XDA Developers Android and Mobile Development Forum

S-on after xtc-clip - use riff box jtag - how to ?

heavy_metal_man (Recognized Contributor), post #11:
Well, once you have S-OFF you can map all of the NAND via fastboot kernel commands, but like the Wildfire S we would need to work out the size of all the partitions and "write in" the information for the radio. If we did that and then XTC-clipped a Buzz on the Revolutionary hboot, it may show you where the S-ON/S-OFF "bit" is. Then, in theory, you could write to the NAND and overwrite the bit to change it. In theory this would also work to properly S-OFF the device so all hboots could be flashed. But that would imply that the S-OFF/S-ON bit is actually in the unmapped partition of the NAND. I would like to try this idea just to see how far we could get, as I may be getting another S-ON Buzz in July, but we would have to get the mappings for the MTD partitions. Oh, and gfree only works on eMMC devices I think; that's why it won't work for us, as it is MTD.
Signature (Devices):
-> HTC wildfire (buzz)- currently testing all sorts.

-> HTC wildfire BEE
s-on HTC-dev unlocked
rom: my cooked rom
-> HTC sensation XE
Died a horrible overheating death
-> Nexus 7 32gb wifi
Bootloader unlocked
Rom: ParanoidAndroid 3.1
-> Htc desire s
xtc clip s-off/simunlocked/supercid
revolutionary hboot 7.00.1002
testing roms....
saidelike (Junior Member), post #12:
gfree only works on devices that use eMMC and have this vulnerability, that is to say only the HTC Desire Z... but it does not matter.

Be careful with what is below, it may brick your device so do it at your own risk.

I managed to set the S-ON flag back on the HTC Desire Z with the following command: AT@SIMLOCK?7,1. This can be sent to the device by first putting the device in HBOOT mode, then issuing "rtask C" and then talking to the radio with AT commands (see http://tjworld.net/wiki/Android/HTC/...kingtotheRadio).

But it did not work on an HTC Desire S.

Quote: Originally Posted by heavy_metal_man (post #11 above)
1) Could you expand on your "fastboot kernel" commands? How do you do what you are talking about?

2) I know where the security flag is for the HTC Desire Z but not for the Desire S; I would need to back up all the partitions, S-OFF it and then make a diff to identify it.
heavy_metal_man (Recognized Contributor), post #13:
Quote: Originally Posted by saidelike (post #12 above)
Well, this idea actually belongs to the guys over at the Wildfire S S-OFF campaign (had to be said).
The way it works is that you issue a kernel, or ClockworkMod recovery for that matter, with new parameters for the MTD partitions via fastboot, and when that new kernel is loaded the "unmapped" areas will then be mapped. Then, as you said for point 2, you would dump both before and after the XTC clip and, hopefully, it would show the location of the S-OFF. The partition information will be device specific, so each device and hboot would need to be accounted for. But the theory is solid. The only issue the WFS guys are having is trying to write to the NAND. But with an S-OFF device I hope this wouldn't be an issue. If you head over to their S-OFF campaign you will find out a lot more on this idea.

Sent from my HTC Sensation XE with Beats Audio using xda premium

saidelike (Junior Member), post #14:
Quote: Originally Posted by heavy_metal_man (post #13 above)
Great. Thanks for pointing me to [WFSdev][THE S-OFF CAMPAIGN] Kernal experts needed - exploit is being developed!. Even if they "only" want to get HBOOT S-OFF (different from the radio S-OFF that we get with the XTC Clip), the idea behind it, which consists in using "fastboot boot" to boot a kernel and map the usually disallowed partitions differently, is an idea that needs to be looked at deeply.

The magic is with the following command:
Code:
./fastboot -c "mtdparts=msm_nand:0x00100000@0x1ff00000(misc),0x00500000@0x02fc0000(recovery),0x00340000@0x034c0000(boot),0x10400000@0x03800000(system),0x02300000@0x13c00000(cache),0x09600000@0x16900000(userdata),0x00a00000@0x15f00000(devlog),0x00080000@0x02b00000(hboot)" boot recovery-clockwork-5.0.2.8-marvel.img
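To see what that `-c "mtdparts=..."` argument actually describes, here is an added example (not from the thread or the WFS campaign) that parses the exact string from the command above into a partition table, checks it for overlaps, and lists the NAND ranges the layout leaves unmapped. The total NAND size of 0x20000000 (512 MiB) is an assumption; the thread does not state it.

```python
import re
from dataclasses import dataclass

# Kernel command line exactly as quoted in the fastboot command in post #14.
MTDPARTS = ("mtdparts=msm_nand:0x00100000@0x1ff00000(misc),"
            "0x00500000@0x02fc0000(recovery),0x00340000@0x034c0000(boot),"
            "0x10400000@0x03800000(system),0x02300000@0x13c00000(cache),"
            "0x09600000@0x16900000(userdata),0x00a00000@0x15f00000(devlog),"
            "0x00080000@0x02b00000(hboot)")

# Assumed total NAND size (512 MiB); not stated in the thread.
NAND_SIZE = 0x20000000

# One mtdparts entry: <size>@<offset>(<name>); hex or decimal numbers.
PART_RE = re.compile(r"(?P<size>0x[0-9a-fA-F]+|\d+)@(?P<off>0x[0-9a-fA-F]+|\d+)\((?P<name>[^)]+)\)")


@dataclass
class Part:
    name: str
    offset: int
    size: int

    @property
    def end(self) -> int:
        return self.offset + self.size


def parse_mtdparts(cmdline: str):
    """Parse a Linux mtdparts= string; return (mtd_id, partitions sorted by offset)."""
    body = cmdline.split("mtdparts=", 1)[1]
    mtd_id, spec = body.split(":", 1)
    parts = []
    for chunk in spec.split(","):
        m = PART_RE.fullmatch(chunk.strip())
        if not m:
            raise ValueError(f"unsupported mtdparts entry: {chunk!r}")
        parts.append(Part(m["name"], int(m["off"], 0), int(m["size"], 0)))
    return mtd_id, sorted(parts, key=lambda p: p.offset)


def check_layout(parts, nand_size=NAND_SIZE):
    """Return (overlaps, gaps): overlapping name pairs and unmapped (start, end) ranges."""
    overlaps, gaps, cursor, prev = [], [], 0, None
    for p in parts:
        if p.offset < cursor:            # starts inside the previous partition
            overlaps.append((prev.name, p.name))
        elif p.offset > cursor:          # flash between partitions nothing maps
            gaps.append((cursor, p.offset))
        cursor, prev = max(cursor, p.end), p
    if cursor < nand_size:               # tail of the flash after the last partition
        gaps.append((cursor, nand_size))
    return overlaps, gaps
```

Run on the string above this reports no overlaps and two unmapped ranges, 0x0-0x2b00000 (before hboot) and 0x2b80000-0x2fc0000 (between hboot and recovery); those are the "unmapped areas" a remapped mtdparts line would have to cover before a before/after dump diff could see them.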