[S-OFF]Development

Status
Not open for further replies.
Search This thread
By:
Advanced…
xmoo

xmoo

Retired Recognized Developer
Aug 19, 2006
5,450
1,803
34
Eindhoven
www.Mohammad.Moghtader.net
KaoMinerva said:
If I had the One X, I'd ship mine to xmoo for s-off.

***Cooking The Work With Them Gloves On, So The Junkies Can Get They Grub On***
Click to expand...
Click to collapse

As I said 100000000 times before. I had the javacard for a day to do some testing!
Please stop pm'ing me and asking for shipping the device to me etc...

Football and me tried a lot of stuff and are now at a dead end.
Mid next week I hope to get some more info about APX.
 
  • Like
Reactions: thecoby, Arka88, deepsky303 and 16 others
KrisPerry

KrisPerry

Senior Member
Oct 23, 2010
532
63
xmoo said:
As I said 100000000 times before. I had the javacard for a day to do some testing!
Please stop pm'ing me and asking for shipping the device to me etc...

Football and me tried a lot of stuff and are now at a dead end.
Mid next week I hope to get some more info about APX.
Click to expand...
Click to collapse

Apx mode is the only way, and we are a million miles from that

Sent from my HTC One X using Tapatalk 2
 
viper619

viper619

Senior Member
Dec 18, 2010
277
39
Cairo
OnePlus 8 Pro
Moto G9 Plus
xmoo said:
As I said 100000000 times before. I had the javacard for a day to do some testing!
Please stop pm'ing me and asking for shipping the device to me etc...

Football and me tried a lot of stuff and are now at a dead end.
Mid next week I hope to get some more info about APX.[/QUOTE

is it possible to get into apx mode by a different way, maybe your contact could get some info about that, if there is an easy way we could make a program that gets us into apx mode even if it needs to cancel the ruu installation midway to get the phone into it, or a step by step guide.
its just an idea and i hope the info u'll get will help somehow

cheers XD
Click to expand...
Click to collapse
 
Jhinta

Jhinta

Senior Member
Dec 20, 2010
704
276
i realy am seeing mmcblkboot 0 and 1, dont know what there are.
cant do anything yet have to get some hardware but those partitions are there ( +/-2mb in size )
 
  • Like
Reactions: Mischaseb
B

bunny0007

Senior Member
Jun 14, 2006
253
58
Randers
Google Pixel 6 Pro
viper619 said:
xmoo said:
As I said 100000000 times before. I had the javacard for a day to do some testing!
Please stop pm'ing me and asking for shipping the device to me etc...

Football and me tried a lot of stuff and are now at a dead end.
Mid next week I hope to get some more info about APX.[/QUOTE

is it possible to get into apx mode by a different way, maybe your contact could get some info about that, if there is an easy way we could make a program that gets us into apx mode even if it needs to cancel the ruu installation midway to get the phone into it, or a step by step guide.
its just an idea and i hope the info u'll get will help somehow

cheers XD
Click to expand...
Click to collapse

It will be a dead end.

You cannot fool the bootloader in any way, if you disconnect the power under flash of recovery the signature fail in next, boot becasuse the bootloader are locked and only accept signed recovery.

APX might be the way, if htc not have made an encrypted protocol.

As i see it we will not se s-off, before some are leaked from service center or htc.
Click to expand...
Click to collapse
 
viper619

viper619

Senior Member
Dec 18, 2010
277
39
Cairo
OnePlus 8 Pro
Moto G9 Plus
bunny0007 said:
viper619 said:
It will be a dead end.

You cannot fool the bootloader in any way, if you disconnect the power under flash of recovery the signature fail in next, boot becasuse the bootloader are locked and only accept signed recovery.

APX might be the way, if htc not have made an encrypted protocol.

As i see it we will not se s-off, before some are leaked from service center or htc.
Click to expand...
Click to collapse

:s you didn't get my point, i said maybe we can get into apx mode in some way we can all manage, we still don't have information and i realy hope the info xmoo is getting will help us in that. XD

EDIT:- some pple managed to get into apx mode when they dropped their phone or when it heated up, and i read that u can also get the device into it if you interrupted the RUU flashing in a way it gets corrupted and the phone senses a very big malfunction or a problem (correct me if i'm wrong please).
Click to expand...
Click to collapse
 
Last edited:
  • Like
Reactions: bobmarsh72 and Squirrels
ZeDestructor

ZeDestructor

Senior Member
Apr 12, 2011
333
59
viper619 said:
bunny0007 said:
:s you didn't get my point, i said maybe we can get into apx mode in some way we can all manage, we still don't have information and i realy hope the info xmoo is getting will help us in that. XD

EDIT:- some pple managed to get into apx mode when they dropped their phone or when it heated up, and i read that u can also get the device into it if you interrupted the RUU flashing in a way it gets corrupted and the phone senses a very big malfunction or a problem (correct me if i'm wrong please).
Click to expand...
Click to collapse

Correct. Getting into APX mode at the moment seems feasible (break RUU flash by pulling battery seems like the safest way - the One X is almost identical structurally to a Sensation). Interacting with APX to flip the relevant S-OFF bits however is where we are stumped. Until that hurdle is cleared, S-OFF via APX is not possible.
Click to expand...
Click to collapse
 
  • Like
Reactions: Tony Tan and viper619
Jhinta

Jhinta

Senior Member
Dec 20, 2010
704
276
xmoo said:
Hmz. 2mb is size of a hboot.
Tell me more about this.

Sent from my HTC One X using xda app-developers app
Click to expand...
Click to collapse

From what I read online this is the protected space of mmc detected as mmcblk0boot0 . I'm trying to run native but need a keyboard connected to type I already have fb and terminal

Verstuurd van mijn HTC One X met Tapatalk
 
C

Cristianop

Senior Member
May 5, 2009
688
132
Germany
VIIRU§ said:
With that said this thread should be locked until someone has s-off to release.

Sent from my HTC One X using xda premium
Click to expand...
Click to collapse

Omg always those ungrateful comments.do you have some development to contribute to s-off? If not please, stay out this thread (and use instead the s-off discussion thread) until someone has s-off!

Thx


Sent from my HTC One X
 
  • Like
Reactions: cccy and Willieumm
Fightspit

Fightspit

Senior Member
May 13, 2010
1,060
338
Paris
Since a few hours, HTCdev has released supplement files for 2.17 kernel. One of the files called mtd.c may shows something interesting for understanding the partition of the OneX. There are functions which can read or write blocs of the mtds and many more.
 
  • Like
Reactions: CrisisCorE, wph and xmoo
MrT69

MrT69

Senior Member
May 9, 2006
1,748
4,422
54
Königsbrunn
www.keweon.de
Based on the idea to change the SUPER CID on the "mmcblk0p4" partition I imaged all partitions on the HOX.

It seems "mmcblk0p19" contain logfiles where i.e. HTC can find and see who has done changes within the bootloader.

But more interesting is this log file:

[ 0.000000] Lowering sbus maximum rate from 334000000 to 267000000
[ 0.000000] Lowering vi maximum rate from 425000000 to 409000000
[ 0.000000] Lowering vde maximum rate from 520000000 to 416000000
[ 0.000000] Lowering mpe maximum rate from 520000000 to 416000000
[ 0.000000] Lowering 2d maximum rate from 520000000 to 416000000
[ 0.000000] Lowering epp maximum rate from 520000000 to 416000000
[ 0.000000] Lowering 3d maximum rate from 520000000 to 416000000
[ 0.000000] Lowering 3d2 maximum rate from 520000000 to 416000000
[ 0.000000] Lowering se maximum rate from 520000000 to 416000000
[ 0.000000] Lowering cbus maximum rate from 700000000 to 416000000
[ 0.000000] Lowering pll_c maximum rate from 1400000000 to 1066000000
[ 0.000000] Lowering ndflash maximum rate from 240000000 to 200000000
[ 0.000000] Lowering sbc1 maximum rate from 160000000 to 100000000
[ 0.000000] Lowering sbc2 maximum rate from 160000000 to 100000000
[ 0.000000] Lowering sbc3 maximum rate from 160000000 to 100000000
[ 0.000000] Lowering sbc4 maximum rate from 160000000 to 100000000
[ 0.000000] Lowering sbc5 maximum rate from 160000000 to 100000000
[ 0.000000] Lowering sbc6 maximum rate from 160000000 to 100000000
[ 0.000000] Lowering dsia maximum rate from 500000000 to 275000000
[ 0.000000] Lowering dsib maximum rate from 500000000 to 275000000
[ 0.000000] Lowering cpu_g maximum rate from 1700000000 to 1500000000
[ 0.000000] tegra dvfs: VDD_CPU nominal 1150mV, scaling enabled
[ 0.000000] tegra dvfs: VDD_CORE nominal 1200mV, scaling enabled
[ 0.000000] [BOOT_LOG] Entering <machine>_init_power
[ 0.000000] [BOOT_LOG] Entering <machine>_init_cache
[ 0.000000] L310 cache controller enabled
[ 0.000000] l2x0: 8 ways, CACHE_ID 0x410000c7, AUX_CTRL 0x7e080001, Cache size: 1048576 B
[ 0.000000] PERCPU: Embedded 8 pages/cpu @c1718000 s8416 r8192 d16160 u32768
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 254736
[ 0.000000] Kernel command line: tegraid=30.1.3.0.0 mem=1016M@2048M vmalloc=668M video=tegrafb zygote_oneshot=off kmemleak=off androidboot.lb=1 androidboot.carrier=TMD led=1 androidboot.keycaps=qwertz console=none debug_uartport=lsport usbcore.old_scheme_first=1 lp0_vec=8192@0xbc0a8000 nvdumper_reserved=0xbf7ff000 tegra_fbmem=3689280@0xbc0ab000 panel_id=0x4940014 tegraboot=sdmmc gpt gpt_sector=61063167 androidboot.mode=recovery modem_id=0 androidboot.baseband=1.1204.103.14 androidboot.emmc=true androidboot.cid=T-MOB101 androidboot.mid=PJ4610000 androidboot.serialno=HTXXXXXX35 androidboot.mb_serialno=41xxxxxxxxxx4 androidboot.bootloader=0.96.0000 last_off_event=long_press_key start_on_event=none hw_rst_reason=0x0 sw_rst_reason=0x776655aa project_phase=UNKNOWN radioflag=0x0
[ 0.000000] Found panel_vendor: 4940014
[ 0.000000] board_bootloader_setup: 0.96.0000
[ 0.000000] board_bootloader_setup: SHIP BUILD
[ 0.000000] PID hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.000000] Dentry cache hash table entries: 32768 (order: 5, 131072 bytes)
[ 0.000000] Inode-cache hash table entries: 16384 (order: 4, 65536 bytes)
[ 0.000000] Memory: 1003MB = 1003MB total
[ 0.000000] Memory: 997732k/997732k available, 42652k reserved, 789988K highmem
[ 0.000000] Virtual kernel memory layout:
[ 0.000000] vector : 0xffff0000 - 0xffff1000 ( 4 kB)
[ 0.000000] fixmap : 0xfff00000 - 0xfffe0000 ( 896 kB)
[ 0.000000] DMA : 0xff000000 - 0xffe00000 ( 14 MB)
[ 0.000000] vmalloc : 0xce800000 - 0xf8000000 ( 664 MB)
[ 0.000000] lowmem : 0xc0000000 - 0xce400000 ( 228 MB)
[ 0.000000] pkmap : 0xbfe00000 - 0xc0000000 ( 2 MB)
[ 0.000000] modules : 0xbf000000 - 0xbfe00000 ( 14 MB)
[ 0.000000] .init : 0xc0008000 - 0xc004b000 ( 268 kB)
[ 0.000000] .text : 0xc004b000 - 0xc07531f0 (7201 kB)
[ 0.000000] .data : 0xc0d00000 - 0xc0de4db0 ( 916 kB)
[ 0.000000] Preemptable hierarchical RCU implementation.
[ 0.000000] RCU-based detection of stalled CPUs is disabled.
[ 0.000000] Verbose stalled-CPUs detection is disabled.
[ 0.000000] NR_IRQS:816
[ 0.000000] sched_clock: 32 bits at 1000kHz, resolution 1000ns, wraps every 4294967ms
[ 0.000377] Calibrating delay loop... 1993.93 BogoMIPS (lpj=9969664)
[ 0.060076] pid_max: default: 32768 minimum: 301
[ 0.060515] Mount-cache hash table entries: 512
[ 0.061542] Initializing cgroup subsys debug
[ 0.061554] Initializing cgroup subsys cpuacct
[ 0.061616] Initializing cgroup subsys freezer
[ 0.061683] CPU: Testing write buffer coherency: ok
[ 0.192700] CPU1: Booted secondary processor
[ 0.262660] CPU2: Booted secondary processor
[ 0.332668] CPU3: Booted secondary processor
[ 0.351965] Brought up 4 CPUs
[ 0.351977] SMP: Total of 4 processors activated (7975.73 BogoMIPS).
[ 0.357491] [BOOT_LOG] Entering do_initcalls
[ 0.358438] print_constraints: dummy:
[ 0.358778] NET: Registered protocol family 16
[ 0.360149] host1x bus init
[ 0.360731] [BOOT_LOG] Entering <machine>.init_machine
[ 0.361814] The pingroup LCD_PWR1 was configured to RSVD2 instead of <UNKNOWN>
[ 0.361877] The pingroup LCD_DC1 was configured to RSVD2 instead of <UNKNOWN>
[ 0.361942] The pingroup LCD_D8 was configured to RSVD2 instead of <UNKNOWN>
[ 0.362003] The pingroup LCD_D14 was configured to RSVD2 instead of <UNKNOWN>
[ 0.362018] The pingroup LCD_D15 was configured to RSVD2 instead of <UNKNOWN>
[ 0.362032] The pingroup GMI_AD0 was configured to RSVD2 instead of <UNKNOWN>
Click to expand...
Click to collapse

Take a look at the KERNEL COMMAND LINE. Never have seen this bevore.
 
  • Like
Reactions: PAGOT
Thunder07

Thunder07

Inactive RC / RD
Sep 22, 2007
1,541
2,415
MrT69 said:
Based on the idea to change the SUPER CID on the "mmcblk0p4" partition I imaged all partitions on the HOX.

It seems "mmcblk0p19" contain logfiles where i.e. HTC can find and see who has done changes within the bootloader.

But more interesting is this log file:



Take a look at the KERNEL COMMAND LINE. Never have seen this bevore.
Click to expand...
Click to collapse

sure to have to tell you this... but mmcblk0p19 is devlog partition is you can access it through /devlog
and as for the cmdline its in /proc/cmdline and is controlled by the kernel if i wasnt wrong...
considering how all the kernels developers are proper developers if thy though its any use they would have done something with it...

Off-topic....
to all the *****ing *****es....
i know of people working behind the scene away from your *****ness...
now i hope you're turning in your graves as i wont tell you of any of their progress until they decide to speak themselves :mad:
 
  • Like
Reactions: CrisisCorE, Segnale007, avensakias and 9 others
viper619

viper619

Senior Member
Dec 18, 2010
277
39
Cairo
OnePlus 8 Pro
Moto G9 Plus
thunder07 said:
Off-topic....
to all the *****ing *****es....
i know of people working behind the scene away from your *****ness...
now i hope you're turning in your graves as i wont tell you of any of their progress until they decide to speak themselves :mad:
Click to expand...
Click to collapse

Just don't answer back to them and we all know who they are, anyone who would like to help will add something usefull others *****ing leave them.
we have a saying (Dogs bark, but the Convoy still moves forward).
cheers
 
V

VIIRU§

Senior Member
Jul 15, 2012
476
233
Newark
Cristianop said:
Omg always those ungrateful comments.do you have some development to contribute to s-off? If not please, stay out this thread (and use instead the s-off discussion thread) until someone has s-off!

Thx


Sent from my HTC One X
Click to expand...
Click to collapse

That's what we all should be doing. Everyone its just trolling or arguing and its way off topic. This thread should be closed until xmoo is ready for it to be reopened.

Sent from my HTC One X using xda premium
 
Status
Not open for further replies.

Similar threads

tbalden
[ROM][official] HTC OneX CyanogenMod 10.1 (4.2) release
Replies
16K
Views
3M
IllUMINATUz
IllUMINATUz
mike1986.
[ROM] Android Revolution HD 33.1 | High Quality & Performance | Sense 5 | 4.18.401.3
Replies
50K
Views
9M
C
cmaz
m0narx
[ROM][05.06] Team Venom presents: ViperX 4.1.1 - welcome to the future
Replies
26K
Views
4M
izzulhafiz
izzulhafiz
L
Goal: S-off HOX (TEGRA3)
Replies
359
Views
306K
D
Douglas Longfellow
T
[ROM][official] HTC One X CyanogenMod 11.0 nightlies + M-releases
Replies
4K
Views
816K
Petert87
Petert87

Top Liked Posts

24 Hours All time
  • There are no posts matching your filters.
  • 141
    xmoo
    xmoo
    Read post #2 before posting!!

    So Football and me are busy with trying to get S-OFF for this Badboy, but it seems to be a hard job. Please be patient!
    Code: 
    /*
 * Your warranty is now void.
 *
 * We are not responsible for bricked devices, dead SD cards,
 * thermonuclear war, or you getting fired because the alarm app failed. Please
 * do some research if you have any concerns about content included in this thread
 * read before doing anything! YOU are choosing to make these modifications, and if
 * you point the finger at me for messing up your device, We will laugh at you.
 *
 */


    13-04-2012 XDA.CN releases pictures showing someone succesfully has S-OFF'd his device. Tool is for sale here: http://item.taobao.com/item.htm?id=10824156715
    17-04-2012 Thread made.
    17-04-2012 We have found someone with a S-OFF device, and a newer HBOOT than the one from XDA.CN. Trying to get access to the HBOOT.
    18-04-2012 OTA 1.28 brings HBOOT 0.94.
    18-04-2012 New member with a S-OFF device is willing to help.
    s-off-hboot_HOX.JPG

    19-04-2012 HBOOT 0.43 S-OFF rfs.img received and uploaded.
    19-04-2012 RFS.img is not the correct file, searching continues...
    19-04-2012 Radio located, click here
    26-04-2012 HBOOT probably located here
    15-05-2012 NVFlash app + APX Drivers added
    12-06-2012 Tegra 3 Manual added, see here!
    16-06-2012 HBOOT 1.11 from the test-keys uploaded here!
    16-06-2012 Huge development, read more about it!
    18-06-2012 Need to find a way to by-pass CID check.
    19-06-2012 Football Partition list for One X with all addresses and lengths of partitions which can be found here.
    27-06-2012 Huhge thread clean-up and update.
    04-07-2012 Had the chance to play with a S-OFF device, read more about it here! ENG HBOOT which is used in test, is located here.
    09-07-2012 Javacard with DIAG will work, but won't be a good solution cause no one got a legit Javacard and the DIAG files can't be leaked!
    14-07-2012 Video added which shows the Javacard with DIAG method. Video can be found here.
    14-07-2012 The ENG HBOOT 0.03 that Football uploaded lost it's sign. I re-uploaded it and re-checked the file and it should be good now. You can find the new .zip here.

    HBOOT versions
    Past: 0.03, 0.04, 0.32, 0.43, 0.94, 0.95, 0.96, 1.01
    Current: 1.11

    More to come, please stop PM'ing me!

    View
    89
    xmoo
    xmoo
    My story

    Kantoor.jpg

    The guys of Tweakers.net invited my to there office the play with there Engineering HTC One X device which they got by HTC Netherlands. It is so good to see a huge tech website like Tweakers.net trying to help the community getting S-OFF. Tweakers.net wants to write a review about the new ROM and by this way they could write a official review about the 2.x based ROM of the HTC One X. They want to help the community and the community will help them back ;)

    205.JPG

    Beginning situation:
    Device was running the 1.29.401.11 SHIP ROM with the 1.1204.105.14 RADIO.
    It is a engineering device, in the bootloader it said XE and RH instead of the PVT and RL.
    HBOOT located was version number 0.95, May 8th. CID of device is: HTC__E11.
    The device has a option for RAM Dump, but when I tried to dump the RAM, the phone would just reboot.
    Did not check SD if something was dumped or not.

    First attempt:
    Tried the flash a ENG HBOOT and tried running the DIAG with USB OTG but it failed. The cable did not work because it did not have a extra power supply (no Y USB).
    So basically I gave up. I promised Tweakers.net to flash the 2.05.401.2 TEST ROM (Which comes with a SHIP HBOOT) in return for me to play with his device.

    Test-Device.JPG

    2.05:
    I flashed the 2.05.401.2 ROM with the 2.1204.119.17 RADIO. I flashed the RUU using my MacBook Pro (Virtual Windows 7). That one succeeded and the reviewer did couple of benchmarks. On normal benchmarks it did not have massive improvements, but the browser benchmark went through the roof. HBOOT is now 1.11, May 25th. Suddenly I came with the idea to flash RUU again but change the rom.zip just like I did on past HTC Android phones.

    PJ46IMG.JPG

    Second attempt:
    I ran the RUU and replaced the rom.zip with PJ46IMG.zip (which includes ENG HBOOT 0.03.200, Jan 20th). The RUU tool recognized it as version 0.87.401.0 and I was able to flash it. Flashing went OK. HBOOT is DOWNGRADED!! But the OS would not boot :(

    205-flash.JPG

    Bricked:
    The downgrading of the HBOOT did succeed and the phone is now XE ENG S-OFF but the OS wont boot.
    The bootloader gave SECURITY WARNING. Recovery, Factory reset, clearing cache did not boot or work… So I was in deep ****, don't want to leave him with a bricked device.
    The phone did recognize everything, so I knew the phone was not fully bricked.
    Tried flashing the 2.05 TEST ROM but it would gave me Model error. Flashing the 1.29 SHIP ROM gave me Image error.
    So still only access to HBOOT and nothing else.

    096-hboot.JPG
    096.JPG

    Experience:
    I remembered from the HTC Leo (HD2) and ACE (Desire HD) that the early ENG/MFG/DEV HBOOT's only worked with 0.x based ROMS.
    I did not have the 0.87.401.0 ROM but I did have 0.96.401.2 TEST ROM (Which weird enough has a SHIP HBOOT).
    I tried installing the 0.96.401.2 TEST ROM. It did first flash HBOOT 0.04, Feb 4th reboot and then it started to flash the ROM again. Flashing the ROM almost succeeded but got aborted/failed installing something regarding NFC.

    205-2.JPG

    So bricked again:
    Because of the 0.96.401.2 TEST ROM failing on NFC, the phone did not boot but was in RUU mode. I knew because of the phone being in the RUU mode I was still able to flash it. I ran the 2.05.401.2 TEST ROM and it flashed successfully (Funny enough on this ROM there was nothing regarding NFC which needed to be flashed) and the phone booted. Thank god everything was fine again!! Funny thing is that on all the firmwares (TEST/MFG/ENG/SHIP), the OS did recognize it as a engineering device. So I guess that it is hard-coded or whatsoever in the NAND of the phone.

    What about the DIAG:
    Tried running the DIAG file in the same way I got the HBOOT to flash using the RUU. But it failed because it was not a flashable file. Suddenly I got the phone to read the DIAG file through the root of my MacBook PRO. The file did pass the CID check but then it got cancelled because of the needed for a SmartSD (same as Smartcard/Javacard). So I couldn't do ****. But the DIAG was legit and has version number 0.06.

    So what have we learned:
    HTC One X (ENDEAVOR) was originally the EDGE, the first renders were real and legit. The software was designed for that device but got a final as ENDEAVOR. The ENG HBOOT located in the PJ46IMG.zip is the ENG HBOOT that made the software to work on the ENDEAVOR. The SHIP HBOOT 0.04 was the first legit SHIP HBOOT for the device.

    The HBOOT is downgradable using the .zip but the OS won't work. The good thing is that the ENG HBOOT located in PJ46IMG.zip will work on none SuperCID devices. The file is not restricted to SuperCID just like the PJ46DIAG.zip. BUT… you can't flash the 0.96.401.2 TEST ROM because it is unsigned and replaces your HBOOT to a SHIP HBOOT. Theoretically you would be able to flash a SHIP ROM after the ENG HBOOT 0.03 is upgraded to SHIP HBOOT 0.04 with the 0.96.401.2 TEST ROM. So this gives us a ENG HBOOT which maybe allows us to perm remove secuflag or erase the locking state, so the device goes back to LOCKED using command which are allowed on ENG HBOOT.

    The DIAG file is basically a dead-end without having a SmartSD (Smartcard/Javacard).

    The 2,5 hour meeting brought blood/sweat/tears/happiness. Only thing now left is for someone to be brave enough to Flash the PJ46IMG.zip (which includes ENG HBOOT 0.03.200, Jan 20th) try commands and then get his/her phone back to life using the 0.96.401.2 TEST ROM. CIDs that will be able to flash the PJ46IMG.zip are: HTC__001, HTC__E11, HTC__203, HTC__Y13, HTC__102, HTC__405, HTC__304, HTC__032, HTC__J15, HTC__A07, HTC__016


    It was a 2hour trip to get there and another 2hour trip to go back home. Remember this is a hobby of mine, so please stop asking ETA's, other files or what so ever. Want to show some love? Donate to me and/or Football
    View
    84
    xmoo
    xmoo
    Ok you guys little summary for today.

    Today a XDA Veteran joined the development team! I welcome Football. We did several test and tried to flash couple of stuff.

    1. APX Mode, My device came in APX mode today, but because of lack of drivers I failed to send any commands or what so ever. Howto: Shutdown phone (Disable fast boot), Press volume down, keep it pressed, plugin USB cable to device (while it is connected t your laptop/desktop), wait till you here the sound of new hardware found, release the volume button. You device is in APX mode. Well I think it is APX mode, because my device did not recognize it but did say new hardware.

    2. Flashing through HBOOT. We did couple of check with filename PJ46IMG.zip. We managed to get the boot loader to read the files, some files did flash and other stopped at security check. We tried a modified diag file, we succeeded to let it load, but got canceled on CID check. So we now have found a way to flash to the boot loader but need something to bypass the security check. If we bypass the security check, the modified diag file will be able to load, and we be able to reset security. What gives us S-OFF and LOCKED again!
    Proof is in the attachment.

    3. Downgrading did work, but not possible because of version check. When S-OFF you will be able to downgrade.

    Setup:
    You need to relock boot loader and be on stock rom again, or else it won't work.
    Phone, Y Cable, Cardreader, Microsdcard, PJ46IMG.zip

    Will add a huge summary on post #1 after we finish dinner.
    View
    62
    orb3000
    orb3000
    .

    Closed until xmoo wants to re open
    View
    60
    xmoo
    xmoo
    FAQ.
    What is S-OFF?
    S-OFF stands for Security-OFF
    S-OFF means that the NAND portion of the device is unlocked and can be written to. The default setting for HTC’s devices is S-ON, which means that neither can you access certain areas of the system nor can you guarantee a permanent root. Furthermore, signature check for firmware images is also ensured by the S-ON flag.

    What has already been done?
    -Tried flashing DIAG file, but with no success. File needs SuperCID.
    -Tried flashing ENG HBOOT as zip file, but with no success. File needs SuperCID.
    -Tried flashing modified DIAG file, but with no success. File needs SuperCID.
    -Tried flashing modified HBOOT as zip file, but with no success. Signature check failed.
    -Tried creating a Goldcard, but won't work. The Goldcare is for Qualcomm devices.
    -Root while phone is LOCKED, won't work. Only will work on the Qualcomm One X and One XL.
    -Ask the Chineese guy with the S-OFF tool. Won't share, cause he needs his money.
    -Tried flashing files over recovery, but with no success.
    -Tried flashing TETS and MFG ROMs, but with no success. Phone needs S-OFF because the ROMS are not sighned.
    -Tried changing CID, but won't work. Only will work on the Qualcomm One X and One XL.
    -Tried commands over ADB, but with no success.
    -Tried XTC clip, won't work.

    How Do I Know If My Device Is S-ON Or S-OFF?
    That is easy to verify. Simply boot into HBOOT (bootloader) on your device, and the text on top will show the flag status as either S-OFF or S-ON. A full root generally means S-OFF.
    s-off.jpg


    S-OFF – What And Why?
    HTC have installed a sort of security check whose level is determined by S-OFF/S-ON. Essentially, this security level is a flag stored on the device’s radio that checks signature images for any firmware before it is allowed to be written to system memory. This hinders using any custom ROMs, splash images, recovery etc., and also restricts access to the NAND flash memory. However, when security level is set to S-OFF, the signature check is bypassed, allowing a user to upload custom firmware images, unsigned boot, recovery, splash and HBOOT images, as well as official firmware that has been modified, this enabling maximum customization of your HTC Android device.

    Furthermore, S-OFF also reduces restrictions on accessing the NAND flash memory on the device, allowing all partitions (including /system) to be mounted in write mode while the operating system is booted.

    Where is it located?
    Don't know yet, here are the partitions.

    How can I flash through SD?
    Tutorial added here!

    What HBOOT status have we seen so far?
    ENDEAVORU PVT SHIP S-ON RL
    ENDEAVORU PVT SHIP S-OFF RL
    ENDEAVORU PVT ENG S-OFF RL
    ENDEAVORU XE ENG S-OFF RH
    ENDEAVORU PVT MFG RH
    ENDEAVORU XE SHIP S-OFF RH
    ENDEAVORU UNKNOWN ENG S-OFF RH

    Partition list for One X with all addresses and lengths of partitions
    Football share the full list which can be found here.

    How does HTC do it?
    They do it with a smartcard/javacard/goldcard (What ever you want to call it) in combination with the DIAG file. Proof is in the attachment.
    View

New posts