Goal: S-off HOX (TEGRA3)

Search This thread

jotha

Retired Forum Moderator
Again removed irrelevant and trivial information.

C'mon guys, we try to maintain here a level ABOVE the common and trivial knowledge. So please guys (especially MrT69), if you can't keep that level there, just keep out of the discussion and play somewhere else. This isn't your playground here.
We are really starting to loose our patience. This is the last time that this will stay without any infraction.
 

farhanito

Senior Member
Aug 21, 2010
901
231
Jakarta
sure, can you upload it? only got 1.31/1.36/1.39

btw, what is the status of getting into/out of APX? would love to check it out
hi, i'm no dev.. but i think my phone has something interesting..

my one x can get in and out of APX mode.
http://xdaforums.com/showpost.php?p=37356013&postcount=5195

but currently it's completely read-only.
i'm not sure this would help. but if you guys need something to test, just point me the direction..

btw, i tried nvflash from Trip's thread
C:\\tripndroid_nvflash>nvflash -w
Nvflash started
rcm version 0X4
Command send failed (usb write failed)
 

backXslash

Member
Jun 4, 2009
48
68
True it's for another chipset so the S-OFF portion won't work, but (and I may be wrong) I don't see a reason the SuperCID thing won't work for us, provided we find the right partition to edit.

http://xdaforums.com/showthread.php?p=26516911#post26516911

This is for the One X, and it's also confirmed to work on the One S, and they're editing /dev/block/mmcblk0p4 with root permissions. I'm ASSUMING that means that S-ON is only partially enforced. If we could get SuperCID, that's be a huge step in the right direction, would it not? Does anyone know what that partition actually is, and what the analogous partition on the One X+ is?

__________

Upon further investigation, /dev/block/mmcblk0p1 through /dev/block/mmcblk0p11 are all -something- though none of them contains strings for my CID or IMEI. HOWEVER, /dev/block/mmcblk0p9 DOES contain the string value for the last RUU flashed, which in my case is 1.17.401.1, with the entire rest of the file being padding.

There are more partitions, beyond 11. They actually go up to 20, as per ls -la /dev/block/, but everything beyond 11 seems to be excessively large.

-------

Sorry for the continuous posting, but I'm investigating. Anyway, the command "ls -la /dev/block/platform/sdhci-tegra.3/by-name/" yields a partition map with names.

lrwxrwxrwx root root 2013-02-19 11:08 APP -> /dev/block/mmcblk0p12
lrwxrwxrwx root root 2013-02-19 11:08 CAC -> /dev/block/mmcblk0p13
lrwxrwxrwx root root 2013-02-19 11:08 DLG -> /dev/block/mmcblk0p18
lrwxrwxrwx root root 2013-02-19 11:08 DUM -> /dev/block/mmcblk0p15
lrwxrwxrwx root root 2013-02-19 11:08 LKM -> /dev/block/mmcblk0p20
lrwxrwxrwx root root 2013-02-19 11:08 LNX -> /dev/block/mmcblk0p4
lrwxrwxrwx root root 2013-02-19 11:08 MSC -> /dev/block/mmcblk0p16
lrwxrwxrwx root root 2013-02-19 11:08 PDT -> /dev/block/mmcblk0p19
lrwxrwxrwx root root 2013-02-19 11:08 PG1 -> /dev/block/mmcblk0p6
lrwxrwxrwx root root 2013-02-19 11:08 PG2 -> /dev/block/mmcblk0p7
lrwxrwxrwx root root 2013-02-19 11:08 PG3 -> /dev/block/mmcblk0p8
lrwxrwxrwx root root 2013-02-19 11:08 RCA -> /dev/block/mmcblk0p3
lrwxrwxrwx root root 2013-02-19 11:08 RFS -> /dev/block/mmcblk0p17
lrwxrwxrwx root root 2013-02-19 11:08 RV1 -> /dev/block/mmcblk0p11
lrwxrwxrwx root root 2013-02-19 11:08 SIF -> /dev/block/mmcblk0p9
lrwxrwxrwx root root 2013-02-19 11:08 SOS -> /dev/block/mmcblk0p5
lrwxrwxrwx root root 2013-02-19 11:08 SP1 -> /dev/block/mmcblk0p10
lrwxrwxrwx root root 2013-02-19 11:08 UDA -> /dev/block/mmcblk0p14
lrwxrwxrwx root root 2013-02-19 11:08 WDM -> /dev/block/mmcblk0p2
lrwxrwxrwx root root 2013-02-19 11:08 WLN -> /dev/block/mmcblk0p1

This is from CM10.1, with the latest BLADE kernel, radio 3.1204.167.31 and HBOOT 1.35. Does anyone know what's what here?
 
Last edited:

Giblet-dono

Senior Member
Mar 24, 2009
1,507
702
OnePlus 7T Pro
OnePlus Nord
True it's for another chipset so the S-OFF portion won't work, but (and I may be wrong) I don't see a reason the SuperCID thing won't work for us, provided we find the right partition to edit.

http://xdaforums.com/showthread.php?p=26516911#post26516911

This is for the One X, and it's also confirmed to work on the One S, and they're editing /dev/block/mmcblk0p4 with root permissions. I'm ASSUMING that means that S-ON is only partially enforced. If we could get SuperCID, that's be a huge step in the right direction, would it not? Does anyone know what that partition actually is, and what the analogous partition on the One X+ is?

__________

Upon further investigation, /dev/block/mmcblk0p1 through /dev/block/mmcblk0p11 are all -something- though none of them contains strings for my CID or IMEI. HOWEVER, /dev/block/mmcblk0p9 DOES contain the string value for the last RUU flashed, which in my case is 1.17.401.1, with the entire rest of the file being padding.

There are more partitions, beyond 11. They actually go up to 20, as per ls -la /dev/block/, but everything beyond 11 seems to be excessively large.

-------

Sorry for the continuous posting, but I'm investigating. Anyway, the command "ls -la /dev/block/platform/sdhci-tegra.3/by-name/" yields a partition map with names.

lrwxrwxrwx root root 2013-02-19 11:08 APP -> /dev/block/mmcblk0p12
lrwxrwxrwx root root 2013-02-19 11:08 CAC -> /dev/block/mmcblk0p13
lrwxrwxrwx root root 2013-02-19 11:08 DLG -> /dev/block/mmcblk0p18
lrwxrwxrwx root root 2013-02-19 11:08 DUM -> /dev/block/mmcblk0p15
lrwxrwxrwx root root 2013-02-19 11:08 LKM -> /dev/block/mmcblk0p20
lrwxrwxrwx root root 2013-02-19 11:08 LNX -> /dev/block/mmcblk0p4
lrwxrwxrwx root root 2013-02-19 11:08 MSC -> /dev/block/mmcblk0p16
lrwxrwxrwx root root 2013-02-19 11:08 PDT -> /dev/block/mmcblk0p19
lrwxrwxrwx root root 2013-02-19 11:08 PG1 -> /dev/block/mmcblk0p6
lrwxrwxrwx root root 2013-02-19 11:08 PG2 -> /dev/block/mmcblk0p7
lrwxrwxrwx root root 2013-02-19 11:08 PG3 -> /dev/block/mmcblk0p8
lrwxrwxrwx root root 2013-02-19 11:08 RCA -> /dev/block/mmcblk0p3
lrwxrwxrwx root root 2013-02-19 11:08 RFS -> /dev/block/mmcblk0p17
lrwxrwxrwx root root 2013-02-19 11:08 RV1 -> /dev/block/mmcblk0p11
lrwxrwxrwx root root 2013-02-19 11:08 SIF -> /dev/block/mmcblk0p9
lrwxrwxrwx root root 2013-02-19 11:08 SOS -> /dev/block/mmcblk0p5
lrwxrwxrwx root root 2013-02-19 11:08 SP1 -> /dev/block/mmcblk0p10
lrwxrwxrwx root root 2013-02-19 11:08 UDA -> /dev/block/mmcblk0p14
lrwxrwxrwx root root 2013-02-19 11:08 WDM -> /dev/block/mmcblk0p2
lrwxrwxrwx root root 2013-02-19 11:08 WLN -> /dev/block/mmcblk0p1

This is from CM10.1, with the latest BLADE kernel, radio 3.1204.167.31 and HBOOT 1.35. Does anyone know what's what here?


The reason the SuperCID won't work for us, was also unclear to me for a long time..
Someone finally explained why.
The CID Is not saved the same way as with qualcomm chips!
A different location or way of saving data, not traditionally on a partition.
So this will not help/work us in any way
 

sieempi

Senior Member
Jul 30, 2010
295
401
my research on hox

Actually some info is stored on a partition that is not easily accesible in android (DIA not mapped). CID, for example, along with IMEI are stored, I believe, @ 00a00015.
This is a hexdump -C of /dev/block/mmcblk0
Code:
00a00000  48 54 43 2d 42 4f 41 52  44 2d 49 4e 46 4f 21 40  |HTC-BOARD-INFO!@|
00a00010  9e 00 00 00 48 54 43 5f  5f 30 33 32 33 35 33 34  |....HTC__0323534|
00a00020  xx xx xx xx xx xx xx xx  xx xx xx 00 23 05 00 00  |xxxxxxxxxxx.#...|-> imei not
00a00030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|      shown
I believe a lot of other flags are found in this area. It would be nice to map this to a partition in a custom kernel for easier access.
I even tried the following:
  • dd if=/dev/block/mmcblk0 bs=1 skip=10485780 count=8 of=/sdcard/a.bin (a.bin has the actual CID)
  • hexedit a.bin to supercid
  • dd if=/sdcard/a.bin of=/dev/block/mmcblk0 bs=1 seek=10485780 count=8 (patch with supercid)
but due to some protection mechanisms I don't yet understant, the changes are not submitted to emmc. (we need a tegra3 advisor)

I think this might be the place to hit if we, somehow, get access to rw.

If anyone is having heavy stuff to test, I'm willing to be the rat test. So far I'm trying to force into apx with TripNRaVeR's buggy rom version for further insights, but I've been "unfortunate" so far.

PS: each time I'm running fastboot oem boot my phone doesn't boot, nor says anything, but gets stuck in fastboot - it needs a forced poweroff; any ideea why? (I don't recall to have this issue with other phones)
PS2 @ teemo: that is NOT linux LNX partition, but a part of DIA partition which is hidden to android!
 
Last edited:

Lloir

Inactive Recognized Developer
Mar 23, 2009
6,236
8,029
Samsung Galaxy Note 8 (2017 Phone)
STOP now please. All "investigation" is HERE. No need to repeat. Do your homework - then come back with some real news ;)




That would be the system image = linux partition. Already covered in above OLD thread.

i would like to point out the following

1) This thread is for the HOX AND HOX+

2) Your crap does NOT = development or anything of the sort
 

TripNRaVeR

Senior Member
Jun 25, 2010
2,914
12,633
Maasbracht
True it's for another chipset so the S-OFF portion won't work, but (and I may be wrong) I don't see a reason the SuperCID thing won't work for us, provided we find the right partition to edit.

http://xdaforums.com/showthread.php?p=26516911#post26516911

This is for the One X, and it's also confirmed to work on the One S, and they're editing /dev/block/mmcblk0p4 with root permissions. I'm ASSUMING that means that S-ON is only partially enforced. If we could get SuperCID, that's be a huge step in the right direction, would it not? Does anyone know what that partition actually is, and what the analogous partition on the One X+ is?

__________

Upon further investigation, /dev/block/mmcblk0p1 through /dev/block/mmcblk0p11 are all -something- though none of them contains strings for my CID or IMEI. HOWEVER, /dev/block/mmcblk0p9 DOES contain the string value for the last RUU flashed, which in my case is 1.17.401.1, with the entire rest of the file being padding.

There are more partitions, beyond 11. They actually go up to 20, as per ls -la /dev/block/, but everything beyond 11 seems to be excessively large.

-------

Sorry for the continuous posting, but I'm investigating. Anyway, the command "ls -la /dev/block/platform/sdhci-tegra.3/by-name/" yields a partition map with names.

lrwxrwxrwx root root 2013-02-19 11:08 APP -> /dev/block/mmcblk0p12
lrwxrwxrwx root root 2013-02-19 11:08 CAC -> /dev/block/mmcblk0p13
lrwxrwxrwx root root 2013-02-19 11:08 DLG -> /dev/block/mmcblk0p18
lrwxrwxrwx root root 2013-02-19 11:08 DUM -> /dev/block/mmcblk0p15
lrwxrwxrwx root root 2013-02-19 11:08 LKM -> /dev/block/mmcblk0p20
lrwxrwxrwx root root 2013-02-19 11:08 LNX -> /dev/block/mmcblk0p4
lrwxrwxrwx root root 2013-02-19 11:08 MSC -> /dev/block/mmcblk0p16
lrwxrwxrwx root root 2013-02-19 11:08 PDT -> /dev/block/mmcblk0p19
lrwxrwxrwx root root 2013-02-19 11:08 PG1 -> /dev/block/mmcblk0p6
lrwxrwxrwx root root 2013-02-19 11:08 PG2 -> /dev/block/mmcblk0p7
lrwxrwxrwx root root 2013-02-19 11:08 PG3 -> /dev/block/mmcblk0p8
lrwxrwxrwx root root 2013-02-19 11:08 RCA -> /dev/block/mmcblk0p3
lrwxrwxrwx root root 2013-02-19 11:08 RFS -> /dev/block/mmcblk0p17
lrwxrwxrwx root root 2013-02-19 11:08 RV1 -> /dev/block/mmcblk0p11
lrwxrwxrwx root root 2013-02-19 11:08 SIF -> /dev/block/mmcblk0p9
lrwxrwxrwx root root 2013-02-19 11:08 SOS -> /dev/block/mmcblk0p5
lrwxrwxrwx root root 2013-02-19 11:08 SP1 -> /dev/block/mmcblk0p10
lrwxrwxrwx root root 2013-02-19 11:08 UDA -> /dev/block/mmcblk0p14
lrwxrwxrwx root root 2013-02-19 11:08 WDM -> /dev/block/mmcblk0p2
lrwxrwxrwx root root 2013-02-19 11:08 WLN -> /dev/block/mmcblk0p1

This is from CM10.1, with the latest BLADE kernel, radio 3.1204.167.31 and HBOOT 1.35. Does anyone know what's what here?

Well i'm not sure what you are posting here but all the 20 partitions are allready found and known by probably all the devs here. The partitions are set to ro with the force_ro binary placed on the mmcblk0 and mmcblk1 (boot) partitions.
EDIT:
marked ( ) the boot, not only the boot but all the relevant partitions are forced_ro

The force_ro binary can only be found when you set the correct permissions on the boot partitions. Otherwise it says doesnt exist unless you type in the full cat 0 > /sys/..../force_ro command then it says permission denied.

I have several ways to gain rw access to the binary and i can set it disabled. Problem is that it needs to be removed completely for us to have proper acces.

Mounting boot/recovery partitions to the rom cannot be done right now because of the filesystem. I have walked the road you describe allready and my results are in this topic. This method is way to risky to try without having a backup hox available.

I had quite a bunch of success rates when i used my hox with broken screen but since that one is bricked i stopped this s-off development.

Actually some info is stored on a partition that is not easily accesible in android (DIA not mapped). CID, for example, along with IMEI are stored, I believe, @ 00a00015.
This is a hexdump -C of /dev/block/mmcblk0
Code:
00a00000  48 54 43 2d 42 4f 41 52  44 2d 49 4e 46 4f 21 40  |HTC-BOARD-INFO!@|
00a00010  9e 00 00 00 48 54 43 5f  5f 30 33 32 33 35 33 34  |....HTC__0323534|
00a00020  xx xx xx xx xx xx xx xx  xx xx xx 00 23 05 00 00  |xxxxxxxxxxx.#...|-> imei not
00a00030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|      shown
I believe a lot of other flags are found in this area. It would be nice to map this to a partition in a custom kernel for easier access.
I even tried the following:
  • dd if=/dev/block/mmcblk0 bs=1 skip=10485780 count=8 of=/sdcard/a.bin (a.bin has the actual CID)
  • hexedit a.bin to supercid
  • dd if=/sdcard/a.bin of=/dev/block/mmcblk0 bs=1 seek=10485780 count=8 (patch with supercid)
but due to some protection mechanisms I don't yet understant, the changes are not submitted to emmc. (we need a tegra3 advisor)

I think this might be the place to hit if we, somehow, get access to rw.

If anyone is having heavy stuff to test, I'm willing to be the rat test. So far I'm trying to force into apx with TripNRaVeR's buggy rom version for further insights, but I've been "unfortunate" so far.

PS: each time I'm running fastboot oem boot my phone doesn't boot, nor says anything, but gets stuck in fastboot - it needs a forced poweroff; any ideea why? (I don't recall to have this issue with other phones)
PS2 @ teemo: that is NOT linux LNX partition, but a part of DIA partition which is hidden to android!

The fastboot command doesnt work since hboot 0.96 it is blocked by htc. :good:

I have found the IMEI, CID etc and i could read them just fine directly from the mmcblk0 /1 partitions after setting permissions. Sorry to say this and not trying to offend but this doesnt help us in any way by gaining s-off.

IF i understand the s-off correctly for the QCOM chips, its been done by overwriting cids?? It isnt that hard to gain acces to the CID settings, they are not high level secured...
 
Last edited:

scotty1223

Inactive Recognized Contributor
Jan 3, 2011
2,813
3,056
IF i understand the s-off correctly for the QCOM chips, its been done by overwriting cids?? It isnt that hard to gain acces to the CID settings, they are not high level secured...

well,not directly. with qualcom chips,the secureflag is turned of by(with my limited understanding):
1) sd card phones- getting the processor into download mode,then booting temporarily from the sd instead of the emmc

2)non-sd card phones- the recent exploit being used on hoxl,hos,and dna is attempting to flash a signed update.zip onto a superCID device. when the flash fails with a 92 supercid error,forcing a boot apparently does so without emmc write protection,wich allows the secureflag to be turned off from the booted OS on that next boot.

so superCID is needed for this recent exploit to work,but its function is somewhat indirect. maybe a similar method to disable write protect is possible with the tegra? ive got a one x,id love to see you figure it out.. mebbe we could pool some donations to get you anoter broken screen/damage device?
 

TripNRaVeR

Senior Member
Jun 25, 2010
2,914
12,633
Maasbracht
well,not directly. with qualcom chips,the secureflag is turned of by(with my limited understanding):
1) sd card phones- getting the processor into download mode,then booting temporarily from the sd instead of the emmc

2)non-sd card phones- the recent exploit being used on hoxl,hos,and dna is attempting to flash a signed update.zip onto a superCID device. when the flash fails with a 92 supercid error,forcing a boot apparently does so without emmc write protection,wich allows the secureflag to be turned off from the booted OS on that next boot.

so superCID is needed for this recent exploit to work,but its function is somewhat indirect. maybe a similar method to disable write protect is possible with the tegra? ive got a one x,id love to see you figure it out.. mebbe we could pool some donations to get you anoter broken screen/damage device?

If you run a sense rom would you mind trying this out:

Add to build.prop:
Code:
ro.sdcard=2

Possible that it requires the fuse command also but i cant remember it know, will check when i'm home. If what youre saying is true then i found some stuff. See if something happens. Also anyone knows what GEP means? It is all related to the sdcard hack.

A sense rom, and a sense rom only, is capable of this stuff. Sense actually checks a few modes during bootup (very early) they can be altered but since this is the first time i actually found this stuff (yesterday) i hardly know 5% of the things that can be done.

The fact that you telling me this now made me see (maybe a far) link to my findings from yesterday.
 

scotty1223

Inactive Recognized Contributor
Jan 3, 2011
2,813
3,056
If you run a sense rom would you mind trying this out:

Add to build.prop:
Code:
ro.sdcard=2

Possible that it requires the fuse command also but i cant remember it know, will check when i'm home. If what youre saying is true then i found some stuff. See if something happens. Also anyone knows what GEP means? It is all related to the sdcard hack.

A sense rom, and a sense rom only, is capable of this stuff. Sense actually checks a few modes during bootup (very early) they can be altered but since this is the first time i actually found this stuff (yesterday) i hardly know 5% of the things that can be done.

The fact that you telling me this now made me see (maybe a far) link to my findings from yesterday.

sure... i can try that later this evenig.im at work now,ill be home 8-9ish :)
 

virtualflyer

Senior Member
Mar 16, 2011
352
46
If you run a sense rom would you mind trying this out:

Add to build.prop:
Code:
ro.sdcard=2

Possible that it requires the fuse command also but i cant remember it know, will check when i'm home. If what youre saying is true then i found some stuff. See if something happens. Also anyone knows what GEP means? It is all related to the sdcard hack.

A sense rom, and a sense rom only, is capable of this stuff. Sense actually checks a few modes during bootup (very early) they can be altered but since this is the first time i actually found this stuff (yesterday) i hardly know 5% of the things that can be done.

The fact that you telling me this now made me see (maybe a far) link to my findings from yesterday.
I know I'm not a dev, but I have both a one x and a sense rom, so I've tried this...
Nothing seems to change actually, I can assure you I did everything right.
If you need further tests, or prefer someone else to do it better, say it!
 

TripNRaVeR

Senior Member
Jun 25, 2010
2,914
12,633
Maasbracht
My bad, wrong command

Add to build.prop:

Code:
ro.sdcard2=

Correct values are 0 and 1

Also add to build.prop
Code:
persist.fuse_sdcard=

Correct values are true and false

Some random stuff i found, dont pin me on this, i'm only posting my finds here:
- enc security key is stored on "extra" partition
- enc security key is checked BEFORE all partitions are mounted
- emmc bkops (kernel) seems needed
- sd enc key read failure on boot? phone gets into read only mode
- ro.ril.ruim.carrier=ct
- read_marked looks for security key
- key192 and key256 used (why? i dont know)


Response and results please
 
  • Like
Reactions: clyder

virtualflyer

Senior Member
Mar 16, 2011
352
46
R: Goal: S-off HOX+ and maybe the HOX (TEGRA3)

Will do it in a few minutes, in the meantime I'm learning many things on s-off for hox.

Should I try both 1 and 0 and true and false?
And check where for any result?
 

superchilpil

Senior Member
Sep 26, 2009
4,278
1,432
Texas
OnePlus 8 Pro
Nubia Red Magic 6
Re: Goal: S-off HOX+ and maybe the HOX (TEGRA3)

Emmc

dev: size erasesize name
mmcblk0p5: 00800000 00001000 "recovery"
mmcblk0p4: 00800000 00001000 "boot"
mmcblk0p16: 60000000 00001000 "system"
mmcblk0p17: 10000000 00001000 "cache"
mmcblk0p20: 00200000 00001000 "misc"
mmcblk0p1: 00600000 00001000 "wlan"
mmcblk0p2: 00200000 00001000 "WDM"
mmcblk0p25: 00200000 00001000 "pdata"
mmcblk0p3: 00600000 00001000 "radiocab"
mmcblk0p18: e00000000 00001000 "userdata"
mmcblk0p24: 01a00000 00001000 "devlog"
mmcblk0p19: 00200000 00001000 "extra"
mmcblk0p14: 03400000 00001000 "mdm9k"
mmcblk0p15: 00800000 00001000 "mdm9k_config"
mmcblk0p21: 00800000 00001000 "modem_st1"
mmcblk0p22: 00800000 00001000 "modem_st2"


Slithered from my HTC One X+
 

Top Liked Posts

  • There are no posts matching your filters.
  • 69
    I have gained access to some neat tools!

    The tool is also able to boot into diag58, currently i'm running it userspace and can freely set everything i want. I tried entering diag58 but it was waiting on modem. Going to try to read the secure key, it has basicly acces to everything.


    BBVVcZiCEAMtjoX.jpg
    56
    Got this key out of the 0.40 hboot


    0x15d15b4fb63ee0b
    50
    And another thing that also belongs here, have full acces to my device right now during APX mode.

    http://xdaforums.com/showpost.php?p=37133727&postcount=4973
    38
    IHTC One X+ Infos will be adapted to this as soon as possible.


    Names for the devices are:


    Model ID: PM35110
    Model Name: S728e
    aka One X+



    Model ID: PJ46100 aka
    Model Name: S720e
    aka One X



    So as the title says, we're facing the problem of not having S-OFF yet, although the One X (S720e) has been released nine months ago. The One X+ is newer but since it has the same processor family, it's accountable to this project. It's possible to unlock the bootloader via HTCdev but it doesn't gives us S-OFF. The Unlock via HTCdev gives us only partially control over Bootloader and Recovery. Since it's release date, some great Devs including Xmoo, Football, Mike1986 and more tried to disable the security check. Unfortunatly without a solution for the masses. Also the One X+ (S728e) is relatively new on the market, so THIS is maybe the first thread in the world regarding S-OFF on the S728e Unlike on other HTC phones, on which hardware solutions like the XTC-Clip, or software solutions like revolutionary or any similar software did the job, on the One X they're not going to work. At the moment the only known method is the official HTC's way.

    Ways to set the devices S-OFF
    Ways%20to%20set%20the%20S720e%20S-OFF.jpg


    --------------DIAG + JAVCARD Route--------------

    Infos I could gather. At the moment these infos are only valid for the S720e:

    Basically u need adb/android SDK before proceed.

    [WITH ROOT ACCESS]
    [+] Dump/copy boot.img
    Code:
    Command prompt :
    > adb shell
    > su
    > dd if=/dev/block/mmcblk0p4 of=/sdcard/boot.img
    More partition/img availabe to dump. Will update later.

    [WITHOUT ROOT ACCESS]
    Currently only /system is usable

    1) Android SDK (just need adb)
    2) Download busybox
    3) Command prompt :
    > adb push busybox /data/local/busybox
    > adb shell
    > cd /sdcard/
    > chmod 755 /data/local/busybox
    > /data/local/busybox tar cvf sysdump.tar /system
    4) Ignore tar: error exit delayed from previous errors'. Is done correctly.

    ----------------------------------------------------------------------

    Just finished dumped my semi-virgin One X system partition from SEA WWE stock ROM :D.
    The file would be OneX_SEA_WWE_1.26.707.2_SYSTEM_DUMP.zip 558.3 MB :eek:


    Radio (The Radiomodule on S720e is an Intel X-Gold 626 chip [XMM6260]) location (xmoo's post Radio) Documentation of the Radio chip and direct download:
    xmoo; said:
    Mike found out Radio is probably: \system\etc\QUO_6260.fls.clean
    7.96MB

    Commands located in QUO_6260.fls.clean
    CALIB_NVM
    DYNAMIC_NVM
    STATIC_NVM
    SEC_DATA
    PSI_RAM

    If I could believe the following:
    Found the same commands in a datasheet: "MSM3000Qualcomm, Inc.MOBILE STATION MODEM"
    http://www.datasheetarchive.com/MSM3000-datasheet.html

    So guess we got the Radio located!

    Possible Hboot location (blubber's post Hboot):
    blubber; said:
    xmoo; said:
    How do you know this?

    /EBT does not excist on my phone.


    mmcblk0p2 -> /dev/block/platform/sdhci-tegra.3/by-name/WDM
    mmcblk0p16 -> /dev/block/platform/sdhci-tegra.3/by-name/DUM
    mmcblk0p17 -> /dev/block/platform/sdhci-tegra.3/by-name/MSC
    mmcblk0p20 -> /dev/block/platform/sdhci-tegra.3/by-name/PDT

    of course it does not exist as i have written a few times before!
    it is not accessible with a stock kernel!

    i know it is there:


    Code:
    130|root@android:/ # hexdump -C /dev/block/mmcblk0|grep EBT                    
    000000e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|

    and the EBT partition does contain the bootloader!


    CID Check needs to be bypassed (xmoo's post CID check)
    xmoo said:
    Guys, the diag files have "CIDNUM: 11111111" in it.
    Can't change it cause the file gets corrupted.
    So only way to boot it up is by passing the CID check.

    This is were the Smartcard or Goldcard comes in.
    We tried the one from http://psas.revskills.de/?q=goldcard with no success.
    I remember for some devices you had to change 00 to 11, or something like that.
    Maybe this has to be done for this device aswell. Also I remember something that SDHC cards were not supported, or they are... been a long time ago.
    So your help is need.

    Create a goldcard which works.

    Remember to test it like this: http://xdaforums.com/show....php?t=1714056

    Thank you.

    Partiton list (Football's post Partition list)
    Football said:
    After intensive digging in some stuff I have found this. This is whole partition list for One X with all addresses and lengths of partitions...
    Code:
    [partition]
    name=BCT
    id=2
    start_location=0x00
    size=0x400000
    
    [partition]
    name=PT
    id=3
    start_location=0x400000
    size=0x200000
    
    [partition]
    name=EBT
    id=4
    type=bootloader
    start_location=0x600000
    size=0x400000
    
    [partition]
    name=DIA
    id=5
    type=bootloader
    start_location=0xA00000
    size=0x400000
    
    [partition] (Board Information)
    name=BIF
    id=6
    start_location=0xE00000
    size=0x200000
    
    
    [partition]
    name=GP1
    id=7
    start_location=0x1000000
    size=0x200000
    
    ### WLAN firmware ###
    [partition]
    name=WLN
    id=8
    start_location=0x1200000
    size=0x600000
    #filename=wlan.img
    
    ### WLAN Data + MFG Data ###
    [partition]
    name=WDM
    id=9
    start_location=0x1800000
    size=0x200000
    filename=WDM.img
    
    ### Radio Calibration Data ###
    [partition]
    name=RCA
    id=10
    filesystem_type=ext3
    start_location=0x1A00000
    size=0x600000
    
    ### Linux Kernel OS ###
    [partition]
    name=LNX
    id=11
    start_location=0x2000000
    size=0x800000
    filename=boot.img
    
    ### Recovery ###
    [partition]
    name=SOS
    id=12
    start_location=0x2800000
    size=0x800000
    filename=recovery.img
    
    ### PG1FS ###
    [partition]
    name=PG1
    id=13
    start_location=0x3000000
    size=0x1000000
    
    ### PG2FS ###
    [partition]
    name=PG2
    id=14
    start_location=0x4000000
    size=0x1000000
    
    ### PG3FS ###
    [partition]
    name=PG3
    id=15
    start_location=0x5000000
    size=0x1000000
    
    ### Software Info ###
    [partition]
    name=SIF
    id=16
    start_location=0x6000000
    size=0x400000
    filename=SIF.img
    
    ### Splash1 ###
    [partition]
    name=SP1
    id=17
    start_location=0x6400000
    size=0x400000
    
    ### Reserve1 ###
    [partition]
    name=RV1
    id=18
    start_location=0x6800000
    size=0x1C00000
    
    ### System ###
    [partition]
    name=APP
    id=19
    filesystem_type=ext3
    start_location=0x8400000
    size=0x50000000
    filename=system.img
    
    ### Cache ###
    [partition]
    name=CAC
    id=20
    filesystem_type=ext3
    start_location=0x58400000
    size=0x14000000
    
    ### Internal SD ###
    [partition]
    name=ISD
    id=21
    start_location=0x6C400000
    size=0x650000000
    
    ### Userdata ###
    [partition]
    name=UDA
    id=22
    filesystem_type=ext3
    start_location=0x6BC400000
    size=0x89400000
    filename=userdata.img
    
    ### Memory dump ###
    [partition]
    name=DUM
    id=23
    start_location=0x745800000
    size=0x200000
    
    
    ### MISC Partition ###
    [partition]
    name=MSC
    id=24
    start_location=0x745A00000
    size=0x200000
    
    ### Radio File System ###
    [partition]
    name=RFS
    id=25
    start_location=0x745C00000
    size=0x600000
    
    
    ### Develop Log ###
    [partition]
    name=DLG
    id=26
    start_location=0x746200000
    size=0x1600000
    
    ### PDATA for MASD ###
    [partition]
    name=PDT
    id=27
    start_location=0x747800000
    size=0x200000
    
    [partition]
    name=GPT
    id=28
    type=GPT
    start_location=0x747A00000
    #size=0xFFFFFFFFFFFFFFFF
    size=0x200000


    Mike1986's Partition Info (mike1986's post One X Partition Info)
    This thread's content might brick your device.
    This is not a ROM thread, so I'm not going to answer again and again and again the same questions over and over and over again.
    You can't read - quit this thread now. You can read but you can't understand more or less simple things - quit as well.
    You can read and you understand things, but you are too lazy to read the whole thread before asking the question - watch this first. And quit.

    This is what we know so far:

    Partitions1.png


    Some conclusions:

    1. It's very nice to see that finally someone separated "internal sd card" from userdata partition. So it's no longer linked to /data/media, as it used to be on Asus Transformer, Transformer Prime, Galaxy Nexus etc. but it's a separate partition now - mmcblk0p14. Basically the biggest benefit from that is that now formatting userdata partition will no longer erase virtual sd card content.
    2. It seems that NFC and WLAN deep settings are stored on separate partitions: mmcblk0p1 (wlan) and ? (NFC).
    3. There is a 5th PHYSICAL core, but it's invisible to the system. Android only sees the 4 main cores. The 5th companion core is not controlled by Android. Tegra 3 architecture itself handles the load balancing between the main cores and the companion core. (Thanks to Diamondback)
    4. There is no radio.img in current RUUs.


    Download firmware for HTC One X (PJ4610000)

    Firmware from 1.28.401.9 RUU
    --- MD5 checksum: 83375DF988C86E92417AA8949012A1C2 *PJ46IMG.zip ---

    Supported devices:
    --- CID's added by users requests are marked with green color ---
    cidnum: HTC__001
    cidnum: HTC__E11
    cidnum: HTC__203
    cidnum: HTC__Y13
    cidnum: HTC__102
    cidnum: HTC__405
    cidnum: HTC__304
    cidnum: HTC__032
    cidnum: HTC__J15
    cidnum: HTC__A07
    cidnum: HTC__016
    cidnum: HTC__M27

    Why it's better then full RUU:

    1. It doesn't contain stock recovery
    2. It doesn't contain stock, non rooted system
    3. It doesn't contain secured boot.img
    4. It wont wipe your data partition
    5. It's much smaller :D

    PJ46IMG.zip content: [UPDATE: 25.03.2012]

    android-info.txt - updated [20.04.2012]
    bct.img - updated [25.03.2012]
    rcdata.img - updated [20.04.2012]

    How to flash:

    1. Check your CID using fastboot getvar cid and MID using fastboot getvar mid
    2a. If your CID and MID are supported by default, navigate to point 3.
    2b. If your CID or MID is not supported by default, do this: (you do it at your own risk)
    2c. Open PJ46IMG.zip (don't extract it)
    2d. Open android-info.txt in text editor
    2e. Add your cidnum: or modelid: to the list, save file and close archive
    3. Place PJ46IMG.zip on your SD card
    4. Boot your device holding power button + vol down button
    5. Follow instructions on the screen

    Additional information:

    1. Flash above firmware at your own risk!
    2. It's recommended to flash it before flashing custom ROM based on proper RUU!
    3. Unlocking via htcdev.com will change your CID number into "none".

    4. RUU variants:
    x.xx.61.x - Orange UK (United Kingdom)
    x.xx.75.x - Orange ES (Spain)
    x.xx.110.x - T-Mobile UK (United Kingdom)
    x.xx.111.x - T-Mobile DE (Germany)
    x.xx.112.x - T-Mobile AT (Austria)
    x.xx.114.x - T-Mobile NL (Netherlands)
    x.xx.118.x - T-Mobile PL (Poland)
    x.xx.161.x - Vodafone UK (United Kingdom)
    x.xx.166.x - Vodafone CH-DE (Switzerland - Germany)
    x.xx.163.x - Vodafone FR (France)
    x.xx.169.x - Vodafone AT (Austria)
    x.xx.206.x - O2 UK (United Kingdom)
    x.xx.207.x - O2 DE (Germany)
    x.xx.401.x - World Wide English
    x.xx.707.x - Asia WWE (World Wide English)
    x.xx.720.x - Asia India
    x.xx.771.x - Hutchison 3G UK (United Kingdom)
    x.xx.862.x - Voda-Hutch AU (Australia)
    x.xx.980.x - Optus AU (Australia)
    x.xx.1400.x - HTC China

    Please post here your findings, thoughts or experience with after flashing images listed above.



    Mike1986's addition (mike1986's post Addition)
    mike1986 said:
    Something more:

    /system/etc/Flash_Loader.conf

    boot_port_name=/dev/ttyACMX0
    fw_download_port_name=/dev/ttyACMX0
    baudrate=921600
    BootTimeOut=3000
    CommTimeOut=1000
    eep_normal_mode=m
    file_name=/data/modem_work/QUO_6260.fls
    #file_name=QUO_6260.fls
    #file_name=XMM6260_SIC.fls
    #log_fname=/dev/null
    log_fname=/data/modem_work/Flash_Loader.log
    also

    \system\bin\poweron_modem_fls.sh

    Line 55: /system/bin/InjectionTool -i ${backup_dir}/QUO_6260.fls.clean -o ${Injected_dir}/QUO_6260.fls -n ${work_dir} -s ${sec_dir}
    Line 55: /system/bin/InjectionTool -i ${backup_dir}/QUO_6260.fls.clean -o ${Injected_dir}/QUO_6260.fls -n ${work_dir} -s ${sec_dir}
    and

    \system\bin\poweron_modem_hboot.sh

    Line 50: /system/bin/InjectionTool -i ${backup_dir}/QUO_6260.fls.clean -o ${Injected_dir}/QUO_6260.fls -n ${work_dir} -s ${sec_dir}
    Line 50: /system/bin/InjectionTool -i ${backup_dir}/QUO_6260.fls.clean -o ${Injected_dir}/QUO_6260.fls -n ${work_dir} -s ${sec_dir}
    And from flash_loader.log

    Start downloading item 'CODE:../HW/XMM6260_V2_USB-HSIC_FLASHLESS_EDE_1.0/MODEM_DEBUG/QUO_6260.fls'' from file '/data/modem_work/QUO_6260.fls


    This is how HTC does it:


    My attempt (tried also on locked bootloader with the same output)




    Things you'll need for this trick:

    - USB OTG-Y-Cable. You can also build your own with this guide : How to make external powered OTG Cable
    - USB SD Cardreader
    - MicroSD Javacard (if you can bypass cid check, the Javacard is not needed) Xmoo said this one is used by HTC: GO-Trust® Secure microSD Java. It costs 980 US Dollars together with the SDK. Also, even if you have the Javacard you have to build the Application environment.
    - 5V+ Power supply (Standard wall charger)
    - PJ46DIAG.zip= clean S58 Data program specificly for the S720E/S728e. The correct DIAG has tot have a size of 964kb or 941kb and must contain the string "clean s58..." which can be checked with hexedit or any similar hex editor.

    The procedure:

    1. Put PJ46DIAG.zip on the Secure MicroSD Javacard
    2. Plug it into the USB SD Cardreader
    3. Plug the Cardreader into the female end of USB OTG-Y-Cable
    4. Plug the OTG-Y-Cable into the USB port of the phone
    5. Plug the cable onto the power supply
    6. Reboot into bootloader
    7. Once in Bootloader the file will be load by the phone and you'll land in S58 Menu. Clean S58 Data and you've successfully set your device S-Off

    And here's the problem with this method. 1. A Javacard is really hard to get. I've never saw one, no one I know has ever saw one :D 2. The Diag file can't be leaked. The ones I've attached here are useless as Xmoo said and maybe proved. I have attached them though. So anyone interested and willing to help can investigate them.

    As we know, the Diag file's for the One X can't be leaked. They're spread to choosen HTC-Repair centres, so a leak will easily be traced back. This would bring the affected people in some serious trouble. But this is interesting. These guys over on pdacentre use the official method. It's suspicious, kind of. For now, this is the only know method. It cost's around 2000 rubel (65€ | 85$) + shipping depending on your location. Of course this isn't an appropriate solution. Another thing; Why do we need a Javacard? Well, because the DIAG files will only work on devices with SuperCID (11111111) not on normal CID (HTC__XXX). So another way is to bypass the CID check.


    Rough diagram of a Javacard
    diagram_v21.jpg

    Copyright © 2011 GOTrust Technology Inc., All rights reserved.



    TOOLBOX
    The DIAG files I've linke don't have any function except from superwipe. They're only meant to be used as a test file to check if we can load such DIAG files.:

    How do I know that I have the correct DIAG file? ;
    The clean DIAG has a size of 964kb or 941kb. Or look at the image above. If your DIAG is called like them it could be the correct one also. But to be really sure, do the following;
    Download any HEXeditor you can get. Open the DIAG file with the HEXeditor and search for keywords like "clean", "s58", . If you find these two strings in the DIAG file, it could be the correct one. We'd appreciate it if you could upload the file.

    "clean s58"
    1.jpg

    Known and working DIAG files for the One X

    attachment.php



    What's already been done:

    xmoo; said:
    13-04-2012 XDA.CN releases pictures showing someone succesfully has S-OFF'd his device. Tool is for sale here: http://item.taobao.com/item.htm?id=10824156715
    17-04-2012 Thread made.
    17-04-2012 We have found someone with a S-OFF device, and a newer HBOOT than the one from XDA.CN. Trying to get access to the HBOOT.
    18-04-2012 OTA 1.28 brings HBOOT 0.94.
    18-04-2012 New member with a S-OFF device is willing to help.
    s-off-hboot_HOX.JPG

    19-04-2012 HBOOT 0.43 S-OFF rfs.img received and uploaded.
    19-04-2012 RFS.img is not the correct file, searching continues...
    19-04-2012 Radio located, click here
    26-04-2012 HBOOT probably located here
    15-05-2012 NVFlash app + APX Drivers added
    12-06-2012 Tegra 3 Manual added, see here!
    16-06-2012 HBOOT 1.11 from the test-keys uploaded here!
    16-06-2012 Huge development, read more about it!
    18-06-2012 Need to find a way to by-pass CID check.
    19-06-2012 Football Partition list for One X with all addresses and lengths of partitions which can be found here.
    27-06-2012 Huhge thread clean-up and update.
    04-07-2012 Had the chance to play with a S-OFF device, read more about it here! ENG HBOOT which is used in test, is located here.
    09-07-2012 Javacard with DIAG will work, but won't be a good solution cause no one got a legit Javacard and the DIAG files can't be leaked!
    14-07-2012 Video added which shows the Javacard with DIAG method. Video can be found here.
    14-07-2012 The ENG HBOOT 0.03 that Football uploaded lost it's sign. I re-uploaded it and re-checked the file and it should be good now. You can find the new .zip here.

    FAQ.
    What is S-OFF?
    S-OFF stands for Security-OFF
    S-OFF means that the NAND portion of the device is unlocked and can be written to. The default setting for HTC’s devices is S-ON, which means that neither can you access certain areas of the system nor can you guarantee a permanent root. Furthermore, signature check for firmware images is also ensured by the S-ON flag.

    What has already been done?
    -Tried flashing DIAG file, but with no success. File needs SuperCID.
    -Tried flashing ENG HBOOT as zip file, but with no success. File needs SuperCID.
    -Tried flashing modified DIAG file, but with no success. File needs SuperCID.
    -Tried flashing modified HBOOT as zip file, but with no success. Signature check failed.
    -Tried creating a Goldcard, but won't work. The Goldcare is for Qualcomm devices.
    -Root while phone is LOCKED, won't work. Only will work on the Qualcomm One X and One XL.
    -Ask the Chineese guy with the S-OFF tool. Won't share, cause he needs his money.
    -Tried flashing files over recovery, but with no success.
    -Tried flashing TETS and MFG ROMs, but with no success. Phone needs S-OFF because the ROMS are not sighned.
    -Tried changing CID, but won't work. Only will work on the Qualcomm One X and One XL.
    -Tried commands over ADB, but with no success.
    -Tried XTC clip, won't work.

    How Do I Know If My Device Is S-ON Or S-OFF?
    That is easy to verify. Simply boot into HBOOT (bootloader) on your device, and the text on top will show the flag status as either S-OFF or S-ON. A full root generally means S-OFF.
    s-off.jpg

    S-OFF – What And Why?
    HTC have installed a sort of security check whose level is determined by S-OFF/S-ON. Essentially, this security level is a flag stored on the device’s radio that checks signature images for any firmware before it is allowed to be written to system memory. This hinders using any custom ROMs, splash images, recovery etc., and also restricts access to the NAND flash memory. However, when security level is set to S-OFF, the signature check is bypassed, allowing a user to upload custom firmware images, unsigned boot, recovery, splash and HBOOT images, as well as official firmware that has been modified, this enabling maximum customization of your HTC Android device.

    Furthermore, S-OFF also reduces restrictions on accessing the NAND flash memory on the device, allowing all partitions (including /system) to be mounted in write mode while the operating system is booted.

    Where is it located?
    Don't know yet, here are the partitions.

    How can I flash through SD?
    Tutorial added here!

    What HBOOT status have we seen so far?
    ENDEAVORU PVT SHIP S-ON RL
    ENDEAVORU PVT SHIP S-OFF RL
    ENDEAVORU PVT ENG S-OFF RL
    ENDEAVORU XE ENG S-OFF RH
    ENDEAVORU PVT MFG RH
    ENDEAVORU XE SHIP S-OFF RH
    ENDEAVORU UNKNOWN ENG S-OFF RH

    Partition list for One X with all addresses and lengths of partitions
    Football share the full list which can be found here.

    How does HTC do it?
    They do it with a smartcard/javacard/goldcard (What ever you want to call it) in combination with the DIAG file. Proof is in the attachment.



    --------------Alternative APX MODE Route--------------


    Hey guys,

    Please stop PM'ing me about APX Mode. I get like 10 PM's a day.

    How to get in
    Nobody really knows. The most common way has been pressing volume up and down together while device is off and then plugin USB while connected to a computer.

    How to get out
    When your device is in APX Mode, HTC fixes it in repair. Someone here on XDA PM'd me with this video and said it should work: http://www.youtube.com/watch?v=rsnl_LIgzt0
    I have not tried it myself, so just give it a try and share with the rest.

    All the other discussions about APX can be done here, please stop pm'ing me.
    Thank you!


    Alright Folks! TripNRaVer has made something rudimentary, awesome, fascinating...words can't describe....Work!! Here You go, APX DRIVERS FOR THE ONE X

    semctriplogo.jpg



    For those of you that are in APX Mode or want to mess with APX here is the modified driver for the One X.

    Now you have acces to the device again through USB.

    Todo:
    - Plug the usb cable in hox
    - Goto device manager
    - Search for APX or Unknown device or whatever it is listed
    - Choose update driver
    - Choose manually select driver
    - Select the folder where you extracted the zip file
    - Install drivers

    Use nvflash to gain acces to the device again.

    Download:
    http://tripndroid.bindroidroms.com/TripNDroid-HOX-APX-Driver.zip

    Nvflash:
    - Use nvflash binary to gain acces to the device
    - Including flash.cfg for endeavoru to use with nvflash.exe
    - Including a bct file

    http://tripndroid.bindroidroms.com/tripndroid_nvflash.zip






    PLEASE read on the threads I've linked, before you start discussion. People really did some great development.