[WIP][DEV] S-Off [off-topic discussion prohibited]

Status
Not open for further replies.

G4 Man2

Senior Member
May 4, 2011
883
286
Coffeyville
I'm not calling names or being sarcastic. Just disagreeing. I'm allowed to do that, ya know. It's negative to you but positive to others. Sorry 'bout that.

Have you agreed with anyone about anything on this thread so far? The devs are making progress and you're just putting them down and questioning them, and that's negative to all the people like me who believe they are working hard to get this done.
 

designgears

Inactive Recognized Developer
Feb 9, 2010
5,399
8,909
SLC
We could write to partition 3 IF somebody could find how to get the partition table file. That, I think, would allow us S-Off quite easily, but without the partition table file there won't be any writing to partition 3.

Sent from my HTC One X using xda premium

>fastboot oem list_partition_emmc
...
(bootloader) index, type, start, num
(bootloader) 0, 0x4D, 0x1, 0x100
(bootloader) 1, 0x51, 0x101, 0x200
(bootloader) 2, 0x5D, 0x301, 0x3FCDE
(bootloader) 3, 0x5, 0x3FFDF, 0x1CDF020
OKAY [ 0.017s]
finished. total time: 0.018s

Is this the partition table you are looking for?
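The table above maps straight onto byte offsets once the sector size is known. What follows is an added example (the editor's code, not anything posted in the thread) that parses this fastboot output. It assumes 512-byte sectors and that the bootloader's 0-based index N corresponds to /dev/block/mmcblk0p(N+1) in Linux; neither is stated in the post. Under those assumptions index 2 is a partition of 0x3FCDE sectors, about 128 MiB, and index 3 (type 0x05, the standard MBR extended-partition type) is the container for the logical partitions; the other type codes are left as raw numbers.

```python
"""Turn `fastboot oem list_partition_emmc` output into byte offsets.

Added example by the editor, not code posted in the thread.
Assumptions not stated on the page: 512-byte sectors, and that the
bootloader's 0-based index N is /dev/block/mmcblk0p(N+1) in Linux.
Type 0x05 is the standard MBR extended-partition container; the other
type codes are kept as raw numbers.
"""
import re

SECTOR_BYTES = 512            # assumption: the eMMC reports 512-byte sectors
MBR_EXTENDED = 0x05           # standard MBR type code for an extended container

# Sample copied from the fastboot output quoted in the post above.
SAMPLE_OUTPUT = """\
...
(bootloader) index, type, start, num
(bootloader) 0, 0x4D, 0x1, 0x100
(bootloader) 1, 0x51, 0x101, 0x200
(bootloader) 2, 0x5D, 0x301, 0x3FCDE
(bootloader) 3, 0x5, 0x3FFDF, 0x1CDF020
OKAY [ 0.017s]
finished. total time: 0.018s
"""

# Matches only the numeric rows; the header and OKAY/finished lines fall through.
ENTRY = re.compile(
    r"\(bootloader\)\s+(\d+),\s*0x([0-9A-Fa-f]+),\s*0x([0-9A-Fa-f]+),\s*0x([0-9A-Fa-f]+)"
)


def parse_partition_table(output: str) -> list:
    """Return one dict per partition entry with sector and byte geometry."""
    entries = []
    for line in output.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        index = int(m.group(1))
        ptype, start, num = (int(g, 16) for g in m.groups()[1:])
        entries.append({
            "index": index,
            "device": "/dev/block/mmcblk0p%d" % (index + 1),  # assumption: index -> pN+1
            "type": ptype,
            "extended": ptype == MBR_EXTENDED,
            "start_sector": start,
            "num_sectors": num,
            "offset_bytes": start * SECTOR_BYTES,
            "size_bytes": num * SECTOR_BYTES,
        })
    return entries


def is_contiguous(entries: list) -> bool:
    """True if every entry starts exactly where the previous one ends."""
    for prev, cur in zip(entries, entries[1:]):
        if cur["start_sector"] != prev["start_sector"] + prev["num_sectors"]:
            return False
    return True


def by_device(entries: list, device: str) -> dict:
    """Look up an entry by its Linux block-device name."""
    for e in entries:
        if e["device"] == device:
            return e
    raise KeyError(device)


def dd_dump_command(entry: dict, out_path: str) -> str:
    """dd line that reads the same bytes from the whole-device node rather
    than the partition node (assumes the raw device is /dev/block/mmcblk0)."""
    return "dd if=/dev/block/mmcblk0 of=%s bs=%d skip=%d count=%d" % (
        out_path, SECTOR_BYTES, entry["start_sector"], entry["num_sectors"])


if __name__ == "__main__":
    table = parse_partition_table(SAMPLE_OUTPUT)
    for e in table:
        print("%-22s type=0x%02X offset=0x%09X size=%d bytes%s" % (
            e["device"], e["type"], e["offset_bytes"], e["size_bytes"],
            "  (extended container)" if e["extended"] else ""))
    print("contiguous:", is_contiguous(table))
    print(dd_dump_command(by_device(table, "/dev/block/mmcblk0p3"), "/sdcard/p3.img"))
```

The contiguity check passes on this table (each entry starts where the previous one ends), and the generated dd line reads a partition by sector offset from the whole-device node, which is a useful cross-check when a write to the partition node appears to succeed but reads back unchanged.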
 

Root-Maniac

Senior Member
Jan 10, 2012
1,917
836
SO. Cali.
>fastboot oem list_partition_emmc
...
(bootloader) index, type, start, num
(bootloader) 0, 0x4D, 0x1, 0x100
(bootloader) 1, 0x51, 0x101, 0x200
(bootloader) 2, 0x5D, 0x301, 0x3FCDE
(bootloader) 3, 0x5, 0x3FFDF, 0x1CDF020
OKAY [ 0.017s]
finished. total time: 0.018s

Is this the partition table you are looking for?

I believe so!!! Thanks, I will pass the info on, thank you

Sent from my HTC One X using XDA
 

Loneeagle14

Senior Member
Mar 2, 2010
88
8
You all AT&T guys? That sucks for you. On Evo LTE (which is superior hardware-wise, and aesthetically, to the One X) we have htcdev unlock, AND it allows us to flash kernels, ROMs and splash screens. So it's really NOT like being S-Off (oh yeah, we can flash radios, too). HTC didn't F you, AT&T did. Move to Sprint if you give a sh1t about modding.

sent from a shining jewel 4g LTE

How's that LTE working out for ya? Oh wait...
I got tired of Sprint's joke of a network. The best I had ever gotten 3G-wise was 800 kbps, and WiMAX was pathetic. So don't pity us. We can use all of our phone's hardware. :cool:

On the other hand, I'm loving the 40 Mbps I'm getting now.
 

corythug

Senior Member
Aug 2, 2011
1,626
206
PA
How's that LTE working out for ya? Oh wait...
I got tired of Sprint's joke of a network. The best I had ever gotten 3G-wise was 800 kbps, and WiMAX was pathetic. So don't pity us. We can use all of our phone's hardware. :cool:

On the other hand, I'm loving the 40 Mbps I'm getting now.

Truth, I just jumped from sprint and chose this over the evo lte. No regrets whatsoever.

Sent from my HTC One X using Tapatalk 2
 

expertzero1

Senior Member
Sep 28, 2011
2,708
375
So Cal, California
You all AT&T guys? That sucks for you. On Evo LTE (which is superior hardware-wise, and aesthetically, to the One X) we have htcdev unlock, AND it allows us to flash kernels, ROMs and splash screens. So it's really NOT like being S-Off (oh yeah, we can flash radios, too). HTC didn't F you, AT&T did. Move to Sprint if you give a sh1t about modding.

sent from a shining jewel 4g LTE

Not sure if serious.
Sent from my HTC One X using xda premium
 

K4get

Senior Member
OK guys, I have cleaned the thread a bit.
Some people's attitude and language are totally unacceptable.
What's the point in turning this thread into a flame war?
Are you going to get closer to S-off by doing that?
Consider this a warning...

Thank you for the much needed moderation.

Sent from my HTC One X using xda premium
 

h8rift

Inactive Recognized Developer
Jun 29, 2010
1,875
9,760
You all AT&T guys? That sucks for you. On Evo LTE (which is superior hardware-wise, and aesthetically, to the One X) we have htcdev unlock, AND it allows us to flash kernels, ROMs and splash screens. So it's really NOT like being S-Off (oh yeah, we can flash radios, too). HTC didn't F you, AT&T did. Move to Sprint if you give a sh1t about modding.

sent from a shining jewel 4g LTE

The funny part about this comment is.....

We can flash all of those things too. The only thing we are unable to do, which everyone wants S-Off for is:

* Get rid of tampered/relocked message
* Not have HTCDEV keep a record of your phone in their database (a list of warranty forfeitures).

That's all. That's all this whining, complaining, cracking your phone open, etc. is for.

So how about everyone that wants info about where these guys are at and what they are doing just simply... go to the IRC channel they are working in and get the info there. I do agree with nugzo that I would NOT be posting such a 'hardcore mod' with such a high possibility of failure here until it is 100% proven and completed.

I really am rooting for anyone able to S-Off this device... but it's really not necessary unless you want to lie about your warranty, to be honest, at this point :).

Good luck to everyone, and let's just stop posting here in general unless you are ACTUALLY contributing to this (or maybe not at all until there are actual findings).

Thanks,
-h8
 

JeepFreak

Senior Member
May 17, 2008
768
223
Google Pixel 4a 5G
What output do you get when you try to run:

fastboot oem writesecureflag 0

Code:
billy:~/android$ fastboot oem writesecureflag 0
...
(bootloader)  elite_init_sd, SD card already power on
(bootloader) sdhw_7xxx_open: id=0
(bootloader) [SD_HW_ERR] SD: No device attached
(bootloader) 902910 902E20
FAILED (status read failed (No such device))
finished. total time: 6.260s

And then fastboot locks up. If I try 'fastboot oem h' or anything else, it just says <waiting for device> and I have to hold the power button to get it to restart.

HTH,
Billy
 

PeartFan40

Senior Member
Jun 15, 2007
4,068
1,272
54
South Hadley, Ma. USA
Ok, the thread has been cleaned up again. From this point forward, I don't want to see any more bickering, flaming, or disruptive behavior. If you see anybody being disruptive, DO NOT engage or participate; just report it, and one of us Mods will deal with it. Engaging in disruptive behavior only makes things worse. Let's all show respect to the OP for his work. The next person who is disruptive will receive an infraction.

With that said, have fun, and please be respectful to each other. :)

Thread Re-Opened.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"If you choose not to decide, you still have made a choice"~Rush

Sent from my HTC One X, using XDA Premium.
 

JeepFreak

Senior Member
May 17, 2008
768
223
Google Pixel 4a 5G
OK, so I'm nearly certain that 0x8400 in mmcblk0p3 is the S-OFF bit, as was discussed a while back (page ~80 or so). I believe I found the tampered flag and the unlocked bootloader flag too, by dumping my partitions, then unlocking for the first time, dumping again, relocking, and dumping a third time. I then hashed all the dumps and compared them. Then I compared the images whose hashes didn't match.

0x8400 is '00' on the two S-OFF devices we have dumps from, and it's '03' on every other phone I've checked, regardless of whether it's locked, unlocked, or re-locked. '0' and '3' are consistent with the 'fastboot oem writesecurityflag' command too.

Everything else, on every partition, is either inconsistent on devices of similar security status, or it changes from lock to unlock to relock.

To reiterate what was said earlier in this thread, in the interest of organization: I've tried dd'ing a modified version of mmcblk0p3, and it seems to complete successfully, but you can pull it again immediately afterwards and it's unchanged. I tried "cat mmcblk0p3.img > /dev/block/mmcblk0p3", which either froze or powered off my phone at some point in the process, but that didn't work either.

The permissions of /dev/block/mmcblk0p3 are BRW------ root.root; I tried chmod'ing it to 777, but that didn't help anything.

Do we know anything else about mmcblk0p3? What else is contained within it? It's a big file, 130 MB. If we can determine when the device is expecting it to be modified, maybe we can take advantage and modify it ourselves.

Billy
 

beaups

Senior Recognized Developer
Nov 28, 2007
3,276
7,257
Dublin, OH
OK, so I'm nearly certain that 0x8400 in mmcblk0p3 is the S-OFF bit, as was discussed a while back (page ~80 or so). I believe I found the tampered flag and the unlocked bootloader flag too, by dumping my partitions, then unlocking for the first time, dumping again, relocking, and dumping a third time. I then hashed all the dumps and compared them. Then I compared the images whose hashes didn't match.

0x8400 is '00' on the two S-OFF devices we have dumps from, and it's '03' on every other phone I've checked, regardless of whether it's locked, unlocked, or re-locked. '0' and '3' are consistent with the 'fastboot oem writesecurityflag' command too.

Everything else, on every partition, is either inconsistent on devices of similar security status, or it changes from lock to unlock to relock.

To reiterate what was said earlier in this thread, in the interest of organization: I've tried dd'ing a modified version of mmcblk0p3, and it seems to complete successfully, but you can pull it again immediately afterwards and it's unchanged. I tried "cat mmcblk0p3.img > /dev/block/mmcblk0p3", which either froze or powered off my phone at some point in the process, but that didn't work either.

The permissions of /dev/block/mmcblk0p3 are BRW------ root.root; I tried chmod'ing it to 777, but that didn't help anything.

Do we know anything else about mmcblk0p3? What else is contained within it? It's a big file, 130 MB. If we can determine when the device is expecting it to be modified, maybe we can take advantage and modify it ourselves.

Billy

Great observations and a great find. That partition is probably NAND-locked by security built into h-boot. Perhaps with the correct tools (QPST, etc.) we can write to it.

Did you notice any other changes to that partition when you made the lock/relock change? Hopefully there's not a hash or signature of some sort that needs to be updated when that byte gets updated.

ADD: And I know it's a total longshot, but has anyone tried editing that partition from ADB in CWM? Perhaps the kernel is blocking the write and not h-boot. Longshot, I know.
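Billy's dump, hash and compare procedure, and beaups's question about whether anything else moves alongside the byte at 0x8400, as an added example. This is the editor's code, not code from the thread; the only fact it takes from the posts is offset 0x8400 in mmcblk0p3 (0x00 on the S-OFF dumps, 0x03 on S-ON). The sample dumps are constructed filler rather than real mmcblk0p3 images, and the second offset, 0x8410, is invented purely to stand in for a byte that tracks lock state.

```python
"""Compare raw partition dumps taken in different bootloader states and
locate the bytes that change, the method described in the posts above.

Added example by the editor, not code posted in the thread.  The only
fact taken from the thread is offset 0x8400 in mmcblk0p3 (0x00 on S-OFF
devices, 0x03 otherwise).  The sample dumps are constructed filler, not
real images, and LOCKSTATE_OFFSET is invented for illustration only.
"""
import hashlib

SECURE_FLAG_OFFSET = 0x8400   # from the post: 00 on S-OFF dumps, 03 on S-ON
S_OFF = 0x00
S_ON = 0x03

DUMP_SIZE = 0x9000            # constructed sample size (a real p3 dump is ~130 MB)
LOCKSTATE_OFFSET = 0x8410     # hypothetical byte that follows lock state; NOT documented


def sha256_hex(data: bytes) -> str:
    """Digest used to decide which dumps are worth a byte-level diff."""
    return hashlib.sha256(data).hexdigest()


def diff_ranges(a: bytes, b: bytes) -> list:
    """Return [(start, end)] half-open byte ranges where a and b differ.
    Dumps of unequal length are rejected: a truncated pull would otherwise
    show up as one huge change at the tail."""
    if len(a) != len(b):
        raise ValueError("dump lengths differ: %d vs %d" % (len(a), len(b)))
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges


def secure_flag(dump: bytes) -> int:
    return dump[SECURE_FLAG_OFFSET]


def is_s_off(dump: bytes) -> bool:
    return secure_flag(dump) == S_OFF


def stable_offsets(dumps: list, candidates) -> list:
    """Offsets whose byte is identical in every dump.  Fed with locked,
    unlocked and relocked dumps, this filters out bytes that follow lock
    state rather than the security flag."""
    return [o for o in candidates if len({d[o] for d in dumps}) == 1]


def only_flag_changed(a: bytes, b: bytes) -> bool:
    """True when the security-flag byte is the sole difference.  False with
    extra ranges means something else (a checksum or signature, say) moves
    with the flag and would have to be updated alongside it."""
    return diff_ranges(a, b) == [(SECURE_FLAG_OFFSET, SECURE_FLAG_OFFSET + 1)]


def make_dump(flag: int, lockstate: int = 0) -> bytes:
    """Constructed stand-in for a partition dump: deterministic filler with
    the two bytes of interest set."""
    buf = bytearray((i * 31 + 7) & 0xFF for i in range(DUMP_SIZE))
    buf[SECURE_FLAG_OFFSET] = flag
    buf[LOCKSTATE_OFFSET] = lockstate
    return bytes(buf)


def load_dump(path: str) -> bytes:
    """Read a real dump (e.g. one pulled with dd) for use with the functions above."""
    with open(path, "rb") as f:
        return f.read()


if __name__ == "__main__":
    locked, unlocked, relocked = make_dump(S_ON, 0), make_dump(S_ON, 1), make_dump(S_ON, 2)
    s_off = make_dump(S_OFF, 0)
    for name, d in (("locked", locked), ("unlocked", unlocked),
                    ("relocked", relocked), ("s-off", s_off)):
        print("%-9s sha256=%s.. flag=0x%02X" % (name, sha256_hex(d)[:16], secure_flag(d)))
    print("locked vs unlocked:", [(hex(s), hex(e)) for s, e in diff_ranges(locked, unlocked)])
    print("locked vs s-off   :", [(hex(s), hex(e)) for s, e in diff_ranges(locked, s_off)])
    print("flag-only change  :", only_flag_changed(locked, s_off))
    print("stable across lock states:",
          [hex(o) for o in stable_offsets([locked, unlocked, relocked],
                                          [SECURE_FLAG_OFFSET, LOCKSTATE_OFFSET])])
```

With real dumps, replace make_dump with load_dump on the files pulled from each phone. only_flag_changed returning False between an S-ON and an S-OFF dump is the signal beaups asks about: some other range moves with the flag, which is what a checksum or signature over the partition would look like.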
 

Top Liked Posts

    Hi All,

    OK, bootloader is unlocked, I am working on recovery, so the next challenge is....................S-OFF!!! Aw, f%@ck, I thought i had my life back...

    I invite all users with ideas and/or knowledge to jump in and tell me what they think I am doing right and what makes me a moron. I have no pride, so lay it on me.


    I will post progress reports in Post #2.

    Anyway, here's to getting this done quickly.

    Steve


    Moderator Edit
    This Thread has been moved back to the development section in an effort to put an end to the off topic discussion.
    Given the size of this thread I'm going to suggest that you USE the Search thread feature located at the top to make sure your suggestion or idea has not been attempted already.

    ANY OFF TOPIC POSTS WILL BE DELETED!
    Confirmed S-Off for Evita. Booyah! And it's all software as well, no hardware required. What a find by our man beaups! :) confirmed working
    You suck at moderating... We have no use for you. Go now; we'd be better off without you in these forums... you suck you suck you suck you suck... Power-hungry people like you make me sick.

    Goodbye

    Progress Reports

    Just starting out...
    More good news Here.............

    There have been 3 crucial files that we have been needing and searching for.

    Partition.XML
    8960_msimage.mbn
    Mprg8960.hex

    I was able to build 2 of them from scratch and they are proper

    8960_msimage.mbn
    http://db.tt/zePePzCO

    Partition_boot.XML
    http://db.tt/IeKEAsLj


    So we have 2 ready; now to make them usable we need the mprg8960.hex, which is the flash programmer. Once we have the 3 together, we can flash the eMMC to a big USB storage device, and we can build from scratch. This should not only benefit S-Off but unbricking any Evita that is in QHSUSB mode, regardless of how it got there and what firmware it was on......

    8960_msimage.mbn is used in conjunction with the mprg8960.hex to flash the eMMC into a USB storage device.

    Partition_boot.XML will be used to flash sbl1, sbl2, sbl3, tz and rpm if one of them becomes corrupted..... namely sbl3 or rpm; as we sit, if either of those gets borked, there is no fix ATM.

    So......mprg8960.hex......we need to find one or build one:beer:

    Sent from my Nexus 7 using Tapatalk 2

    ---------- Post added at 08:17 PM ---------- Previous post was at 08:12 PM ----------

    I'm not investigating the pads on the motherboard ATM. A bricked HOX can't provide the testing needed, so if anyone else wants to jump on that it may provide some good news for us.

    Sent from my Nexus 7 using Tapatalk 2