Introducing XDA:DevCon – A Conference For Developers By Developers
XDA Developers Android and Mobile Development Forum
Forgot your password?
Page 13 of 23    31112 13 1415 >>
 
Post Reply+
Tip us?
 
TripNRaVeR 		Old
24th January 2013, 12:04 AM
(Last edited by TripNRaVeR; 24th January 2013 at 12:09 AM.)
#121  
TripNRaVeR's Avatar
Senior Member
Thanks Meter 10734
Posts: 1,845
Join Date: Jun 2010
Location: Stevensweert

 
DONATE TO ME
I have gained access to some neat tools!

The tool is also able to boot into diag58, currently i'm running it userspace and can freely set everything i want. I tried entering diag58 but it was waiting on modem. Going to try to read the secure key, it has basicly acces to everything.



If you like my work.. you may always buy me a ice cold beer
join #TripNDroid on IRC server: freenode
 
REPLY
The Following 69 Users Say Thank You to TripNRaVeR For This Useful Post: [ Click to Expand ]
 
MrT69 		Old
24th January 2013, 07:01 AM
#122  
Senior Member
Thanks Meter 256
Posts: 252
Join Date: May 2006
Location: Odelzhausen
Default Re: Goal: S-off HOX+ and maybe the HOX (TEGRA3)
Found this:

http://a500bootloaderflash.tk/sbkcalc/

May be lcd047 could help at this point also for the HOX.

Sent from my EndeavorU using xda app-developers app
 
REPLY
The Following User Says Thank You to MrT69 For This Useful Post: [ Click to Expand ]
 
thunder07 		Old
24th January 2013, 11:27 AM
#123  
thunder07's Avatar
Recognized Contributor / Recognized Developer
Thanks Meter 1025
Posts: 956
Join Date: Sep 2007

 
DONATE TO ME
Quote:
Originally Posted by MrT69 View Post
Found this:

http://a500bootloaderflash.tk/sbkcalc/

May be lcd047 could help at this point also for the HOX.

Sent from my EndeavorU using xda app-developers app
unfortunately our sbk is very much different,
" It should be a 16 character long string containing only hexadecimal characters"
our only CPUID is one number long :/
i think ours is referred to as sbk v2 as well and it's yet to be cracked.


i know guys i'm shooting down everything you're coming up with..
but i have to before someone starts a discussion & fill the thread with it...
i've been there and tried ALOT of stuff
 
REPLY
The Following 4 Users Say Thank You to thunder07 For This Useful Post: [ Click to Expand ]
 
TripNRaVeR 		Old
24th January 2013, 11:49 AM
#124  
TripNRaVeR's Avatar
Senior Member
Thanks Meter 10734
Posts: 1,845
Join Date: Jun 2010
Location: Stevensweert

 
DONATE TO ME
Set odm production mode from 0x00000001 to 0x00000000 and we have what we want. How?

Well that isnt as easy as expected..

Somewhere during boot there is a check if we are in production mode or not. If we are in production mode then all locks are set. If we arent in production mode all locks are off and we have s-off.

Then we remove the check and its done. We know that the flag can be set in the fuse directory. However it requires a kernel patch, the write protection can be turned of for that section.

Where to find it?
Look at nv-tegra git, there is bootloader source and try to find it (probably htc renamed it)

If you like my work.. you may always buy me a ice cold beer
join #TripNDroid on IRC server: freenode
 
REPLY
The Following 32 Users Say Thank You to TripNRaVeR For This Useful Post: [ Click to Expand ]
 
blubbers 		Old
24th January 2013, 02:49 PM
#125  
Senior Member
Thanks Meter 254
Posts: 269
Join Date: Jan 2011
Quote:
Originally Posted by TripNRaVeR View Post
Set odm production mode from 0x00000001 to 0x00000000 and we have what we want. How?

Well that isnt as easy as expected..

Somewhere during boot there is a check if we are in production mode or not. If we are in production mode then all locks are set. If we arent in production mode all locks are off and we have s-off.

Then we remove the check and its done. We know that the flag can be set in the fuse directory. However it requires a kernel patch, the write protection can be turned of for that section.

Where to find it?
Look at nv-tegra git, there is bootloader source and try to find it (probably htc renamed it)
tried that back in may, but i couldn't get the fuses to be writeable, tried this instead;
Code:
endeavoru-2.6.39-86aa44d/arch/arm/mach-tegra/tegra_odm_fuses.c

static bool fuse_odm_prod_mode(void)
{
        u32 odm_prod_mode = 0;

        clk_enable(clk_fuse);
        get_fuse(ODM_PROD_MODE, &odm_prod_mode);
        clk_disable(clk_fuse);
        return false;
        return (odm_prod_mode ? true : false);
}
 
REPLY
The Following 3 Users Say Thank You to blubbers For This Useful Post: [ Click to Expand ]
 
TripNRaVeR 		Old
24th January 2013, 02:56 PM
(Last edited by TripNRaVeR; 24th January 2013 at 03:03 PM.)
#126  
TripNRaVeR's Avatar
Senior Member
Thanks Meter 10734
Posts: 1,845
Join Date: Jun 2010
Location: Stevensweert

 
DONATE TO ME
Quote:
Originally Posted by blubbers View Post
tried that back in may, but i couldn't get the fuses to be writeable, tried this instead;
Code:
endeavoru-2.6.39-86aa44d/arch/arm/mach-tegra/tegra_odm_fuses.c

static bool fuse_odm_prod_mode(void)
{
        u32 odm_prod_mode = 0;

        clk_enable(clk_fuse);
        get_fuse(ODM_PROD_MODE, &odm_prod_mode);
        clk_disable(clk_fuse);
        return false;
        return (odm_prod_mode ? true : false);
}
You also need to have the vdd_fuse voltage line enabled to gain write acces, you can find the source in my kernel tree on github

Edit:
https://github.com/TripNRaVeR/tripnd...52d4ea27624646

Somehow this brings the device into APX mode when u have a ENG kernel, these bricks somehow could be usefull to gain s-off.

If we write the fuses correctly it is done.

If you like my work.. you may always buy me a ice cold beer
join #TripNDroid on IRC server: freenode
 
REPLY
The Following 26 Users Say Thank You to TripNRaVeR For This Useful Post: [ Click to Expand ]
 
MrT69 		Old
24th January 2013, 05:46 PM
#127  
Senior Member
Thanks Meter 256
Posts: 252
Join Date: May 2006
Location: Odelzhausen
Also for the A500 Series - but Tegra chipset.
Some interesting informations and also the links within:

http://projects.pappkartong.se/a500/
 
REPLY
The Following User Says Thank You to MrT69 For This Useful Post: [ Click to Expand ]
 
TripNRaVeR 		Old
24th January 2013, 06:10 PM
#128  
TripNRaVeR's Avatar
Senior Member
Thanks Meter 10734
Posts: 1,845
Join Date: Jun 2010
Location: Stevensweert

 
DONATE TO ME
And another thing that also belongs here, have full acces to my device right now during APX mode.

http://forum.xda-developers.com/show...postcount=4973

If you like my work.. you may always buy me a ice cold beer
join #TripNDroid on IRC server: freenode
 
REPLY
The Following 50 Users Say Thank You to TripNRaVeR For This Useful Post: [ Click to Expand ]
 
TripNRaVeR 		Old
24th January 2013, 07:24 PM
#129  
TripNRaVeR's Avatar
Senior Member
Thanks Meter 10734
Posts: 1,845
Join Date: Jun 2010
Location: Stevensweert

 
DONATE TO ME
Got this key out of the 0.40 hboot


0x15d15b4fb63ee0b

If you like my work.. you may always buy me a ice cold beer
join #TripNDroid on IRC server: freenode
 
REPLY
The Following 56 Users Say Thank You to TripNRaVeR For This Useful Post: [ Click to Expand ]
 
xmoo 		Old
24th January 2013, 09:30 PM
#130  
xmoo's Avatar
Recognized Developer
Thanks Meter 1768
Posts: 5,296
Join Date: Aug 2006
Location: Eindhoven

 
DONATE TO ME
Default Re: Goal: S-off HOX+ and maybe the HOX (TEGRA3)
Quote:
Originally Posted by TripNRaVeR View Post
Got this key out of the 0.40 hboot


0x15d15b4fb63ee0b
I got 2 ENG and 2 MFG HBOOTs for you as .img to play with.

Sent from my HTC One X using xda app-developers app
Follow me on Twitter
 
REPLY

The Following 18 Users Say Thank You to xmoo For This Useful Post: [ Click to Expand ]
 
Post Reply+
Page 13 of 23    31112 13 1415 >>
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Go to top of page...