[WIP][DEV] S-Off [off-topic discussion prohibited]

By sk806, Senior Member on 7th May 2012, 02:15 AM
20th June 2012, 08:10 AM |#1211  
Member
Thanks Meter: 8
 
Quote:
Originally Posted by scottspa74

You all at&t guys? That sucks for you. On Evo LTE (which is superior hardware-wise, and aesthetically, to the One X) we have htcdev unlock, AND it allows us to flash kernels, ROMs and splash screens. So it's really NOT like being s-off (oh yeah, we can flash radios, too). HTC didn't F you, AT&T did. Move to sprint if you give a sh1t about Modding.

sent from a shining jewel 4g LTE

How's that LTE working out for ya? Oh wait...
I got tired of Sprint's joke of a network. Best I had ever gotten 3g wise was 800kbps and wimax was pathetic. So don't pity us. We can use all of our phone's hardware.

On the other hand, I'm loving the 40Mbps I'm getting now.
Last edited by Loneeagle14; 20th June 2012 at 08:25 AM.
 
 
20th June 2012, 08:39 AM |#1212  
corythug's Avatar
Senior Member
Flag PA
Thanks Meter: 210
 
Quote:
Originally Posted by Loneeagle14

How's that LTE working out for ya? Oh wait...
I got tired of Sprint's joke of a network. Best I had ever gotten 3g wise was 800kbps and wimax was pathetic. So don't pity us. We can use all of our phone's hardware.

On the other hand, I'm loving the 40Mbps I'm getting now.

Truth, I just jumped from sprint and chose this over the evo lte. No regrets whatsoever.

Sent from my HTC One X using Tapatalk 2
20th June 2012, 09:45 AM |#1213  
designgears's Avatar
Recognized Developer
Flag SLC
Thanks Meter: 8,830
 
what output do you get when you try to run;

fastboot oem writesecureflag 0
20th June 2012, 09:57 AM |#1214  
broncogr's Avatar
Senior Moderator
XDA Central
Thanks Meter: 4,329
 
OK guys, I have cleaned the thread a bit.
Some people's attitude and language are totally unacceptable.
What's the point in turning this thread into a flame war?
Are you going to get closer to S-off by doing that?
Consider this a warning...
The Following 13 Users Say Thank You to broncogr For This Useful Post: [ View ]
20th June 2012, 10:19 AM |#1215  
Senior Member
Flag So Cal, California
Thanks Meter: 379
 
Quote:
Originally Posted by scottspa74

You all at&t guys? That sucks for you. On Evo LTE (which is superior hardware-wise, and aesthetically, to the One X) we have htcdev unlock, AND it allows us to flash kernels, ROMs and splash screens. So it's really NOT like being s-off (oh yeah, we can flash radios, too). HTC didn't F you, AT&T did. Move to sprint if you give a sh1t about Modding.

sent from a shining jewel 4g LTE

Not sure if serious
Sent from my HTC One X using xda premium
20th June 2012, 11:45 AM |#1216  
K4get's Avatar
Senior Member
Flag PLANTATION,FLORIDA
Thanks Meter: 123
 
Quote:
Originally Posted by broncogr

OK guys, I have cleaned the thread a bit.
Some people's attitude and language are totally unacceptable.
What's the point in turning this thread into a flame war?
Are you going to get closer to S-off by doing that?
Consider this a warning...

Thank you for the much needed moderation.

Sent from my HTC One X using xda premium
The Following User Says Thank You to K4get For This Useful Post: [ View ]
20th June 2012, 12:43 PM |#1217  
h8rift's Avatar
Recognized Developer
Thanks Meter: 9,857
 
Quote:
Originally Posted by scottspa74

You all at&t guys? That sucks for you. On Evo LTE (which is superior hardware-wise, and aesthetically, to the One X) we have htcdev unlock, AND it allows us to flash kernels, ROMs and splash screens. So it's really NOT like being s-off (oh yeah, we can flash radios, too). HTC didn't F you, AT&T did. Move to sprint if you give a sh1t about Modding.

sent from a shining jewel 4g LTE

The funny part about this comment is.....

We can flash all of those things too. The only thing we are unable to do, which everyone wants S-Off for is:

* Get rid of tampered/relocked message
* Not have HTCDEV have a list of your phone in their database (a list of warranty forfeitures).

That's all. That's all this whining, complaining, cracking your phone open, etc. is for.

So how about everyone that wants info about where these guys are at and what they are doing just simply.....go to the IRC channel they are working in and get the info there. I do agree with nugzo that I would NOT be posting such a 'hardcore mod' with such a high possibility of failure here until it is 100% proven and completed.

I really am rooting for anyone able to S-Off this device....but it's really not necessary unless you want to lie about your warranty to be honest at this point.

Good luck to everyone, and let's just stop posting here in general unless you are ACTUALLY contributing to this (or maybe not at all until there are actual findings).

Thanks,
-h8
The Following User Says Thank You to h8rift For This Useful Post: [ View ]
20th June 2012, 02:53 PM |#1218  
JeepFreak's Avatar
Senior Member
Thanks Meter: 217
 
Quote:
Originally Posted by designgears

what output do you get when you try to run;

fastboot oem writesecureflag 0

Code:
billy:~/android$ fastboot oem writesecureflag 0
...
(bootloader)  elite_init_sd, SD card already power on
(bootloader) sdhw_7xxx_open: id=0
(bootloader) [SD_HW_ERR] SD: No device attached
(bootloader) 902910 902E20
FAILED (status read failed (No such device))
finished. total time: 6.260s
And then Fastboot locks up. If I try 'fastboot oem h' or anything else, it just says <waiting for device> and I have to hold the power button to get it to restart.

HTH,
Billy
Last edited by JeepFreak; 20th June 2012 at 02:55 PM.
The Following User Says Thank You to JeepFreak For This Useful Post: [ View ]
20th June 2012, 04:15 PM |#1219  
PeartFan40's Avatar
Senior Member
Flag South Hadley, Ma. USA
Thanks Meter: 1,406
 
Ok, thread has been cleaned up again. From this point forward, I don't want to see any more bickering, flaming, or disruptive behavior. If you see anybody being disruptive, DO NOT engage or participate, just report it, and one of us Mods will deal with it. Engaging in disruptive behavior only makes things worse. Let's all show respect to the OP for his work. The next person who is disruptive will receive an infraction.

With that said, have fun, and please be respectful to each other.

Thread Re-Opened.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"If you choose not to decide, you still have made a choice"~Rush

Sent from my HTC One X, using XDA Premium.
Last edited by PeartFan40; 21st June 2012 at 05:53 AM.
The Following 7 Users Say Thank You to PeartFan40 For This Useful Post: [ View ]
20th June 2012, 05:58 PM |#1220  
JeepFreak's Avatar
Senior Member
Thanks Meter: 217
 
OK, so I'm nearly certain that 0x8400 in mmcblk0p3 is the S-OFF bit, as was discussed a while back (page ~80 or so). I believe I found the tampered flag and the unlocked bootloader flag too, by dumping my partitions, then unlocking for the first time, dumping again, relocking, and dumping a third time. I then hashed all the dumps and compared them. Then I compared the images where the hashes didn't match.

0x8400 is '00' on the two S-OFF devices we have dumps from, and it's '03' from every other phone I've checked, regardless of if it's locked, unlocked, or re-locked. '0' and '3' are consistent with the 'fastboot oem writesecurityflag' command too.

Everything else, on every partition, is either inconsistent on devices of similar security status, or it changes from lock to unlock to relock.

To reiterate what was said earlier in this thread in the interest of organization, I've tried dd'ing a modified version of mmcblk0p3 and it seems to complete successfully, but you can pull it again immediately afterwards and it's unchanged. I tried "cat mmcblk0p3.img > /dev/block/mmcblk0p3", which either froze or powered off my phone at some point in the process, but that didn't work either.

The permissions of /dev/block/mmcblk0p3 are BRW------ root.root, and I tried chmod'ing it 777, but that didn't help anything.

Do we know anything else about mmcblk0p3? What else is contained within it? It's a big file, 130mb. If we can determine when the device is expecting it to be modified, maybe we can take advantage and modify it ourselves.

Billy
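
Added example (not part of the thread and not any poster's code): the dump-comparison method described in the post above, generalized to any number of labelled dumps. It hashes the images first, then reports only offsets whose byte is the same within each security-status group but differs between groups. The offset 0x8400 and the values 00/03 come from the post; the other offsets, the image size and the sample data are constructed assumptions.

```python
import hashlib

CHUNK = 4096  # compare block-wise so identical regions of a large image are skipped quickly

def candidate_offsets(groups):
    """Return {offset: {label: byte}} for offsets whose byte is identical inside
    every group of dumps but not the same across groups."""
    dumps = [d for members in groups.values() for d in members]
    size = len(dumps[0])
    if any(len(d) != size for d in dumps):
        raise ValueError("all dumps must have the same length")
    # Hash first, as in the post: identical images need no byte-level comparison.
    if len({hashlib.sha256(d).digest() for d in dumps}) == 1:
        return {}
    found = {}
    for base in range(0, size, CHUNK):
        first = dumps[0][base:base + CHUNK]
        if all(d[base:base + CHUNK] == first for d in dumps):
            continue
        for off in range(base, base + len(first)):
            per_group = {}
            for label, members in groups.items():
                values = {d[off] for d in members}
                if len(values) != 1:
                    break  # varies between devices of the same status: not a status flag
                per_group[label] = values.pop()
            else:
                if len(set(per_group.values())) > 1:
                    found[off] = per_group
    return found

def make_dump(secure_flag, lock_state, serial):
    """Constructed stand-in for an mmcblk0p3 image (real dumps are ~130 MB)."""
    img = bytearray(0x9000)
    img[0x8400] = secure_flag                # offset and values 00/03 are from the post
    img[0x100] = lock_state                  # assumed offset: changes on lock/unlock/relock
    img[0x200:0x200 + len(serial)] = serial  # assumed offset: per-device data
    return bytes(img)

SAMPLE = {
    "s-off": [make_dump(0x00, 0, b"AAA1"), make_dump(0x00, 1, b"AAB2")],
    "s-on": [make_dump(0x03, 0, b"AAC3"), make_dump(0x03, 1, b"AAD4"),
             make_dump(0x03, 2, b"AAE5")],
}

if __name__ == "__main__":
    for off, values in candidate_offsets(SAMPLE).items():
        print(hex(off), {k: f"{v:02x}" for k, v in values.items()})
```

On the constructed sample only 0x8400 is reported; the lock-state and per-device bytes are discarded because they vary inside a group.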
20th June 2012, 06:08 PM |#1221  
Senior Recognized Developer
Thanks Meter: 5,989
 
Quote:
Originally Posted by JeepFreak

OK, so I'm nearly certain that 0x8400 in mmcblk0p3 is the S-OFF bit, as was discussed a while back (page ~80 or so). I believe I found the tampered flag and the unlocked bootloader flag too, by dumping my partitions, then unlocking for the first time, dumping again, relocking, and dumping a third time. I then hashed all the dumps and compared them. Then I compared the images where the hashes didn't match.

0x8400 is '00' on the two S-OFF devices we have dumps from, and it's '03' from every other phone I've checked, regardless of if it's locked, unlocked, or re-locked. '0' and '3' are consistent with the 'fastboot oem writesecurityflag' command too.

Everything else, on every partition, is either inconsistent on devices of similar security status, or it changes from lock to unlock to relock.

To reiterate what was said earlier in this thread in the interest of organization, I've tried dd'ing a modified version of mmcblk0p3 and it seems to complete successfully, but you can pull it again immediately afterwards and it's unchanged. I tried "cat mmcblk0p3.img > /dev/block/mmcblk0p3", which either froze or powered off my phone at some point in the process, but that didn't work either.

The permissions of /dev/block/mmcblk0p3 are BRW------ root.root, and I tried chmod'ing it 777, but that didn't help anything.

Do we know anything else about mmcblk0p3? What else is contained within it? It's a big file, 130mb. If we can determine when the device is expecting it to be modified, maybe we can take advantage and modify it ourselves.

Billy

Great observations and great find. That partition is probably nand-locked by security built into h-boot. Perhaps with the correct tools (qpst, etc) we can write to it.

Did you notice any other changes to that partition when you made the lock/relock change? Hopefully there's not a hash or signature of some sort that needs to be updated when that byte gets updated.

ADD: And I know it's a total longshot, but anyone try editing that partition from ADB in CWM? Perhaps the kernel is blocking the write and not h-boot. Longshot, I know.
Last edited by beaups; 20th June 2012 at 06:11 PM.
The Following User Says Thank You to beaups For This Useful Post: [ View ]
