S-on after xtc-clip - use riff box jtag - how to ?

OP Kamil1987

30th May 2012, 05:12 PM | #11
heavy_metal_man (Recognized Contributor)
Well, once you have S-OFF you can map all of the NAND via fastboot kernel commands, but like the Wildfire S we would need to work out the size of all the partitions and "write in" the information for the radio. If we did that and then XTC-clipped a Buzz on the Revolutionary HBOOT, it may show you where the S-ON/S-OFF "bit" is. Then, in theory, you could write to the NAND and overwrite the bit to change it. In theory this would also work to properly S-OFF the device so all HBOOTs could be flashed. But that would imply that the S-OFF/S-ON bit is actually in the unmapped partition of the NAND. I would like to try this idea just to see how far we could get, as I may be getting another S-ON Buzz in July, but we would have to get the mappings for the MTD partitions. Oh, and gfree only works on eMMC devices I think; that's why it won't work for us as it is MTD.
30th May 2012, 06:37 PM | #12
saidelike (Junior Member)
gfree only works on devices that use emmc and have this vulnerability, that is to say only the HTC Desire Z...but it does not matter.

Be careful with what is below, it may brick your device so do it at your own risk.

I managed to set the S-ON flag back on the HTC Desire Z with the following command: AT@SIMLOCK?7,1. This can be sent to the device by first putting the device in HBOOT mode, then issuing "rtask C" and then talking to the radio with AT commands (see http://tjworld.net/wiki/Android/HTC/...kingtotheRadio).

But it did not work on an HTC Desire S.

Quote:
Originally Posted by heavy_metal_man

Well, once you have S-OFF you can map all of the NAND via fastboot kernel commands, but like the Wildfire S we would need to work out the size of all the partitions and "write in" the information for the radio. If we did that and then XTC-clipped a Buzz on the Revolutionary HBOOT, it may show you where the S-ON/S-OFF "bit" is. Then, in theory, you could write to the NAND and overwrite the bit to change it. In theory this would also work to properly S-OFF the device so all HBOOTs could be flashed. But that would imply that the S-OFF/S-ON bit is actually in the unmapped partition of the NAND. I would like to try this idea just to see how far we could get, as I may be getting another S-ON Buzz in July, but we would have to get the mappings for the MTD partitions. Oh, and gfree only works on eMMC devices I think; that's why it won't work for us as it is MTD.

1) Could you expand on your "fastboot kernel" commands? How do you do what you are talking about?

2) I know where the security flag is for the HTC Desire Z but not for the Desire S; I would need to back up all the partitions, S-OFF it and then make a diff to identify it.
30th May 2012, 07:50 PM | #13
heavy_metal_man (Recognized Contributor)
Quote:
Originally Posted by saidelike

gfree only works on devices that use emmc and have this vulnerability, that is to say only the HTC Desire Z...but it does not matter.

Be careful with what is below, it may brick your device so do it at your own risk.

I managed to set the S-ON flag back on the HTC Desire Z with the following command: AT@SIMLOCK?7,1. This can be sent to the device by first putting the device in HBOOT mode, then issuing "rtask C" and then talking to the radio with AT commands (see http://tjworld.net/wiki/Android/HTC/...kingtotheRadio).

But it did not work on an HTC Desire S.

1) Could you expand on your "fastboot kernel" commands? How do you do what you are talking about?

2) I know where the security flag is for the HTC Desire Z but not for the Desire S; I would need to back up all the partitions, S-OFF it and then make a diff to identify it.

Well, this idea actually belongs to the guys over at the Wildfire S S-OFF campaign (had to be said).
The way it works is that you issue a kernel, or ClockworkMod recovery for that matter, with new parameters for the MTD partitions via fastboot, and when that new kernel is loaded the "unmapped" areas will then be mapped. Then, as you said for point 2, you would dump both before and after the XTC Clip and, hopefully, it would show the location of the S-OFF. The partition information will be device specific, so each device and HBOOT would need to be accounted for. But the theory is solid. The only issue the WFS guys are having is trying to write to the NAND, but with an S-OFF device I hope this wouldn't be an issue. If you head over to their S-OFF campaign you will find out a lot more on this idea.

Sent from my HTC Sensation XE with Beats Audio using xda premium
1st June 2012, 09:16 AM | #14
saidelike (Junior Member)
Quote:
Originally Posted by heavy_metal_man

Well, this idea actually belongs to the guys over at the Wildfire S S-OFF campaign (had to be said).
The way it works is that you issue a kernel, or ClockworkMod recovery for that matter, with new parameters for the MTD partitions via fastboot, and when that new kernel is loaded the "unmapped" areas will then be mapped. Then, as you said for point 2, you would dump both before and after the XTC Clip and, hopefully, it would show the location of the S-OFF. The partition information will be device specific, so each device and HBOOT would need to be accounted for. But the theory is solid. The only issue the WFS guys are having is trying to write to the NAND, but with an S-OFF device I hope this wouldn't be an issue. If you head over to their S-OFF campaign you will find out a lot more on this idea.

Sent from my HTC Sensation XE with Beats Audio using xda premium

Great. Thanks for pointing me to "[WFSdev][THE S-OFF CAMPAIGN] Kernal experts needed - exploit is being developed!". Even if they "only" want to get HBOOT S-OFF (different from the radio S-OFF that we get with the XTC Clip), the idea behind it, which consists in using "fastboot boot" to boot a kernel that maps the usually unallowed partitions differently, is one that needs to be looked at deeply.

The magic is with the following command:
Code:
./fastboot -c "mtdparts=msm_nand:0x00100000@0x1ff00000(misc),0x00500000@0x02fc0000(recovery),0x00340000@0x034c0000(boot),0x10400000@0x03800000(system),0x02300000@0x13c00000(cache),0x09600000@0x16900000(userdata),0x00a00000@0x15f00000(devlog),0x00080000@0x02b00000(hboot)" boot recovery-clockwork-5.0.2.8-marvel.img
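As an added example (not code from the thread or any of its posters), here is a small Python helper that parses the mtdparts string from the command above, reports overlapping partitions and the NAND ranges the map leaves unmapped, and rebuilds the string with a gapN entry over each unmapped range so the whole flash can be dumped and diffed before and after the clip, as the posts propose. The 512 MiB flash size is an assumption, not a figure from the thread.

```python
import re
from typing import NamedTuple

# Constructed input: the mtdparts= value from the fastboot command quoted in the post.
MTDPARTS = ("msm_nand:0x00100000@0x1ff00000(misc),0x00500000@0x02fc0000(recovery),"
            "0x00340000@0x034c0000(boot),0x10400000@0x03800000(system),"
            "0x02300000@0x13c00000(cache),0x09600000@0x16900000(userdata),"
            "0x00a00000@0x15f00000(devlog),0x00080000@0x02b00000(hboot)")
# Assumed flash size (512 MiB): not stated in the thread, take the real figure from your device.
NAND_SIZE = 0x20000000

class Part(NamedTuple):
    name: str
    offset: int
    size: int

_PARTDEF = re.compile(r"(0x[0-9a-f]+|\d+)@(0x[0-9a-f]+|\d+)\(([^)]+)\)", re.I)

def parse_mtdparts(spec):
    """Parse '<mtd-id>:<size>@<offset>(<name>),...' (hex or decimal) into (mtd-id, [Part])."""
    dev, _, body = spec.partition(":")
    parts = []
    for chunk in body.split(","):
        m = _PARTDEF.fullmatch(chunk.strip())
        if not m:
            raise ValueError(f"unsupported partdef: {chunk!r}")
        size, offset, name = m.groups()
        parts.append(Part(name, int(offset, 0), int(size, 0)))
    return dev, parts

def layout_check(parts, nand_size):
    """Return (overlaps, gaps): overlapping name pairs and unmapped (start, end) ranges."""
    overlaps, gaps, top, cover = [], [], 0, None  # cover: partition reaching furthest so far
    for p in sorted(parts, key=lambda q: q.offset):
        if p.offset < top:
            overlaps.append((cover.name, p.name))
        elif p.offset > top:
            gaps.append((top, p.offset))
        if p.offset + p.size > top:
            top, cover = p.offset + p.size, p
    if top < nand_size:
        gaps.append((top, nand_size))
    return overlaps, gaps

def mtdparts_with_gaps(dev, parts, nand_size):
    """Rebuild the mtdparts string with a 'gapN' partition over every unmapped range."""
    gaps = layout_check(parts, nand_size)[1]
    extra = [Part(f"gap{i}", s, e - s) for i, (s, e) in enumerate(gaps)]
    full = sorted(parts + extra, key=lambda p: p.offset)
    return dev + ":" + ",".join(f"0x{p.size:08x}@0x{p.offset:08x}({p.name})" for p in full)
```

On the quoted map this reports no overlaps and two unmapped ranges, 0x00000000-0x02b00000 and 0x02b80000-0x02fc0000, which is where a before/after diff would have to look first.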