[DUAL-BOOT][RECOVERY] Ouya Boot Menu for Support of Kernel Image Chain-loading - Ouya Android Development

Hello everyone! Just like others here, I've been somewhat spooked by our inability to enter Ouya's Recovery partition at the earliest stage of booting, meaning a bad flash of the Boot partition would leave the device inoperable. When I heard that Ouya's stock firmware updates were possibly bricking a few units out there, I decided to block updates on mine and see if I could transform the Boot partition such that it would become a logical extension of the bootloader. What I ended up with is something close to the "Ouya Safe Recovery" project, where a user should only need to flash Boot one additional time, along with chain-loading support as well.
Chain-loading in this case refers to the booting of ROM kernel images that reside as regular IMG files under the /sdcard and/or /system filesystems. With this capability it is possible to choose an image to run when the Ouya turns on. As an example, one may wish to set up a 2nd/test kernel+ramdisk image to use with your installed ROM, or he may wish to run Tuomas Kulve's Debian project from time-to-time without having to set up the USB cable for Fastboot mode. When dealing with distinctly different ROMs (not just alternate kernels), only one of them may install to the Ouya's built-in storage (e.g., /system); others must have been designed/created to use external storage.
An image for the Recovery partition is available along with the Boot. The former may be helpful if you wish to try out the boot menu before performing the flash of the Boot partition, or are generally okay with bouncing to Recovery before invoking a chain-load. Either of these may be tested from Fastboot mode, but do note that a successful chain-load requires that the image actually be flashed to the Ouya. (Otherwise it just reboots.) The ClockworkMod (CWM) recovery application is available on both images and is accessible from the boot menu.
Additional Information
There are a few things to consider when deciding if this approach makes sense for you:
- Users of the "Ouya Safe Recovery" project may want to stay put unless the dual-boot aspect is of interest. If so then it would be cleanest to choose my Boot image; the Recovery partition (your ROM image) could be left alone.
- The images here are not compatible with Ouya's stock firmware, due to the auto-update nature of Ouya's ROM. Either your flashed Boot image would get overwritten, or an installed non-Ouya Recovery might cause that update to hang. Therefore, you should be prepared to switch to one of the ROMs here at XDA. If you're currently on stock and don't want to switch right away, that's fine; we'll go over how to block updates for the time being.
- The Ouya CM10 ROM is nice in that it provides the IMG file separately, allowing us to handle it as we wish. However, the other ROMs end up placing their boot.img in the main ZIP. This is standard practice for other devices, but we need to be careful ensuring our Boot partition doesn't get reflashed as part of the ROM installation. Therefore, it would be necessary to investigate repackaging the ROM with an alternate updater-script prior to installation. See my StockPlus post on page 2 for more. (This shouldn't affect those who've opted for my Recovery image.)
This feature is based on CWM's initial ramdisk, and includes a new boot menu application that comes up prior to CWM itself. Basically, CWM shows up later if the menu application exits for any reason. The Ouya stock kernel (561) has also been compiled with HDMI's copy protection turned off, and includes two patch sets:
- KExec-HardBoot is the key to chain-loading on our platform. It overcomes standard KExec's lack of hardware reset (and thus failed execution) by triggering a reboot in the middle of the preparation of the new kernel. This ingenious system has been developed by Tasssadar and others over in the Nexus forums. (Be sure to enable CONFIG_TEGRA_HARDBOOT_RECOVERY if interested in compiling a Recovery kernel.)
- HDMI visual stability has been improved with a little hack of mine: a significant relaxing of a timer in the driver. (The latest Android source has corrected the instability with a significant design change, but my hack seems fine enough for this project.) Also picked up specific Android fixes in the area of Framebuffer double-buffering, as that needs to be working for CWM usability.
Installation
If you're on Ouya's stock firmware, then you should make sure that any future updates do not get applied. There is a project here ("Mod Collection For Ouya") that should help. I personally side-loaded the Baxy custom launcher to avoid Ouya's update environment. It is also likely necessary to stay out of the Ouya/Discover store if going the custom launcher route as I believe the store app can trigger an update.
At this point you can download your chosen image (Boot or Recovery) and unzip to get the IMG file. Boot your Ouya to a working Root/BusyBox environment (ROM or Recovery), and then transfer the IMG to the Ouya. (An example using ADB would be "adb push boot102513.img /sdcard/boot102513.img".)
Bring up the Ouya command prompt (e.g., "adb shell") and run these commands to get started:
su [command not present on CWM - that's okay]
cd /dev/block/platform/sdhci-tegra.3/by-name
ls
You should see the various 3-letter partition names from that last command. Your command prompt should also contain the "#" character to denote root-level access. This next step will save off your current ROM image, both because we may end up overwriting it, and because the saved file will end up as your main bootable kernel for the chain-loader. Run:
cat LNX > /sdcard/kernel.img
(If configured for "Ouya Safe Recovery," then replace the preceding "LNX" with "SOS".)
We are near the flashing stage. Check to make sure your Ouya has a reliable source of power, preferably from an uninterruptible power supply. Recall that a bad flash of my boot image can leave the device inoperable, but I feel the risk is very low provided the following directions are heeded. Fortunately the flash process only takes a few seconds.
For the Boot image option, verify by running:
md5sum /sdcard/boot102513.img
Do not proceed unless you get "e4b1b1ad553e55ad0b2ce3fb8f5bf623".
Again for the Boot image option, flash to the Ouya by running:
dd if=/sdcard/boot102513.img of=LNX
For the Recovery image option, verify by running:
md5sum /sdcard/rcvy102513.img
Do not proceed unless you get "dda0811a7e8e82a7d4ad3fa4c3ae35e4".
Again for the Recovery image option, flash to the Ouya by running:
dd if=/sdcard/rcvy102513.img of=SOS
You may optionally verify (post-flash) by running "md5sum" on the partition name. Finish up with these commands:
sync
reboot
Usage / Configuration
The menu should come up, defaulting to "kernel.img" for the Boot image and "CWM" for Recovery. That default will then launch after ten seconds of inactivity. You may also briefly press the Ouya power button during the wait to advance through the options. The option list is 1) kernel.img, 2) kernelA1.img, 3) kernelA2.img, 4) CWM, and 5) Recovery Partition.
The defaults from above should be fine for most everyone, but it is possible to fine-tune them. An optional configuration file (/sdcard/bootmenu_b.cfg for Boot, /sdcard/bootmenu_r.cfg for Recovery) may be established to specify the default menu entry as well as the inactivity timeout. As an example, the following command would make Recovery start kernelA1.img after five seconds:
echo "2 5" > /sdcard/bootmenu_r.cfg
It is hoped that the menu would never hang. If it does, then waiting a full minute should allow CWM to start. Otherwise, it may be necessary to attach a wired/USB keyboard and type in the Alt-SysRq-X sequence, similar to Ctrl-Alt-Delete on a PC. The sequence might have to be done early on in the menu startup process, and should blink the Ouya light and place it in Fastboot mode.
The menu may unexpectedly place you in CWM, which would indicate an issue with a chain-load. The reason may be due to a missing or corrupt IMG file. Otherwise you should be able to determine why by checking /tmp/bootmenu.log against the attached source code.
---
I hope this project will be of help to others!
An additional support forum that everyone should be able to post at is available: http://forum.xda-developers.com/showthread.php?t=2450711.
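The verify-then-flash steps from the installation post above, as an added example (not part of the original post or the project's files): the helper refuses to write unless the image's MD5 matches the published value, then reads back only as many bytes as the image holds, since hashing a whole partition that is larger than the image does not reproduce the image's checksum. The function names and return codes are hypothetical.

```shell
#!/bin/sh
# Added example: checksum-gated flash with read-back verification.
# Uses only md5sum, dd, head, wc and cut (all present in BusyBox).

# md5_of FILE -> prints the hex digest of FILE only (no file name)
md5_of() {
    md5sum "$1" | cut -d' ' -f1
}

# md5_of_prefix TARGET NBYTES -> digest of the first NBYTES bytes of TARGET
md5_of_prefix() {
    head -c "$2" "$1" | md5sum | cut -d' ' -f1
}

# safe_flash IMAGE EXPECTED_MD5 TARGET
# Return codes (hypothetical):
#   0 written and verified     2 image not readable
#   3 checksum mismatch, nothing written
#   4 dd failed                5 read-back does not match
safe_flash() {
    img=$1
    want=$2
    target=$3

    [ -r "$img" ] || { echo "image not readable: $img" >&2; return 2; }

    # Gate: never touch the target unless the download is intact.
    have=$(md5_of "$img")
    if [ "$have" != "$want" ]; then
        echo "refusing to flash: md5 $have, expected $want" >&2
        return 3
    fi

    # Arithmetic expansion strips any padding wc may emit.
    size=$(( $(wc -c < "$img") ))

    # conv=notrunc is a no-op on a block device; it keeps a regular
    # file used as a stand-in partition at its original size.
    dd if="$img" of="$target" conv=notrunc 2>/dev/null || return 4
    sync

    # Compare only the region that was written.
    back=$(md5_of_prefix "$target" "$size")
    if [ "$back" != "$want" ]; then
        echo "read-back mismatch: md5 $back, expected $want" >&2
        return 5
    fi
    return 0
}

# Usage with the values given in the post, run from the by-name directory:
#   safe_flash /sdcard/boot102513.img e4b1b1ad553e55ad0b2ce3fb8f5bf623 LNX
#   safe_flash /sdcard/rcvy102513.img dda0811a7e8e82a7d4ad3fa4c3ae35e4 SOS
```

A non-zero return before code 4 means the partition was never opened for writing; codes 4 and 5 mean the write was attempted and the device should not be rebooted until the flash is repeated successfully.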

Wow, really great. Thanks a lot for your effort
Sent from my One X+ using Tapatalk

nchantmnt said:
Wow, really great. Thanks a lot for your effort
My pleasure, nchantmnt. Hope your new Ouya is helping you feel at home!

Yes, I'm happy it already arrived, but after a second miscarriage and lots of stress because of a lawsuit with our neighbour I didn't have time nor nerves to play or code. Seriously, this year sucks.
Sent from my One X+ using Tapatalk

nchantmnt said:
Yes, I'm happy it already arrived, but after a second miscarriage and lots of stress because of a lawsuit with our neighbour I didn't have time nor nerves to play or code. Seriously, this year sucks.
Gosh, I'm very sorry to hear that. Do think ahead to the upcoming holiday season, and may it be a time to reflect and anticipate a fruitful 2014.

@Hal9k+1 - THANK YOU!
I was so nervous flashing CWM and StockPlus as there is no real way to fix things if something goes wrong. This should give people more confidence when flashing their Ouya.
I understand the process using ADB...my question is: can this be used from CWM somehow?
PS. I assume new kernel will always be flashable from CWM, the hack does not require 561 specifically.

Ipse_Tase said:
I understand the process using ADB...my question is: can this be used from CWM somehow?
Hi Ipse_Tase - I do hope the feature will be helpful to you and others.
As I think about your question, I suppose I could have created a ZIP that would have been installed by CWM. Similarly I could have worked through some form of installation shell script. But for an important operation such as flashing, I prefer the one-at-a-time approach of the interactive shell.
Note that CWM does have an ADB service running with it. Your Ouya would show up as a different device while in CWM, so you'd need to enter Device Manager (Windows) and point the unknown device to the same ADB driver as used for the main ROM.
Alternatively you could skip ADB for this Ouya Boot Menu installation and set up an SSH server on your main ROM. I personally have installed "SSH Server" (Ice Cold Apps). I recall two screens to set up (does require the trackpad in cases), where I enabled automatic start on both, and also set the port number to 2222. After an Ouya reboot I had SSH/SCP capability and could use PuTTY/pscp from Windows.

Hal9k+1...fast reply, thank you.
Just to put my ever-so-senile brain at ease: so I run StockPlus 519r1, and WHILE in the ROM, I start ADB and follow your instructions.
OR...I enter CWM, make sure I get the right ADB drivers installed for THAT instance and go from there.
For a developer, I'm sure it's easier and more familiar to run ADB commands - for people like me (5%-over-the average-user) a CWM option to flash a zip and do all this would be more in-line with the abilities to hack.
I have rooted 4-5 devices so far and the only time I type any ADB commands is at root/unlock time - sometimes not even then (Nexus 4 and the Root Toolkit).
So if you ever consider creating a recovery flashable file, it would help many. Probably not me, as by then I would have done the ADB trick

Sounds like great work! I was hoping to implement something like this myself, but I haven't made any more time for OUYA-related development in a while (due to positive life events/busyness)
I will definitely take a look at your work when I have time!
~Troop

Ipse_Tase said:
Hal9k+1...fast reply, thank you.
Just to put my ever-so-senile brain at ease: so I run StockPlus 519r1, and WHILE in the ROM, I start ADB and follow your instructions.
OR...I enter CWM, make sure I get the right ADB drivers installed for THAT instance and go from there.
You got it! You don't need to worry about booting to the other partition prior to flashing. That is, a given partition (LNX/SOS) is no longer being accessed once the image is booted. For CWM's ADB, you'd simply point Windows to the same INF file that you originally used. Hope this helps.

StockPlus Installation
Well, I finally retired this old stock 393 ROM I was on, and moved to StockPlus 519r2. I was not able to install it the normal way given my Boot image is in place here. So I ended up modifying "updater-script" under META-INF/com/google/android, and then repackaged prior to running the install procedure. I'm attaching my changed version in case it helps anyone, and please note that it makes StockPlus the main image (kernel.img).
(You'll need to right-click to save the attachment. Once done it will need to be renamed such that it does not include the ".txt" suffix.)
The Windows "7-Zip" utility is helpful for packaging. You may start by right-clicking the downloaded ZIP, then 7-Zip --> Extract to "OUYA_[...]". Enter the newly created directory, get to the updater-script, and replace it with mine. Now back up to the area with META-INF, system, and boot.img, still in the new directory. Select all three under Windows (Ctrl+Click), right click that area, and then 7-Zip --> Add to "OUYA_[...].zip". Be sure this new ZIP is the one that makes it to the Ouya.

Still haven't tried this out yet, but I hope to soon.
I missed out on news over the holidays though and just noticed this:
Announcing Ubuntu and Android dual boot developer preview
http://developer.ubuntu.com/2013/12/announcing-ubuntu-and-android-dual-boot-developer-preview/
I'm curious of their dual boot implementation and how it compares and if we can synergize with their approach, but haven't looked into the details of how theirs works yet (it sounds like it uses a custom recovery image, and they have the ability to trigger it to reboot into Ubuntu from an Android app and vice versa, which is cool)
It'd be awesome to be able to multi-boot an Ouya ROM, an Android ROM (CyanogenMod), and Ubuntu with that kind of ease.
EDIT: This may be more our speed though: (MultiROM)
http://forum.xda-developers.com/showthread.php?t=2011403
(did you pull anything from there? Sounds like they have a modified TWRP that can flash zips to the other ROM slots, which is something I was also hoping to implement)
~Troop

Thanks, Trooper. Good to see Ubuntu moving further along in the mobile world.
I briefly looked at MultiROM since it originated from the KExec-HardBoot work, but decided not to go in that direction. The main reason is that I decided not to pursue the setup/learning of an Android build environment, but also because it wasn't clear how I'd deal with our lack of a touchscreen and lack of volume up/down buttons. I ended up creating a small application that fits within Ouya's CWM framework and starts up before CWM itself; it monitors the power button for click events and writes to the framebuffer memory region using regular Linux calls.
I'm not too concerned about the dual-boot aspect of this new Ubuntu, but the lack of touchscreen could be a hindrance if mouse/keyboard were not a viable substitute. Whether this Ubuntu is designed to work from external storage is another question, since our /system and /data would be occupied by Android. But in general I think we could boot it from my framework, and if my Boot image were selected over the Recovery one, then the Ubuntu kernel could reside in Recovery and also be bootable from the Android side with the "reboot recovery" command.
Best of luck, and hope you'll have a chance to try it all!

accidental post please delete

Related

[Newbie Guide] adb/fastboot/bootloader/android 101

The purpose of this document is to clarify a few basics about HTC Android Phones and basic commands to interface with the phones. Think of this as a beginner's guides to the Android device from a non-traditional user's point of view. I'll keep it simple and plain as much as I can for the new users. I'll also try to keep all the technical aspects true as much as I can while keeping it simple.
Before you go on, please read this and understand the basic concepts and how and why following commands are being used. Do not follow anyone's instructions/tutorials/guides without prior basic understanding of what each command does. I do want to believe it's humans visiting this forum and not lemmings. If you do not understand, feel free to ask here. I will or someone else also knowledgeable will answer your questions. DO NOT QUOTE THIS AS A WHOLE. My pet peeves and a complete waste of screen space.
Sometimes, depending on your OS, command names may change (e.g: mouse / mouse.exe / mouse-linux / mouse-mac). For general purposes, we'll use mouse instead of OS-specific commands in these instructions.
So to repeat myself, if you understood the concepts of the commands, and you are on a linux system and someone's guide says touch index.php, you will automatically type touch-linux or whatever the name of your executable is on your system.
We shall assume you know how to install needed drivers and where to get android sdk and put the sdk binaries (executables) in the system path. If we need to expand this let me know and I'll expand this here.
Further, if I get any parts wrong, PM me and I'll get those parts corrected.
Android Partition, SPL etc.
Partitions:
The following is a list of partitions on your android phone.
misc - misc partition -
recovery - Recovery Partition - This is where the original HTC recovery or Amon Ra's recovery or any other Recovery would go. Basically if you reboot into recovery it'll boot from here.
boot - This is your boot partition
system - This is where all your system information (ROM resides)
cache - cache (When you factory reset the phone, this area is wiped)
userdata - user data (like your login, your user settings etc). When you factory reset the phone, this area is wiped.
So, if you replace the recovery image, you are pretty much set for updates provided here at XDA. Note: By replacing your recovery image, you may not be able to have OTA updates.
ROM images will normally replace boot and system images at the same time and oftentimes userdata and cache too, resetting the phone completely.
SPL/Bootloader/Radio/Bricking Phones:
SPL / Bootloader is like BIOS on a computer. At least I think of it that way. SPL can be updated! SPL comes as either Security-On or Security-Off (S-ON/S-OFF).
Note: It is my understanding that radio will boot first, followed by other systems. So it is IMPORTANT that your radio image/version will work with your SPL image/version. This is the one and only reason for phones being bricked. You can not brick your phone by flashing a ROM or Boot image or recovery image. Once you flash the wrong radio for the SPL, the only known method of recovery is to send the phone back into HTC for repair.
How do I know the phone is bricked? A bricked phone can not boot into bootloader, recovery, or into normal operation modes. You can not connect to a bricked phone via adb or fastboot. You can only see one screen on the phone and it will be the first splash screen.
Commands:
adb - Android Debug Bridge - One of the two things you'll need to know if you ever want to do anything non-conventional on your android based phone.
List of commands that can be used by adb can be prompted by typing adb at the system shell (command prompt or terminal)
Notable adb commands:
adb devices - If you don't know anything, this is the ONE thing you have to know.
adb devices will give you a list of devices connected to the computer. This is also a good way to make sure that your phone is actually connected to the computer.
adb reboot (bootloader|recovery)
adb reboot - this will reboot your phone normally.
adb reboot bootloader - this will reboot your phone back into the bootloader (white screen with the android on wheels)
adb reboot recovery - this will reboot your phone back into recovery console (either default or amon_ra's recovery).
adb shell - this will shell into the phone and you can now explore the phone. Remember phone's native backend os is linux so know your linux commands.
adb remount - remounts the system partition on the phone so you can read/write to it.
adb push xxx yyy - will push xxx file from computer into yyy location/file on phone (needs rooted access)
adb pull xxx yyy - will pull xxx file from phone into yyy location/file on computer (needs rooted access)
Fastboot is a protocol used to update the flash filesystem in Android devices from a host over USB. It allows flashing of unsigned partition images.
Notable fastboot commands:
fastboot devices - If you don't know anything, this is the ONE thing you have to know.
fastboot devices will give you a list of devices connected to the computer. This is also a good way to make sure that your phone is actually connected to the computer.
fastboot reboot - this will reboot your phone normally
fastboot oem unlock - this will unlock your bootloader - NOTE THIS WILL VOID YOUR NEXUS ONE WARRANTY
fastboot erase XXX - Will erase the partition XXX (such as userdata, cache) - mainly used for resetting phone and clearing userdata / factory settings.
fastboot flash XXX YYY - This will flash XXX partition with YYY image.
e.g: fastboot flash system system_update.img will flash/update your system partition with an image called system_update
If anyone needs me to dig deep into using anything else, please PM me. I'll add it on here. Hopefully this will help all newbies about the basic commands and what they do.
FAQs (UPDATED Feb 09, 2010)
Q: One question about the Android SDK. Do I need it to flash my N1 or just to program new apps? Where can I get it?
A: Android SDK is not entirely needed to flash the N1. However, there are tools in there that you need. Adb / Fastboot etc. Although they can be downloaded by themselves, the windows version of the SDK also has the Drivers that are needed for android devices for USB connection. So, it is recommended to get it. You can get it from developer.android.com
Q: I have never experienced anything like this when I did a hard-spl on my winmo phone. Radio versions are included with SPL's, right?
A: Official packages from HTC did come with nbh packaging, meaning it is an all-in-one upgrader that will update Radio, ROM, System etc, it is very much common for active development area here at XDA to get the radio or SPL or ROM separately and independently of one another. And as such, you will most likely flash them separately (who wants to wait 6-8 months). Also, since this phone is released by google, HTC will most likely not update any major Radios. However, it is very likely that we will be hacking in Radio updates or any other "updates" from HTC from their new device - HTC Bravo.
Q: Is there a guide for snow leopard? I'm kind of stuck.
A: I personally ran android SDK and aforementioned executable on both MAC OS 10.5 and 10.6. Like I posted, the commands and the executable names may be slightly different. I may call adb and you may find it as adb-mac. I am not going to write 3 separate documents for 3 separate OSes. You have to know that adb=adb-mac (on your mac), adb-linux (for linux) etc. And yes the above guide will work universally.
Q: Can i replace the splash image..?? (unlocking related)
A: As of the above date (next to the FAQ) no you can not. Issue is probably a few folds. One of them is that splash1.img is not going in due to security lock. Remember, you unlocked the phone. HTC will not like it. Anyhow, I like the current quad color X. If you are thinking of getting rid of the lock logo, good luck. Even if you can get rid of it, you will still have to overcome the pink text that says ***UNLOCKED*** on your bootloader.
Q: Can you run Windows Mobile on Android Phones?
A: With enough resources given, sure. Will it ever happen? No. Why? Windows mobile compiler and builder cost $. As a matter of fact, as of version 5, it was going to cost me $75 per device. That's one of the reasons why handset makers went to Android open platform. Android is free and universal so as long as you use certain chipsets and certain items, you are good to go. Can it ever be ported? Sure. With right amount of time and money anything can be done. But at this point, it's cheaper for you to go buy a windows mobile smartphone.
Q: How do I know the phone is bricked?
A: You can not brick a phone unless you are flashing Radio/SPL packages. Make sure if you are doing that, you follow directions VERY CAREFULLY. A bricked phone can not boot into bootloader, recovery, or into normal operation modes. You can not connect to a bricked phone via adb or fastboot. You can only see one screen on the phone and it will be the first splash screen.
Q: I have installed the Android SDK however, i cannot seem to get the laptop to detect the nexus. What have i left out?
A: Most common item that people forget to enable is USB Debugging. Settings => Applications => Development => USB debugging [checked]
Q: I have rooted n1. when I go to recovery to do backup, I get the triangle with the little green android guy, but phone is stuck there. I have to remove battery to reboot phone. What have I done wrong?
A: You still have the stock (shipping) recovery. If you want a different recovery (Amon RA's), download it, then from fastboot, run fastboot flash recovery downloaded_recovery.img
Q: Which step of the rooting / recovery procedure does it give root?
A: Root and Recovery are two totally different things. Recovery is a partition that contains recovery information. Stock recovery is what allows OTA updates etc. Normally it will search for update.zip in the root folder of the SD card. Amon_RA's Recovery or any other recovery images are there to enhance the traditional stock recovery. Amon Ra's Recovery for example, contains things such as ability to update from different zip files, and backup/restore of your data/system.
Rooting is not done by recovery but is a kernel level access (simply put) that will give root or "SU". It is done by patching the boot partition of your android device.
Q: What are the differences, advantages, disadvantages of the different ROM's?
A: They are all different. Some have some features, some are plain stock, some are made for bleeding edge kernel etc. You'll have to try them out and figure out yourself. I may make a chart of what they are (see the bottom at my signature - wiki) but with too many android devices, I will need some major help. One person alone will not have total knowledge of all the ROM releases. There are just way too many devices and ROMs.
Q: Which ROM will allow OTA updates?
A: Stock ROM WITH Stock Recovery.
Q: If the phone is SIM/carrier unlocked and you root do you have to SIM unlock again?
A: SIM/Carrier unlock has nothing to do with rooting your phone. You can still have root and still be carrier locked. Nexus One comes carrier unlocked from factory.
Q: How much space is there for apps? is using the sd card really necessary? (on Nexus One)
A: Search google? The phone has 512MB of space. That SHOULD be more than enough for you. If not, you have some serious issues. I do not believe you will not App2SD for Nexus One. Google did say during the release conference that they will update Android/N1 so that apps can be run/installed to SD but that requires some system and security changes (mainly to prevent pirated software - Yes if I write something, I deserve to get paid for it).
Q: When you do "flash zip from sdcard" or "fastboot flash image" does this merge and overwrite the files in to the partition?
A: When you update a software (via recovery), software may be merged. However, if you fastboot flash, just like the word flash says, it will flash and overwrite the partition.
Q: Which partition does "flash zip from sdcard" affect?
A: Depends on what you are flashing. It could be any or all of the partitions such as SPL, Boot, System, Recovery, Radio. You should study first before randomly flashing things.
sorry, got it!
blakestimac said:
i apologize if this is the wrong place for this but, but i have adb setup perfectly, but fastboot is not recognized at all. could i have missed something?
I need your system info.
What os are you running? where did you get fastboot? what are you trying to do?
Don't forget fastboot boot for testing images. My most used command
I still have no idea how to use or setup adb i have downloaded the sdk and used fastboot and superboot to root my phone and am currently running the cm 5.0 beta 2 rom and want to learn how to use adb so i can enable the ram. Thanks, Joe
really a noob question here.....it was easier with Hero.
i have installed the Android SDK
however, i cannot seem to get the laptop to detect the nexus.
what have i left out?
wishmaker738 said:
really a noob question here.....it was easier with Hero.
i have installed the Android SDK
however, i cannot seem to get the laptop to detect the nexus.
what have i left out?
Check the FAQ.
dylanfan424 said:
I still have no idea how to use or setup adb i have downloaded the sdk and used fastboot and superboot to root my phone and am currently running the cm 5.0 beta 2 rom and want to learn how to use adb so i can enable the ram. Thanks, Joe
Ok. I need to know what you actually did. I am not understanding what you are trying to do.
Can't run adb commands - device not found
Thanks for the info. I am having an issue with running adb commands. My phone is rooted via superboot and I tested it with Nexus Torch which works. Now I am trying to install the new kernel so I can run the wireless tether app... but I can't get any of the adb commands to recognize the phone. I boot the phone by holding the trackball and power button. I am in USB debugging mode. When I run fastboot devices, the phone serial number shows up. When I run adb devices, it says no device detected. And when I try to run any other adb commands they do not work, even though fastboot commands work. Any ideas? Thanks.
Sorry i was pretty vague before i downloaded the sdk and also installed the adb setup file included with the superboot pack but just have no idea how to get it to work and add things through adb. I tried typing adb commands into command line with the phone connected to the computer but nothing happened. just said not recognised command so i just basically need a rundown of how to setup adb.
dylanfan424 said:
Sorry i was pretty vague before i downloaded the sdk and also installed the adb setup file included with the superboot pack but just have no idea how to get it to work and add things through adb. I tried typing adb commands into command line with the phone connected to the computer but nothing happened. just said not recognised command so i just basically need a rundown of how to setup adb.
I'm a noob so can't offer much help...but I would make sure the usb drivers are installed if you're using windows....this probably should have happened when you installed the sdk, but you can also install it through the device manager and point it to the folder where the usb drivers are located. Also make sure the phone is in USB debugging mode. also you may need to reboot your pc. Make sure you have setup running when you run the adb commands. you need to be in the same directory as the adb file, or in the case of the superboot pack you need to type "adb-windows" not just "adb". you may also need to put .exe, ie adb-windows.exe.
pwnvds said:
Thanks for the info. I am having an issue with running adb commands. My phone is rooted via superboot and I tested it with Nexus Torch which works. Now I am trying to install the new kernel so I can run the wireless tether app... but I can't get any of the adb commands to recognize the phone. I boot the phone by holding the trackball and power button. I am in USB debugging mode. When I run fastboot devices, the phone serial number shows up. When I run adb devices, it says no device detected. And when I try to run any other adb commands they do not work, even though fastboot commands work. Any ideas? Thanks.
You run fastboot from the white screen. Android on non-white screen. It's one or the other. It's ADB or Fastboot (depending on the mode of the phone).
dylanfan424 said:
Sorry, I was pretty vague before. I downloaded the SDK and also installed the adb setup file included with the superboot pack, but just have no idea how to get it to work and add things through adb. I tried typing adb commands into the command line with the phone connected to the computer but nothing happened. It just said not recognised command, so I just basically need a rundown of how to set up adb.
Is the directory where ADB/fastboot (SDK) is installed in your system path?
I am guessing it's not. If it was, just by typing adb alone (without commands), it'll give you a list of commands. Click here if you want to know how to change your system path to include a particular folder.
We're now in the age of nintendo pilots and point and click OS that no one knows how to use command lines and system paths anymore.
recovery
I have rooted n1. when I go to recovery to do backup, I get the triangle with the little green android guy, but phone is stuck there. I have to remove battery to reboot phone. What have I done wrong?
umplarry said:
I have rooted n1. when I go to recovery to do backup, I get the triangle with the little green android guy, but phone is stuck there. I have to remove battery to reboot phone. What have I done wrong?
Answered in FAQ area.
seraph1024 said:
Answered in FAQ area.
I tried that before I posted. I searched the FAQ again. Maybe I am a complete DA, but still can't find answer. I don't mind searching, it will help me to learn, but could you point me in the right direction in FAQ?
umplarry said:
I tried that before I posted. I searched the FAQ again. Maybe I am a complete DA, but still can't find answer. I don't mind searching, it will help me to learn, but could you point me in the right direction in FAQ?
Q: I have rooted n1. when I go to recovery to do backup, I get the triangle with the little green android guy, but phone is stuck there. I have to remove battery to reboot phone. What have I done wrong?
A: You still have the stock (shipping) recovery. If you want a different recovery (Amon RA's), download it, then from fastboot, run fastboot flash recovery downloaded_recovery.img
There you go.
seraph1024 said:
There you go.
Thanks for your help
seraph1024 said:
There you go.
I had it downloaded, just had not flashed it
I've been looking all over, but I probably need to check the HTC Dream forum or something.
How do I install a custom ROM? I know you have to adb push update.zip somewhere, but I can't find any info about this. Please help.

[Q] Porting Meego to the Tab, some Android noob questions before I start

Hi chaps,
I've just bought a Galaxy tab with plans to port Meego to the device.
I'm new to all the Android stuff, and tbh the myriad methods for doing this/that/the other and the relative lack of explanation of what's actually being done in these various methods/tools is quite confusing (and worrying).
So, if you'll bear with me, I have a few questions which are probably quite basic.
I've rooted my Tab using SuperOneClick, no problems there, I also understand that there is a leaked flashing tool called (Multi)Odin and an open source flashing tool called Heimdall. I understand adb.
So onto the questions:
Before I start messing about, how should I backup my existing firmware image? I see people talking about taking image dumps using dd, or Odin or Heimdall. What is the preferred method? And how should one then restore the device from these backups?
Alternatively is it possible to simply download the firmware directly from Samsung (I see links to later firmware, but really I'd be happy with what I have currently - P1000XXJK5 and FROYO.XWJJ7)?
I'm assuming that the best installation method would be to replace recovery, then I can add my own kernel and have it boot a rootfs mounted on the external SD card for example. Any thoughts?
I've seen one thread about people compiling their own kernels, with panics and the like which are solved by giving the full path to the initramfs extracted from the existing image. Any clues as to why the built version doesn't work? This is not so important as I can have a look at this when I build the Samsung source.
Is anyone looking at the bootloaders? Is there any information anywhere about them (as changing the bootloader to allow selection of the kernel to be booted would make life easier)?
Thanks for your patience!
Ok, so to partly answer myself, I see www dot samfirmware dot com has links to downloads of firmware images.
I'd really prefer to generate my own image of what's currently on the device rather than trusting a download site, but I guess it's better than nothing. Does anyone know how these images were generated anyway?
lardman said:
Ok, so to partly answer myself, I see www dot samfirmware dot com has links to downloads of firmware images.
I'd really prefer to generate my own image of what's currently on the device rather than trusting a download site, but I guess it's better than nothing. Does anyone know how these images were generated anyway?
Samfirmware get their images direct from Samsung insiders. They are not dumps.
If you want to dump from your device search "rotobackup" here in the dev forum.
Sent from my GT-P1000 using Tapatalk
alias_neo said:
Samfirmware get their images direct from Samsung insiders. They are not dumps.
Ok that's reassuring.
alias_neo said:
If you want to dump from your device search "rotobackup" here in the dev forum.
Great, just what I was looking for, many thanks
So some more questions:
Any limit to the size of the kernel? Presumably just the size of the partition (which after extracting the image for backup seems to be a pretty large 15.4MB)?
What do all the .rc files in the raminitfs do? They are as follows: fota.rc, init.goldfish.rc, init.rc, init.smdkc110.rc, lpm.rc, recovery.rc
The init.rc is the normal init.rc file, so that's fine. Presumably the recovery.rc file is run if the bootloader detects that recovery mode is wanted (holding down keys during boot). The init.goldfish.rc? I guess this is to do with the emulator, though why it would be in a release image I don't know.
I assume that init.smdkc110.rc is automatically run somewhere along the line, though I don't see where it's started.
Any thoughts on lpm.rc and fota.rc? Are multiple .rc files run for the normal and recovery boots?
Thanks
lpm.rc is for low power mode, which displays the battery charging animation.
goldfish is for running the ROM under qemu.
Back up your ROM using rotobackup. Compile Samsung's kernel from sources, mix up default initramfs with Meego's init scripts. Pack all Meego stuff into a loop-mounted disk image. Then flash zImage to kernel and your disk image to factoryfs using heimdall. I assume you have experience hacking N8xx/N900 and Maemo or Meego?
factoryfs is around 300MB so I think it should fit Meego and it (and kernel) can be easily restored with heimdall.
Thanks for the comprehensive reply
Yes I do have experience hacking Maemo/Meego, though have never really had to fiddle with init scripts before and this is as good a reason as any to learn.
I'd actually like to dual boot, so am modifying recovery.rc to bring up the Meego system on the external SD card.
Am just fiddling about building extra kernel modules now (needs btrfs for my image for example) and modifying the recovery.rc file.
Hmm, well I was all set to go and flash my new zImage and was looking for the heimdall command line, when I saw this at the top of one of the threads in this part of the forum (http://forum.xda-developers.com/showthread.php?t=870690):
Restoring to factory after using this process (you need using stock images):
heimdall flash --kernel stockzImage --recovery stockzImage --factoryfs factoryfs.rfs
Which has made me worry a bit that I've missed a recovery partition with its own kernel and wrongly assumed that the same kernel is used for both recovery and normal running, just with a different .rc file to be interpreted by init.
Any thoughts?
Do we trust the partition sizes reported here: http://forum.xda-developers.com/showpost.php?p=9471190&postcount=14
They seem very small for the kernel partition. I used RotoHammer's dd method to grab the contents of the partitions as a backup, so am assuming the sizes shown above are not correct (or represent something else?)
Going back to RECOVERY and ZIMAGE partitions - the ZIMAGE partition contains a recovery.rc, the question is really whether, even if they use the same zImage in both the ZIMAGE and RECOVERY partitions, the version in the RECOVERY partition is actually booted if recovery mode is selected (by holding the up volume key, etc.)? OTOH it may be that the RECOVERY partition is either empty or unused, has anyone tested specifically to see whether recovery.rc is run from the ZIMAGE partition?
Well I think I can answer my own question there, I flashed my modified kernel (modified recovery.rc) only to the KERNEL partition, and it boots normally if I don't touch anything, and just gets stuck on the first Samsung screen if I boot in recovery mode.
So it's doing something, I just can't tell what. Not sure if any kernel messages are getting lost behind that image, or perhaps they aren't even output to the framebuffer at all. I seem to remember seeing something about disabling the splashscreen so I'll go and have a look for that. Anyone got any other suggestions?
P.S. I also note there's a flash of screen corruption as the device starts up with my new kernel, I don't remember seeing that before. Is this a usual occurrence?
I see from the Nexus S port that including adbd in the image seems to be the way to go for early messages, I'll need to generate a new Meego image and have another go later on.
Interesting, I can't see that I've done anything wrong, and my extra init shell script is not started. I am trying to use the "exec" keyword in recovery.rc to start a shell script which will pass control to the Meego rootfs. At the start of my shell script I start adbd (i.e. still within the initramfs), so I should be able to tell if it has started, and it doesn't appear to do so.
Therefore I did some Googling, and I've seen that in some cases the initramfs init does not implement the "exec" keyword (http://forum.samdroid.net/f9/new-init-exec-import-implemented-3280/). This is troublesome for me as it's what I'm trying to use, but at least would explain why I don't seem to leave the init process
I couldn't see the Samsung specific source for init anywhere, has anyone found any? I'm not happy to replace it using the standard Android source as I'm guessing there's code missing which allows the bootloader to tell init how the device was started so that it knows which of the .rc files to run. Has anyone looked into this?
Thanks
Looking at the code in that link it looks pretty straightforward, just a case of parsing the kernel command line (though I might just reverse engineer the existing init first to make sure I'm not missing anything).
Would still be easier to get the actual source code from Samsung, so I've emailed their Open Source group.
lardman said:
P.S. I also note there's a flash of screen corruption as the device starts up with my new kernel, I don't remember seeing that before. Is this a usual occurrence?
I get it with CM
Does CM use a compressed initramfs? I'm using one of those and wondering if it's something to do with the (admittedly small) extra time required to move to init.
I don't have my Tab with me here, could someone post the output of /proc/cmdline please? You'll need to be root. Thanks.
Well it's booting you'll all be glad to hear.
More details to follow, but from memory the following were required:
Custom kernel to add btrfs support (as the image I'm booting is a btrfs partition on the external SD); kernel patch to allow compile-time cmdline to be added to the end of the bootloader cmdline (to enable console=tty0); replace Android init with init script to perform some basic setup then pivot_root to the Meego partition.
Next steps are to get the Meego system running usefully (which includes getting a terminal as currently I just have a login prompt but no way of inputting anything!) and also seeing whether I can get dual booting working with an Android system standard boot and Meego replacing the recovery boot.
Poor pic, but still: http://people.bath.ac.uk/enpsgp/Tab/PICT0040.JPG
Good stuff. Thanks for keeping us informed.
After you've got the groundwork for this done, how easy would it be to get Ubuntu running?
Try google http://lmgtfy.com/?q=ubuntu+on+galaxy+tab
Sent from my GT-P1000 using XDA App
brilldoctor said:
Try google http://lmgtfy.com/?q=ubuntu+on+galaxy+tab
Sent from my GT-P1000 using XDA App
That's using chroot, which I don't want. I want it running natively.
Sent from my Galaxy Tab

SUCCESS !! :) FM Radio app by HTC: Reverse Engineer: Please help

I'm working to enable FM radio functionality, RX and TX on HTC Legend and other devices with TI FM chip.
I need help to get this done ASAP. I'm an experienced embedded Linux dev, but I'm pretty new to smartphones and Android.
A few weeks back I managed to muddle my way through on phone gold card creation, downgrading, rooting, CWMod (2.5 ?) installation, CMMod7 nightly install, S-Off and new Radio flash. Since then I haven't flashed anything and probably forgot half of what I learned.
So now I want to flash the best ROM for the purpose of figuring out the audio routing "secrets" of the HTC FM app. Any suggestions for the best ROM for that purpose ?
Next, I could use some pointers to the best posts or web pages to refer to for flashing the HTC Rom, and then later flashing back to CM7. As easy as possible. Can I do something Nandroid like and save the entire state of the phone to easily get me back to where I started with CM7 ?
Yes, I AM a dev, but very much appreciate easy to follow step by steps that don't leave me scratching my head wondering if I'll brick my device or create some other catastrophe. Eg: Should I ignore those error messages or not worry ? Do I have to reboot 5 times while clicking my heels ? Etc.
Once I get the above figured out, perhaps this thread can be used for discussion of the observations and any reverse engineering results.
Thanks !
Well, the best ROM would probably be BlaY0's, as it has the FM functionality. Take a nandroid of that and then install CM (as that's what you're developing for, ye?). Then nandroid the CM and you can easily switch between the 2 without the need to set it up again.
BlaY0's ROM is based off the official HTC one, so it would probably do for the reverse engineering stuff. Thus I don't think you'd need to go back to a stock HTC ROM. If you do you can just flash a pre-rooted one (found here) and that would do it.
TheGrammarFreak said:
Well, the best ROM would probably be BlaY0's, as it has the FM functionality. Take a nandroid of that and then install CM (as that's what you're developing for, ye?). Then nandroid the CM and you can easily switch between the 2 without the need to set it up again.
BlaY0's ROM is based off the official HTC one, so it would probably do for the reverse engineering stuff. Thus I don't think you'd need to go back to a stock HTC ROM. If you do you can just flash a pre-rooted one (found here) and that would do it.
OK, thanks GrammarFreak. BlaY0's ROM 0.7 it is.
Hate to be/seem so newb-ish....
So I'm running CM7 now. So:
(1) Run ROM Manager Backup.
(2) Watch phone go into recovery mode with red triangle and exclamation mark.
(3) Don't freak as the backup will take maybe 10-20 minutes or so.
(4) Phone reboots back to CM7 I presume.
(5) Pull any important data from sdcard including ROM backup files.
(6) Download http://blay0.r3volutionary.net/b-0.7.zip
(7) Run ROM Manager to flash Blayo.
(8) Reboot and mess around with Blayo ROM.
(9) When done messing, optionally save Blayo ROM and mods with ROM Manager Backup.
(10) Use ROM Manager restore to return to CM7 ROM.
Sound good ? I don't even have to remember which key when booting brings up CWMod recovery mode ?
I couldn't find a canonical web page documenting CWMod/ROM Manager and its usage.
Gee my phone has been stuck in red mode for a while now...
EDIT: So I'm reading threads and getting the impression the red triangle is not what I want. So I run "adb reboot" and will check and see if the backup looks good.
I can understand that the "community" has to somehow pull together to pool info, but my experience seems typical of what so many face.
In order to figure out some sort of semi-foolproof method of doing XYZ it seems I have to search threads all over to collect the full info. 50-100+ page threads are a challenge. Do I start with the first few posts or pages of posts, or should I skip to somewhere near the end for latest info ? Yes I can read to see if first posts are updated etc.
Before I started the rooting process on my phone, I read QUITE a few big threads from begin to end. And I made LOTS of notes to try and figure it all out and avoid problems. And my head got so full it almost exploded, and I almost sorta gave up, dived in, did a few more google searches on the way and thankfully finally ended up with a nicely open device.
But it all seems so ridiculously difficult, UNLESS you happen to come across some very succinct, accurate and informative HOWTO somewhere that works well for you.
/rant off
Ok, I want you to do a couple of things:
Forget about ROM manager, it's a piece of crap and it creates more problems than it solves.
So, you said you performed S-OFF, correct? Did you let the S-OFF procedure install ClockworkMOD recovery? Given the red triangle of doom I doubt it. No worries. Here's what you do:
Download this (it's the ADB tools) to a known location. Then extract the zip to a known location. Open a command window in that location (for the sake of this guide: C:\ADB). So open CMD (start, run, type CMD, hit enter). In CMD type "cd C:\ADB". Plug your phone into the computer (make sure you're using CM). Debugging mode should be on (you'll get a notification in the status bar of your phone). Now, I want you to download this (CWM 2.5) and save it to C:\ADB. In CMD type "adb push recovery.img /sdcard". Wait for it to complete. It will output a file-size, time taken and resultant transfer rate. When it's completed type "adb shell". You'll end up with a "#" and nothing else (if you get a "$" just type "su" and hit enter, and on the phone's screen accept the Superuser request). Now, type "flash_image recovery /sdcard/recovery.img", let it do its thang. When you see the "#" type "reboot recovery", and your phone will reboot to CWM. This is what I refer to as a win.
Now, from clockworkMOD you can use the trackball (move and click) to select "backup/restore" then "backup". Let it do its stuff. Once backed up you can flash B-0.7 and then back that up. Note down the name of each backup so you know which is which
TheGrammarFreak said:
Ok, I want you to do a couple of things:
Forget about ROM manager, it's a piece of crap and it creates more problems than it solves.
So, you said you performed S-OFF, correct? Did you let the S-OFF procedure install ClockworkMOD recovery? Given the red triangle of doom I doubt it. No worries. Here's what you do:
Download this (it's the ADB tools) to a known location. Then extract the zip to a known location. Open a command window in that location (for the sake of this guide: C:\ADB). So open CMD (start, run, type CMD, hit enter). In CMD type "cd C:\ADB". Plug your phone into the computer (make sure you're using CM). Debugging mode should be on (you'll get a notification in the status bar of your phone). Now, I want you to download this (CWM 2.5) and save it to C:\ADB. In CMD type "adb push recovery.img /sdcard". Wait for it to complete. It will output a file-size, time taken and resultant transfer rate. When it's completed type "adb shell". You'll end up with a "#" and nothing else (if you get a "$" just type "su" and hit enter, and on the phone's screen accept the Superuser request). Now, type "flash_image recovery /sdcard/recovery.img", let it do its thang. When you see the "#" type "reboot recovery", and your phone will reboot to CWM. This is what I refer to as a win.
Now, from clockworkMOD you can use the trackball (move and click) to select "backup/restore" then "backup". Let it do its stuff. Once backed up you can flash B-0.7 and then back that up. Note down the name of each backup so you know which is which
Thanks for the newb-friendly instructions. Much of it I don't need, but may help others.
I'm running Linux, I've had adb etc installed for 2 weeks. I've got the SDK installed w/ Eclipse but never tried it, but have done App Inventor. And I've been poking around in the innards of the various source codes, binaries, firmwares and other files for the last 2 weeks too.
OK, I'll "Forget about ROM manager" and just use CWM after manually rebooting into it with Volume Down or whatever.
I'm pretty positive I'm S-OFF and have CWM 2.5.0.0.7 or so installed. ROM Manager says so. I had CWM on before I S-Offed using the Bell/Virgin modified alpharev boot disk.
I'll do the backup manually with CWM later tonight when I get back to this. I checked the SD and the backup isn't there, although there are still 3 backups I took when I installed CM7 2 weeks ago.
So I guess I do a complete flush or wipe or whatever when installing the new (or a backed up) ROM ? And since the backup is a nandroid type it will absolutely restore to exactly the same state as when the backup was taken ? But the SD card is not touched...
EDIT:
"adb reboot recovery" gives me red triangle of doom.
"adb reboot bootloader" gives me AlphaRev and I see S-Off and HBOOT 1.000000000
Did AlphaRev remove CWM ?
Given that you get the red triangle we can assume you don't have CWM installed to /recovery, you have it in fakeflash. Nothing inherently wrong with that, just FYI
As for your rant in post numero uno, I've often considered trying to put together a comprehensive "document" on the matter, but it'd take an age and would probably raise more questions than it'd answer.
"adb reboot recovery" gives me red triangle of doom.
"adb reboot bootloader" gives me AlphaRev and I see S-Off and HBOOT 1.000000000
Did AlphaRev remove CWM ?
See above about fakeflash. You could well use the image I linked above and use flash_image on the phone or fastboot to flash it
Fakeflash is pretty easy, I either do that or do my business in rom manager as I find that easy.
Rom manager method for installing a new rom:
If rom manager isn't installed, do so from the market
start up rom manager
tap "backup current ROM" (I suggest naming your backup, I just use the rom name)
Let it reboot and do its thing
When it's booted back into CM7, open up rom manager again
tap "install ROM from SD card"
browse your sd for your rom and tap it.
You are presented with 2 check box options
Since we already backed up make sure "backup existing rom" is unchecked
If you are flashing a new rom, make sure "Wipe Data and Cache" is checked
If you are flashing a newer version of the same rom, you can leave this area unchecked as it will not erase the stuff stored on the phones built in memory
Press ok, let it do its thing and that's it.
Place the fakeflash update.zip from http://forum.xda-developers.com/showthread.php?t=698404 on the root of your sd card
turn off your phone
Hold the volume down button as you press the power button
using the volume buttons, navigate to "recovery"
press power
your phone will reboot to the red triangle (of DOOOM)
Don't panic, hold volume up and press power (if it gives you an error just wait few seconds)
Using the volume buttons to scroll and power for enter choose "apply sdcard:update.zip"
Use the trackball and go to "Nandroid" if you are using ClockWorkMod 2.5.xxx fake flash or "backup and recovery" if you are using ClockWorkMod 3.xxx
hit "backup"
Let it do its thing
If you're installing a new rom, scroll to "wipe data/factory reset", wait, then choose "wipe cache partition". If you're installing a newer version of the same rom, don't bother.
Scroll to "install zip from sdcard"
scroll to "choose zip from sdcard"
choose your zip, let it do its thing, and that's that.
Your SD is not touched at all during flashing, no need to backup those files.
Wow, can't believe I typed all that out...
TheGrammarFreak said:
As for your rant in post numero uno, I've often considered trying to put together a comprehensive "document" on the matter, but it'd take an age and would probably raise more questions than it'd answer.
See above about fakeflash. You could well use the image I linked above and use flash_image on the phone or fastboot to flash it
Re: rant, don't want to come off as complaining, I KNOW documenting semi-foolproof procedures is tons of work, to do properly. I understand a big problem is consideration of the large set of combinations of ROMs, recoveries, apps, S-On/S-Off states, Radios, etc.
OK, cool, I want "realflash" type recovery then. I guess that's one reason to have S-Off ?
I had to slightly alter your first command by appending a '/'.
EDIT: WOOHOO ! Success I think ! Feel free to skip the rest of this post unless you want to hear the details of my adventure...
Thank you ! Editing this post the last hour I wrote "Success ! " here anticipating such, but alas, I have some issue.
I don't know if I have to be extra patient as deodexing happens, Or if I'm stuck in some boot loop... I see "HTC quietly brilliant" and screen flashing on and off and re-writing the HTC spam.
Re: HTC FM app. OK, cool, I see :
ls -l /system/app/HtcFMRadio.apk
-rw-r--r-- root root 826176 2008-08-01 07:00 HtcFMRadio.apk
And bluetooth. Is there any way to switch normal media output, like from TuneIn radio etc, to my cheap new bluetooth headset ? I pushed the button in CM7 and I see I could start a voice dial, but I figured BT would take over all audio I desired routed through it.
-----------------
I did:
adb push recovery.img /sdcard/
adb shell flash_image recovery /sdcard/recovery.img
adb reboot recovery
In the CWM menu I had to select "Nandroid", and then "Backup".
That completed.
I didn't want to bother rebooting, so manually grabbed the backup files:
adb shell ls -l /sdcard/clockworkmod/backup/
adb shell ls -l /sdcard/clockworkmod/backup/2011-02-27.03.19.57/
mkdir cm7backup-2011-02-27.03.19.57
cd cm7backup-2011-02-27.03.19.57
adb pull /sdcard/clockworkmod/backup/2011-02-27.03.19.57/boot.img
adb pull /sdcard/clockworkmod/backup/2011-02-27.03.19.57/cache.img
adb pull /sdcard/clockworkmod/backup/2011-02-27.03.19.57/data.img
adb pull /sdcard/clockworkmod/backup/2011-02-27.03.19.57/nandroid.md5
adb pull /sdcard/clockworkmod/backup/2011-02-27.03.19.57/recovery.img
adb pull /sdcard/clockworkmod/backup/2011-02-27.03.19.57/system.img
Then to be sure:
cat nandroid.md5
md5sum *.img
Yes, looks good ! Now for Blayo:
cd ..
adb push b-0.7.zip /sdcard/
Goto CWM. Version 2.5.0.1, I had a 7 at the end before. Fine I'm sure.
Use volume up/down to select install from a ZIP. Press power to select. Oh, oh, shoulda used the trackball switch as it powered off.
Whoops, press power again and screen comes back, LOL. Choose zip from sdcard and use trackball switch this time. Move and select Blayo b-0.7.zip
Wonderfully wacky confirmation. Error message saying it can't find the zip file. Hmmm....
Reboot a few times and finally do "adb reboot recovery" and retry install from ZIP.
No go, get:
-- Installing: SDCARD:b-0.7.zip
Finding update package...
Opening update package...
E:Can't open sdcard/b-0.7.zip
(bad)
Installation aborted.
Try to open 98 MB zip file. No go. AHA ! corrupted file.
Try download from mirror 2: http://www.dkmdesign.dk/custom_roms/blay0/b-0.7.zip File is supposed to be 126 MB.
Gee I'm glad there's an unzip process that checks the integrity of ROM flashes.
So again:
adb push b-0.7.zip /sdcard/
And install, running..... Done !
Try to use power button to reboot. Use back key and "reboot system now". Cross fingers and offer the gods sacrifices...
See androids on skateboards again. Recall I may have to be patient as deodexing happens... See "HTC quietly brilliant" spam,,, in this context,good. Waiting....
Waiting.... screen flashing on and off and writing the HTC mind control spam.
Try reboot when tired of waiting and same thing. AFAICT, from "adb shell ls * etc" on the filesystem, Blayo ROM is installed but just won't stop flashing the HTC logo.
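Added example (not part of the original thread): the post above checks its pulled backup by reading `nandroid.md5` beside the output of `md5sum *.img`. The shell function below automates that comparison and also reports images that are missing from disk or absent from the manifest; the names `verify_nandroid` and `make_sample_backup` are hypothetical, and the sample files are constructed, not a real backup.

```shell
#!/bin/sh
# Added example: check a pulled ClockworkMod backup directory against its
# nandroid.md5 manifest before relying on it for a restore.

# verify_nandroid DIR
# Prints one finding per line and returns:
#   0  every listed image matches and no *.img is unlisted
#   1  at least one MISMATCH / MISSING / UNLISTED / BAD-ENTRY finding
#   2  the manifest itself is absent
verify_nandroid() {
    dir=$1
    manifest=$dir/nandroid.md5
    if [ ! -f "$manifest" ]; then
        echo "NO-MANIFEST $manifest"
        return 2
    fi
    bad=0
    # Each manifest line is md5sum output: "<32 hex digits>  <file name>".
    # The "|| [ -n ... ]" keeps a last line that lacks a trailing newline.
    while read -r want name || [ -n "$want" ]; do
        [ -n "$want" ] || continue        # skip blank lines
        name=${name#\*}                   # md5sum's binary-mode marker
        case $name in
            ''|*/*)                       # refuse entries that leave DIR
                echo "BAD-ENTRY $name"; bad=1; continue ;;
        esac
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING $name"; bad=1; continue
        fi
        got=$(md5sum "$dir/$name" | awk '{ print $1 }')
        if [ "$got" = "$want" ]; then
            echo "OK $name"
        else
            echo "MISMATCH $name"; bad=1
        fi
    done < "$manifest"
    # An image on disk that the manifest never mentions was not checked at all.
    for f in "$dir"/*.img; do
        [ -f "$f" ] || continue
        base=${f##*/}
        if ! awk -v n="$base" '{ f = $2; sub(/^\*/, "", f); if (f == n) found = 1 }
                               END { exit !found }' "$manifest"; then
            echo "UNLISTED $base"; bad=1
        fi
    done
    return $bad
}

# Constructed sample (not a real backup): three tiny stand-in "images"
# plus a manifest written the same way md5sum would write it.
make_sample_backup() {
    d=$1
    mkdir -p "$d"
    printf 'boot-constructed\n'   > "$d/boot.img"
    printf 'system-constructed\n' > "$d/system.img"
    printf 'data-constructed\n'   > "$d/data.img"
    ( cd "$d" && md5sum boot.img system.img data.img > nandroid.md5 )
}

# Usage: sh verify.sh cm7backup-2011-02-27.03.19.57
if [ -n "${1:-}" ]; then
    verify_nandroid "$1"
fi
```

MD5 here detects a truncated or corrupted transfer such as the 98 MB download described in the post. Because the manifest sits beside the images it authenticates nothing, so keep a copy of the hashes off the SD card if tampering matters.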
speedyink said:
If you are flashing a new rom, make sure "Wipe Data and Cache" is checked
Thanks. Maybe that's my boot loop or whatever problem now. I didn't recall seeing that option, but should be there with CWMod, so I'll try installing Blayo again after that.
There was some Wipe in main menu, and another w/ factory reset. Also in advanced menu I selected Wipe Dalvik cache. I left the Battery Stats alone. Hmmm. Naah !
Did all 3 wipe twice for good luck. Rebooted in between. Installed. Now waiting... Oh here's the HTC screen again. Time to read the Blayo thread to see how long to wait. etc.
Man what a pain ! Yet likely a world easier than the new paths I attempted to forge on my previous LG Optimus Chic resulting in a hard brick, LOL.
WOOHOO ! Success I think !
Welcome to the BlaY0 universe.. Just remember that many of us went through this journey as well to have our phone in same state. Glad you got to fully download the BlaY0 rom from my mirror.. now happy reverse engineering..
Sent from my Legend using XDA App
whitetigerdk said:
Welcome to the BlaY0 universe.. Just remember that many of us went through this journey as well to have our phone in same state. Glad you got to fully download the BlaY0 rom from my mirror.. now happy reverse engineering..
Sent from my Legend using XDA App
Thanks. Figured I was finished messing with such nasties once I had CM.
(In case you aren't aware, I have scripts that make the FM radio "work" on CM7. I can scan and see RSSI as expected etc. Only "problem" is I haven't figured out the audio routing part yet so no sound, which is why I'm exploring the HTC app for its special tricks.)
What I want to do now is try running my hcitool scripts and see if they work on Blayo ROM.
If yes, then the Blayo ROM has something the CM7 ROM needs.
If no, then there's likely some magic step required on either stock ROM or CM7 ROM and likely the HTC FM app is doing that step, directly or indirectly.
But the needed hcitool is not on Blayo ROM. I find 3 of the hci utils and install them. Now I can't get hciattach running, which I think is needed for hcitool.
I'm guessing I can edit /init.legend.rc and change service hciattach to enabled. Reboot and no dice. Try running from command line also with no luck. At one point it hung, but now:
# hciattach -n -s 115200 /dev/ttyHS0 texasalt 4000000 flow
Unknown device type or id
# hciattach -n -s 115200 /dev/ttyHS0 any 4000000 flow
Can't set device: Device or resource busy
Can't initialize device: Device or resource busy
# hciattach -n -s 115200 /dev/ttyHS0 any
Can't set device: Device or resource busy
Can't initialize device: Device or resource busy
Waiting with baited breath
Sent from my Legend using XDA App
pjgodd said:
Waiting with baited breath
Sent from my Legend using XDA App
Bated ? Baited=fish
Well AFAICT, the world of Bluez bluetooth and hciattach, hcitool, hciconfig and hcidump doesn't get along with the TI BT stack world of btipsd and btipsd_cli.
I'll have to bust out the NDK and start trying APIs.
But FIRST, I'm happy to report that btipsd_cli is a pretty interesting and cool tool. Once I rebooted, turned BT on and learned the quirky UI, it wasn't too long before I had FM audio coming out of the speakers or the headphone.
I even tried a BT over FM option in another menu, but no go. Next I'll try the FM Tx, cause I'd REALLY like to see if that works.
btipsd_cli doesn't seem to want to start FM a second time though, so a few reboots might be needed for testing.
I think it's possible that the "14.start_audiO" option in the "4.fm_Rx/" is the missing link for FM in non HTC ROMs. I don't know yet if it initiates a digital PCM / SCO connection or just switches analog. I don't see any new processes for that but btipsd might be doing the good stuff.
Following this thread with great interest..
Sent from my Legend using XDA App
I still can't get the transmitter to work, despite all the commands seeming successful. Both with hcitool on CM7 and btipsd_cli on Blayo0.7.
So I think one, or both, of the following are the TX issues:
(A) - It is somehow disabled by the hardware. The Tx antenna pin could be tied to ground, perhaps even through a capacitor or something. It may even just be unconnected and unable to transmit a few inches because it's inside an RF shield.
(B) - The firmware file for the FM portion disables TX, yet the registers still respond as if it works.
(A) would be difficult to infeasible to fix.
(B) should be fixable by loading a firmware file from a TI FM chip device that is known to support transmission.
For a TI based device that is known to transmit, I presume firmware files for a TI or TI partner evaluation board may work.
So far I can't get hciattach and hcitool etc working on BlaY0 ROM.
I HAVE, however, gotten btipsd and btipsd_cli to work on CM7. I had to create the /data/btips directory and am running btipsd manually in foreground.
What I find is exactly the same as with my hcitool scripts: everything seems to work but actual sound doesn't exit the device. Even after doing everything else the same as with BlaY0 ROM.
The /etc/firmware files on both ROMs are identical.
So I'm thinking there is some other thing separating the two ROMs. Could be some HTC customized library, or a config file or who knows.
Hi Mike, your work is appreciated, I hope you will get it to work. We have great Legend devs. Please BlaYo and Ali Ba, help this guy!
mikereidis said:
I HAVE, however, gotten btipsd and btipsd_cli to work on CM7. I had to create the /data/btips directory and am running btipsd manually in foreground.
Then you got as far as I did a few months ago. The btipsd stuff can be found in the original init.legend.rc, if you are interested.
mikereidis said:
So I'm thinking there is some other thing separating the two ROMs. Could be some HTC customized library, or a config file or who knows.
"Customized library" applies here, but that's in fact a euphemism for "all kinds of proprietary code in the framework".
I gave up reverse engineering after looking at the disassembled HTC radio application. As I already told you there are loads of pointers to closed source TI code that can be found in the framework (= /system/lib/whatever.so). You will have to reverse engineer all those rpcs, libandroid_servers and god knows whatnot.
ali ba said:
I gave up reverse engineering after looking at the disassembled HTC radio application. As I already told you there are loads of pointers to closed source TI code that can be found in the framework (= /system/lib/whatever.so). You will have to reverse engineer all those rpcs, libandroid_servers and god knows whatnot.
Oh, there must be SOME shortcut...
Since I have the FM radio and audio working with the btipsd_cli. I'm not sure the answer would lie in the HTC FM app. Or at least the answer is in btipsd_cli also.
I'd love to find the source to btipsd_cli. I DO have source for TI's fmapp and fmstack-0.12 and I can see they share some, but not all code.
In a log I can see an HCI command is sent when audio starts; I just don't know which one or with which parameters.
btipsd_cli has some rather weird bugs that prevent me from experimenting well with audio routing. When I disable analog, audio keeps playing. At first I thought it was using digital, but now I think it's part of the bugginess. When I select various digital options, various weird things happen, including a crash in btipsd for most of them.
If I can run some HCI queries, I might get better clues or the actual answer. I managed to get hciattach to sort of work with "texas" as the type, but I think I need "texasalt" and the binary I have that runs on Blayo doesn't support it. The CM7 binaries won't run on Blayo.
So unless there are some other tools I can use, I'm wondering if it's time to write an NDK app.
Unless I can increase the verbosity of the btipsd logging to tell me everything it's doing. Will check.
These AudioRouting strings aren't in the CM7 libandroid_runtime so I tried pushing the Blayo lib to CM7. GUI never boots fully, but no audio still using the btipsd_cli.
Same when I also replace libandroid_servers.so, bluez-plugin/audio.so and bluez-plugin/input.so
strings blayo/system/lib/libandroid_runtime.so |grep -i audiorouting
FM_RX_DisableAudioRouting
FM_RX_EnableAudioRouting
nativeJFmRx_SetAudioRouting(): Entered
nativeJFmRx_SetAudioRouting: fmapp_set_audio_routing() returned %d
nativeJFmRx_SetAudioRouting(): Exit
nativeJFmRx_disableAudioRouting(): Entered
nativeJFmRx_disableAudioRouting: FM_RX_DisableAudioRouting() returned %d
nativeJFmRx_disableAudioRouting(): Exit
nativeJFmRx_enableAudioRouting(): Entered
nativeJFmRx_enableAudioRouting: FM_RX_EnableAudioRouting() returned %d
nativeJFmRx_enableAudioRouting(): Exit
nativeJFmRx_EnableAudioRouting
nativeJFmRx_DisableAudioRouting
nativeJFmRx_SetAudioRouting
FM_RX_DisableAudioRouting
FM_RX_EnableAudioRouting
DisableAudioRouting
EnableAudioRouting

[HOW-TO/INFO] Bell FAQ [9-25-2011]

This is my attempt at a Bell FAQ, it is a work in progress.
Q. Why don't the instructions I found on how to do X not work?
A. This is a development forum, sometimes things are written in shorthand assuming you know things you don't. A lot of things are specific to one carrier's phone or another. Sometimes things change and are now obsolete, something new was found, a better way of doing things, if you were not following it all along you are likely to be lost. Read between the lines, you are a human being with reasoning abilities, figure it out.
Q. What should I do first?
A. Backup your phone. That means everything, especially your pds partition. Nandroid won't cut it and you have already modified your phone beyond the ability to get back if you can run it.
Ex. dd if=/dev/block/mmcblk0p3 of=/sdcard/backup/mmcblk0p3
Save your backup on your computer, create a zip of all the files, burn it off on cd/dvd, put it in a safety deposit box at your bank. Be prepared for bricking your phone. A lot of things mentioned in threads here are developed and tested for ATT phones, they may not work 100% on your phone.
Q. What is ADB?
A. It stands for Android Debug Bridge or something like that. It is a program that runs on your computer that lets you talk to your phone using special commands. Your phone has to have adb enabled, it's a setting under application/development.
Ex. adb shell
This opens a linux shell connected to your phone. Linux is an operating system for computers, it is also used as the base for android phones.
Ex. adb install file.apk
Ex. adb push file /tmp
Ex. adb pull /tmp/file .
Q. What is CWM recovery?
A. Android phones come with a special boot configuration that allows for changes to the android system from a place outside the system. It is very corporate and does the job for official signed updates, but only Motorola and its oems can sign the updates. Not much fun for us. CWM recovery is a replacement for the official recovery system that doesn't require signed updates.
You install CWM recovery using fastboot or moto-fastboot.
Q. What is unlocking the bootloader all about?
A. It is the means of putting CWM recovery on your phone so you can install roms and other packages. It allows you to flash a partition with mods and have the phone not soft brick when you reboot. When the unlocked versions of the atrix bootloader were found it started a new round of mods. A lot of the threads prior to that are now obsolete.
Q. How do I unlock the bootloader?
A. There is a huge thread already about this, see here.
WARNING: this is a permanent change to your phone.
Summary:
1. Download the archive
2. Extract the sbf inside, whatever it's called, that is the one to use.
3. Use linux sbf_flash or rsdlite from windows to install it.
3. fastboot oem unlock
4. Copy code fastboot spits out.
5. fastboot oem unlock code
6. fastboot reboot
You will see unlocked while booting and when you get into android you will have ~300MB of ram. This will need to be fixed. Also, you will lose all your data during the process, do a backup first.
Q. What is fastboot/moto-fastboot?
A. It's a program to access the phone and do stuff, write phone partition images mostly. The stock one can only handle tiny system images, pretty useless for the Atrix, xda member eval- compiled the motorola version for us that can handle larger system images, do a search for moto-fastboot.
Ex. moto-fastboot flash recovery recovery.img.
Q. How do I fix the ram problem?
A. I did up a CWM recovery zip to update the boot and recovery partitions to contain a kernel command line with the missing bit "[email protected]" added. See here.
There are other means of doing this, some boot images come prepackaged with the command line already embedded. There are ATT compiled kernels with a patch inside the kernel itself to do the same thing. You can search for those when you are ready to try things like custom ATT kernels on your phone.
Q. How do I root the phone?
A. If you are unlocked and you have fastboot flashed a version of CWM recovery, it is trivial. By that I mean almost impossible for newbies to figure out.
It would go something like this:
1. Boot into CWM recovery.
2. use adb shell
3. adb push a su binary to the phone.
4. mount system as read write as /system
5. copy su binary to /system/bin
6. make sure it has the right permissions, 06755 mode , user root, group root.
7. unmount -l /system
8. when in android look on the market for Superuser.apk, install.
Every rooting method out there is all about putting su into /system/bin with 06755 permissions, most don't work anymore since Gingerbread. If you are looking for a simple, no brain involved solution, you are likely to get something working and also something else you didn't want like a replaced preinstall partition or an installed busybox with different functionality for some important system commands. (Busybox may be more up to date even, but if it doesn't do what is expected of the older version, it's still not good.)
Another way would be to create a CWM zip that simply puts the linux su binary in system with the correct permissions. Some info about creating your own can be found here. Doing this is more involved than just doing it manually, but it would be a good practice for getting into creating CWM updates.
Here is a link to an exploit someone did up to root the phone when running GB. Haven't tested it, and with an unlocked phone it is totally redundant, but it's nice that someone found yet another security hole in the OS, seems similar in result to psneuter, so be sure to reboot the phone to fix the exploited system.
Seriously, if you are going to be reading or posting in the development section of xda for an android phone, take the 5 minutes to become familiar with adb and a few linux shell commands, it will save you hours of confusion and aggravation. If you fly blind trying things on your phone without understanding what you are doing you are eventually going to get into a place you can't get out of and need a new phone or REALLY have to struggle to understand things. You were warned.
Q. How do I get back to stock?
A. You can't unless you have a backup of all your phone partitions and can update your radio and bootloader to be stock. Once you unlock your phone, it is recorded that you did so by blowing a physical fuse on the phone. This cannot be restored, you will need a new phone.
What does stock mean to you? When I bought my phone it had a certain radio, the bootloader couldn't be unlocked, the android system files had certain versions, etc. Beyond the android system there are 18 partitions that I know of on the phone, most phones do with 5-6. Every ota update or sbf files take the normal files and change them to something else, non android partitions get modified or replaced.
I have some solutions for getting close to stock, do a search for Gobstopper. There is one for Bell 2.2.2 and Bell 2.3.4, use one or the other. These attempt a full back to stock operation, that means the radio and bootloader will be stock, recovery will be stock as well. (All the partitions that are on the phone are written over with the ones that were on my phone when I bought it, with the exception of partitions 3 (pds), 15 (cache), 16 (data), and 18 (userdata or internal memory), factory reset clears cache and data, you don't want pds touched or internal memory.) Unlocked will no longer be displayed when you boot and you will no longer have CWM recovery installed. You will need to install the unlocked bootloader again and fastboot flash recovery again if stock is not what you wanted. (Your pds partition is not involved in this operation, so if you made changes to it, either directly or indirectly via a sbf this will not restore it, your pds partition contains individual phone information.)
More about sbf format here.
Q. What does the pds partition taste like?
A. It's not really fit to eat. Now you know.
It is mmcblk0p3, a partition on your phone, it is mounted as /pds when android boots and contains a bunch of folders and files that nobody really understands fully but Motorola. Having a look at some of the files you will see things like your network physical address, bluetooth physical address. You will find threads where the display is all arsed up, cpu running at half speed, touch screen not working right, etc, all due to something going wrong with /pds. It is best to back it up and not mess with it. Restore it in an emergency. Maybe one day everything in there will be figured out, take a stab at it yourself.
See this thread by edgan for how to back up your pds partition.
See this thread by KeRmiT80 about attempting to fix your pds partition. Good motivation to see previous link.
Q. I lost network data access after flashing X.
A. Check your APN list, if it's not a Bell firmware you are using, it probably doesn't have Bell's APN list. Scratch that, you don't know what that is or how to check it.
It stands for Access Point Name and a big list of them is stored on your phone in one big file (/system/etc/apns-conf.xml), each firmware has its own version of it. Your phone will get two numbers from your carrier's phone network to do a look up in this list to figure out what configuration to use. So say it gets mcc 302, mnc 610, it will check the phone and look up 302, 610 in the file and read what it says there and use that config to try to connect. Now, another thing is that the phone knows what the home network is by these two numbers, embedded somewhere in the system. A foreign, non Bell carrier won't have Bell's numbers in there so your phone will think it's roaming. If you have roaming disabled, guess what, no data connection. Your carrier should be smart enough not to charge you for roaming, never had a problem with that, but you never know.
Here are the apn settings you can enter manually for your phone, see Bell's support link.
Q. How do I get webtop over HDMI to work?
A. There are several threads on getting this to work on ATT phones and others, they are specific to the firmware being run on the phone. They involve copying two deodexed files to your system/app folder and replacing the ones already there. You will also need to clear your dalvik cache to get the new code recognized. They are DockService.apk and PortalApp.apk. If you are not deodexed then you also have to remove the .odex files for both.
Here is one thread for Gingerbread, in the zip there is one for ORFR that will get you to viewing the webtop on Bell GB, but applications don't load.
Here is another thread for Froyo that works, see the Bell specific bit in the OP. This does not work from Bell Gingerbread.
To be continued...
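The APN lookup described in the "lost network data access" answer above, as an added example that is not part of the original post: it parses a constructed file in the apns-conf.xml layout and reports which of the two failure modes (no matching entry, or network treated as roaming with roaming disabled) applies. The carrier names, APN strings and the `home_networks` set are assumptions made up for illustration, as is treating an entry without a `type` attribute as usable for data.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the apns-conf.xml layout. Carrier names and APN
# strings are placeholders, not any carrier's real settings.
SAMPLE_APNS_CONF = """<apns version="7">
  <apn carrier="Example Carrier A" mcc="310" mnc="410" apn="a.example" type="default,supl,mms" />
  <apn carrier="Example Carrier B" mcc="302" mnc="610" apn="b.example" type="default,supl" />
  <apn carrier="Example Carrier B MMS" mcc="302" mnc="610" apn="mms.b.example" type="mms" />
  <apn carrier="Incomplete entry" mcc="302" apn="no-mnc.example" />
</apns>
"""


def load_apns(xml_text):
    """Return one dict per <apn> entry that has mcc, mnc and apn set."""
    entries = []
    for node in ET.fromstring(xml_text).iter("apn"):
        mcc, mnc, apn = node.get("mcc"), node.get("mnc"), node.get("apn")
        if not (mcc and mnc and apn):
            continue  # an entry without both numbers can never be matched
        types = {t.strip() for t in node.get("type", "").split(",") if t.strip()}
        entries.append({"carrier": node.get("carrier", ""), "mcc": mcc,
                        "mnc": mnc, "apn": apn, "types": types})
    return entries


def find_data_apns(entries, mcc, mnc):
    """APN names usable for ordinary data on the network (mcc, mnc).

    The numbers are compared as strings, exactly as written in the file.
    Assumption: an entry with no type attribute counts as usable for data.
    """
    return [e["apn"] for e in entries
            if e["mcc"] == mcc and e["mnc"] == mnc
            and (not e["types"] or "default" in e["types"] or "*" in e["types"])]


def diagnose(xml_text, mcc, mnc, home_networks, roaming_enabled):
    """Explain whether data can come up for the network the phone registered on.

    home_networks is the set of (mcc, mnc) pairs the firmware treats as home;
    where the firmware keeps that list is not modelled here.
    """
    apns = find_data_apns(load_apns(xml_text), mcc, mnc)
    roaming = (mcc, mnc) not in home_networks
    if not apns:
        reason = "no APN entry for this mcc/mnc"
    elif roaming and not roaming_enabled:
        reason = "network treated as roaming and data roaming is disabled"
    else:
        reason = "ok"
    return {"apns": apns, "roaming": roaming,
            "data": reason == "ok", "reason": reason}


if __name__ == "__main__":
    # Firmware built for another carrier: the entry exists, but 302/610 is
    # not a home network, so data stays down until roaming is enabled.
    print(diagnose(SAMPLE_APNS_CONF, "302", "610", {("310", "410")}, False))
```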
Hoping the Mods sticky this
A link should be attached to the wiki as well. I will try to when I get home if it isn't done already.
shouldn't this be in general? or q&a?
Magnetox said:
shouldn't this be in general? or q&a?
Probably both. Most things referenced are in development.
Cheers!
Sent from my MB860 using xda premium
y2whisper said:
Hoping the Mods sticky this
A link should be attached to the wiki as well. I will try to when I get home if it isn't done already.
+1 this should be a sticky on either or both general or development...
cheers for this...this thread is going to help me with my youtube viewers BIG TIME!!
Very nice!
Keep it up NFHimself!
NFHimself said:
This is my attempt at a Bell FAQ, it is a work in progress.
Q. How do I root the phone?
A. If you are unlocked and you have fastboot flashed a version of CWM recovery, it is trivial. By that I mean almost impossible for newbies to figure out.
It would go something like this:
1. Boot into CWM recovery.
2. use adb shell
3. adb push a su binary to the phone.
4. mount system as read write as /system
5. copy su binary to /system/bin
6. make sure it has the right permissions, 06755 mode , user root, group root.
7. unmount -l /system
8. when in android look on the market for Superuser.apk, install.
Every rooting method out there is all about putting su into /system/bin with 06755 permissions, most don't work anymore since Gingerbread. If you are looking for a simple, no brain involved solution, you are likely to get something working and also something else you didn't want like a replaced preinstall partition or an installed busybox with different functionality for some important system commands. (Busybox may be more up to date even, but if it doesn't do what is expected of the older version, it's still not good.)
To be continued...
I used this method to root the stock Bell Gingerbread ROM. Works on an Atrix too. It's a quick download and easy for those people who may not be comfortable with the adb command line.
http://www.psouza4.com/Bionic/
thx
useful for newbies
but can you put some more details about returning to stock and explain the pds partition in details plz?
papakilo10 said:
I used this method to root the stock Bell Gingerbread ROM. Works on an Atrix too. It's a quick download and easy for those people who may not be comfortable with the adb command line.
http://www.psouza4.com/Bionic/
Had a look at the script in that one, should be fine, doesn't install a busybox or anything like that. I don't care for Superuser.apk in /system/app myself, but it won't harm anything having it there.
Cheers!
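What a rooting method leaves on /system, as discussed in the FAQ's rooting answer and the replies above, can be audited from directory listings. This is an added example, not code from the thread or from any tool linked in it: it flags su and its mode, any other setuid/setgid file, an installed busybox, and Superuser.apk in /system/app. The `ls -l` line layout is an assumption, the listings are constructed, and `examplehelper` is a made-up file name.

```python
import re

# One line of `ls -l` output in the layout assumed here:
# mode, owner, group, optional size, date, time, name.
LS_LINE = re.compile(
    r"^(?P<mode>[-dlcbps][-rwxsStT]{9})\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?:(?P<size>\d+)\s+)?(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<name>.+)$"
)

# Constructed listings, as if captured with `adb shell ls -l <dir>`.
SAMPLE_LISTINGS = {
    "/system/bin": """
        -rwxr-xr-x root     shell       75816 2011-08-01 12:00 toolbox
        lrwxr-xr-x root     shell             2011-08-01 12:00 ls -> toolbox
        -rwsr-sr-x root     root        26264 2011-09-25 18:30 su
        -rwsr-x--- root     shell       18012 2011-08-01 12:00 examplehelper
    """,
    "/system/xbin": "-rwxr-xr-x root     shell     1085140 2011-09-25 18:31 busybox",
    "/system/app": "-rw-r--r-- root     root       196521 2011-09-25 18:32 Superuser.apk",
}


def mode_to_octal(mode):
    """Convert an ls mode string such as '-rwsr-sr-x' to its numeric value."""
    value = 0
    special = (0o4000, 0o2000, 0o1000)  # setuid, setgid, sticky
    for i in range(3):
        r, w, x = mode[1 + 3 * i: 4 + 3 * i]
        shift = 6 - 3 * i
        if r == "r":
            value |= 4 << shift
        if w == "w":
            value |= 2 << shift
        if x in "xst":       # lower-case s/t: execute bit set as well
            value |= 1 << shift
        if x in "sStT":      # any s/t: the special bit for this triplet
            value |= special[i]
    return value


def parse_listing(directory, text):
    """Parse ls -l text for one directory into a list of entry dicts."""
    entries = []
    for line in text.splitlines():
        m = LS_LINE.match(line.strip())
        if not m:
            continue
        name = m.group("name").split(" -> ")[0]  # drop symlink target
        entries.append({"path": directory.rstrip("/") + "/" + name,
                        "name": name, "kind": m.group("mode")[0],
                        "mode": mode_to_octal(m.group("mode")),
                        "owner": m.group("owner"), "group": m.group("group")})
    return entries


def audit(listings):
    """Return (path, finding) pairs for the items the thread talks about."""
    findings = []
    for directory, text in listings.items():
        for e in parse_listing(directory, text):
            if e["kind"] == "-" and e["mode"] & 0o6000:
                if e["name"] == "su":
                    as_described = (e["mode"] == 0o6755 and e["owner"] == "root"
                                    and e["group"] == "root")
                    note = ("su installed as described (06755 root:root)"
                            if as_described
                            else "su present with unexpected mode or owner")
                else:
                    note = "setuid/setgid file, mode %05o" % e["mode"]
                findings.append((e["path"], note))
            if e["name"] == "busybox":
                findings.append((e["path"], "busybox present"))
            if directory.rstrip("/") == "/system/app" and e["name"] == "Superuser.apk":
                findings.append((e["path"], "Superuser.apk installed as a system app"))
    return findings


if __name__ == "__main__":
    for path, note in audit(SAMPLE_LISTINGS):
        print(path, "->", note)
```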
ytwytw said:
thx
useful for newbies
but can you put some more details about returning to stock and explain the pds partition in details plz?
I added a few things, anything in particular you wanted?
I am trying to avoid step by step tutorials or spoon feeding everything, so people who are lazy/careless will have to attempt to think for themselves. It just leads to more questions, more laziness, and bricked phones, and I don't have the time these days.
Cheers!

[UNLOCK][ROOT][TWRP][UNBRICK] Fire TV Stick 4K (mantis)

NOTE: There have been multiple reports of devices with serial numbers containing VM190 or higher being shipped with DL-Mode disabled in BROM.
These devices cannot be unlocked using kamakiri.
These devices do not show up at all on USB when shorted.
After the old bootrom-exploit (amonet) we've been using for unlocking all these Fire-gadgets is closed in more recent Mediatek SOCs like the one used in the FireTV Stick 4K, @xyz` has done it again and found another bootrom-exploit.
Together we proudly present kamakiri for the FireTV Stick 4K.
Before proceeding make sure to read and understand this entire post.
Running this exploit requires a patched linux-kernel on the PC you are using.
We have put together a Live-ISO that already contains all prerequisites required for running kamakiri.
You can find the current version of the ISO at:
https://github.com/amonet-kamakiri/fireiso/releases
It can be burned to a CD or to a USB-flashdrive.
Current Version: kamakiri-mantis-v2.0.1.zip
You will need to open the device and remove the heatshield on the side without the antennas (2 square bricks).
NOTE: It is not required to desolder or force the shield off, it is just clipped onto a frame. (The attached picture may be a bit misleading, since it also has the frame removed)
You will need something for shorting (wire, aluminum foil etc.)
Boot the ISO
Download and extract the exploit package.
Open a terminal in the kamakiri directory
Run
Code:
./bootrom-step.sh
Short one of the points in the attached photo to ground (the cage of the shielding).
Ideally you want to use DAT0, since that is tiny it might be easier to short the point marked CLK instead.
It is very important that you use a piece of soft wire or aluminum foil or something similar for shorting. Don't use tweezers as that makes it incredibly easy to knock the capacitor off the PCB and kill the board!
Connect the stick to your computer (while keeping it shorted)
The script should tell you to release the short and hit enter
Once finished run
Code:
./fastboot-step.sh
Your device will now reboot into TWRP
Important information
Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.)
TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).
For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).
It is still advised to disable OTA.
thanks to @hwmod for the picture
thanks to @Sus_i for providing an update.bin
thanks to @zeroepoch for developing aftv2-tools
Contributors
k4y0z, xyz`
Source Code: https://github.com/amonet-kamakiri/
There are three options for interacting with TWRP:
A mouse via USB-OTG
TWRP commandline via adb: https://twrp.me/faq/openrecoveryscript.html
Via /cache/recovery/command
Example for /cache/recovery/command:
Code:
echo "--update_package=/path/to/zipfile" > /cache/recovery/command
echo "--wipe_cache" >> /cache/recovery/command
reboot recovery
Should you somehow end in a bootloop, TWRP contains a special boot menu that will be displayed when you boot the stick with an OTG-cable connected.
It will give you 5 seconds to hit cancel and stay in TWRP or reboot into the OS otherwise.
NOTE: This will only work if the boot-exploit is still there.
Changelog:
Version 2.0.1 (04.03.2022)
Fix Boot Menu on TWRP-Install
Version 2.0 (02.03.2022)
Update PL and TZ
Update TWRP to 3.6.1_9-0
Add support for boot-recovery and boot-fastboot
Add support for fused devices with FireOS < 6.2.8.7
Version 1.2 (20.10.2019)
Update TZ from 6.2.6.6
Add support for updating via TWRP
Version 1.1 (17.10.2019)
Add delay to properly flush data to EMMC
Yesss!!! Thanks.
Mother of GOD.
Can't believe.
And can't wait for a clean Android TV Rom.
It will be amazing since I need to use an American account to use this fire stick 4k in my country.
Complete, no issues... Great job! Thanks for the live USB, could not have made this easier!
@k4y0z I wonder why this cannot be done in Ubuntu?
I'm able to install pyusb with:
Code:
sudo apt-get install python-usb python3-usb
And then the scripts start. Is it due to the kernel patch?
BTW: good work, I'm still looking at the exploit in github and it looks awesome lol.
Rortiz2 said:
@k4y0z I wonder why this cannot be done in Ubuntu?
k4y0z said:
Running this exploit requires a patched linux-kernel on the PC you are using.
If you patch your kernel, there is no reason it wouldn't work on ubuntu.
I love the option to go into TWRP on boot with an OTG.... Fantastic!
Thanks to everyone involved. So happy to get some control over the 4k!
Can someone explain how to get the shield off?
rbox said:
Can someone explain how to get the shield off?
The heatsink and shield come off together, they are clipped on.
Start levering it up from the narrow side.
@k4y0z
Excellent work as always!!! :highfive::highfive::highfive::highfive::highfive:
Now, any chance that you can create a fastboot exploit such that there'd be no need to open the case? Same story with Fire TV2 (tank), fastboot exploit?
Keep the good stuff coming!!!
Is this something that Amazon can fix with future updates? I am holding off until we have a more refined rom..
rootuser11 said:
Is this something that Amazon can fix with future updates? I am holding off until we have a more refined rom..
No, the only way they can fix it is with a new hardware revision.
Does this permanently install anything? If I reboot after getting into TWRP the first time with fastboot the hacked fastboot splashscreen doesn't come back, it just boots FireOS normally with no options to boot TWRP.
Getting off the heatsink was a bit daunting especially because I didn't know there was also a sticky pad holding it on. Also spent ages trying to short the DAT0 point, got fed up and got it first time with CLK. Now I just need a rom to install!
iLLNiSS said:
Does this permanently install anything? If I reboot after getting into TWRP the first time with fastboot the hacked fastboot splashscreen doesn't come back, it just boots FireOS normally with no options to boot TWRP.
Every time I boot from power off with an OTG it gives the option for TWRP. It installed TWRP recovery. From there you can install root.
Try
ADB reboot recovery
bibikalka said:
@k4y0z
Excellent work as always!!! :highfive::highfive::highfive::highfive::highfive:
Now, any chance that you can create a fastboot exploit such that there'd be no need to open the case? Same story with Fire TV2 (tank), fastboot exploit?
Keep the good stuff coming!!!
Unfortunately the fastboot bug cannot be used like that on the 4K or we probably would have done so from the start.
I will look into the FireStick 2 when I get the time, but given the fastboot-bug is LK-Version specific and can be easily patched, I am unsure if it's worth the effort.
Michajin said:
Every time I boot from power off with an OTG it gives the option for TWRP. It installed TWRP recovery. From there you can install root.
Try
ADB reboot recovery
I’m guessing I have to actually install TWRP once inside TWRP the first time? I don’t have an OTG cable so never did anything once inside the first time.
