Goal: S-off HOX (TEGRA3)


Lloir

Inactive Recognized Developer
Mar 23, 2009
6,236
8,029
Samsung Galaxy Note 8 (2017 Phone)
Hey guys, as I said above, I want to get the HOX+ S-off'd (and maybe the HOX if it's not already, not checked). If anyone has ideas and so on, run through them on this thread :) Let's get this ball rolling!!

Moderator Warning

Keep discussions specific to the goal of getting S-off on the device. All other discussions will be deleted.
 

nitrous²

Senior Member
Jun 4, 2010
1,741
1,005
The Grid
HTC One X+ info will be adapted to this as soon as possible.

Names for the devices are:

Model ID: PM35110
Model Name: S728e
aka One X+

Model ID: PJ46100
Model Name: S720e
aka One X


So as the title says, we're facing the problem of not having S-OFF yet, although the One X (S720e) was released nine months ago. The One X+ is newer, but since it has the same processor family, it belongs to this project. It's possible to unlock the bootloader via HTCdev, but it doesn't give us S-OFF. The unlock via HTCdev gives us only partial control over bootloader and recovery. Since its release date, some great devs including Xmoo, Football, Mike1986 and more have tried to disable the security check, unfortunately without a solution for the masses. Also the One X+ (S728e) is relatively new on the market, so THIS is maybe the first thread in the world regarding S-OFF on the S728e. Unlike on other HTC phones, on which hardware solutions like the XTC-Clip or software solutions like revolutionary or any similar software did the job, on the One X they're not going to work. At the moment the only known method is the official HTC way.

Ways to set the devices S-OFF
[Image: Ways to set the S720e S-OFF]


--------------DIAG + JAVCARD Route--------------

Info I could gather. At the moment this info is only valid for the S720e:

Basically you need adb (Android SDK) before proceeding.

[WITH ROOT ACCESS]
[+] Dump/copy boot.img
Code:
Command prompt :
> adb shell
> su
> dd if=/dev/block/mmcblk0p4 of=/sdcard/boot.img
More partitions/images available to dump. Will update later.

[WITHOUT ROOT ACCESS]
Currently only /system is usable

1) Android SDK (just need adb)
2) Download busybox
3) Command prompt :
> adb push busybox /data/local/busybox
> adb shell
> cd /sdcard/
> chmod 755 /data/local/busybox
> /data/local/busybox tar cvf sysdump.tar /system
4) Ignore 'tar: error exit delayed from previous errors'. The dump is done correctly.

----------------------------------------------------------------------

Just finished dumping my semi-virgin One X system partition from the SEA WWE stock ROM :D.
The file would be OneX_SEA_WWE_1.26.707.2_SYSTEM_DUMP.zip 558.3 MB :eek:


Radio location (the radio module on the S720e is an Intel X-Gold 626 chip [XMM6260]) (xmoo's post: Radio). Documentation of the radio chip and direct download:
xmoo said:
Mike found out Radio is probably: \system\etc\QUO_6260.fls.clean
7.96MB

Commands located in QUO_6260.fls.clean
CALIB_NVM
DYNAMIC_NVM
STATIC_NVM
SEC_DATA
PSI_RAM

If I could believe the following:
Found the same commands in a datasheet: "MSM3000 Qualcomm, Inc. MOBILE STATION MODEM"
http://www.datasheetarchive.com/MSM3000-datasheet.html

So guess we got the Radio located!

Possible Hboot location (blubber's post Hboot):
blubber said:
xmoo said:
How do you know this?

/EBT does not exist on my phone.


mmcblk0p2 -> /dev/block/platform/sdhci-tegra.3/by-name/WDM
mmcblk0p16 -> /dev/block/platform/sdhci-tegra.3/by-name/DUM
mmcblk0p17 -> /dev/block/platform/sdhci-tegra.3/by-name/MSC
mmcblk0p20 -> /dev/block/platform/sdhci-tegra.3/by-name/PDT

Of course it does not exist, as I have written a few times before!
It is not accessible with a stock kernel!

I know it is there:


Code:
130|root@android:/ # hexdump -C /dev/block/mmcblk0|grep EBT                    
000000e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|

and the EBT partition does contain the bootloader!


CID Check needs to be bypassed (xmoo's post CID check)
xmoo said:
Guys, the diag files have "CIDNUM: 11111111" in it.
Can't change it cause the file gets corrupted.
So only way to boot it up is by passing the CID check.

This is where the Smartcard or Goldcard comes in.
We tried the one from http://psas.revskills.de/?q=goldcard with no success.
I remember for some devices you had to change 00 to 11, or something like that.
Maybe this has to be done for this device as well. Also I remember something about SDHC cards not being supported, or they are... it's been a long time ago.
So your help is needed.

Create a goldcard which works.

Remember to test it like this: http://xdaforums.com/show....php?t=1714056

Thank you.

Partition list (Football's post Partition list)
Football said:
After intensive digging in some stuff I have found this. This is whole partition list for One X with all addresses and lengths of partitions...
Code:
[partition]
name=BCT
id=2
start_location=0x00
size=0x400000

[partition]
name=PT
id=3
start_location=0x400000
size=0x200000

[partition]
name=EBT
id=4
type=bootloader
start_location=0x600000
size=0x400000

[partition]
name=DIA
id=5
type=bootloader
start_location=0xA00000
size=0x400000

[partition] (Board Information)
name=BIF
id=6
start_location=0xE00000
size=0x200000


[partition]
name=GP1
id=7
start_location=0x1000000
size=0x200000

### WLAN firmware ###
[partition]
name=WLN
id=8
start_location=0x1200000
size=0x600000
#filename=wlan.img

### WLAN Data + MFG Data ###
[partition]
name=WDM
id=9
start_location=0x1800000
size=0x200000
filename=WDM.img

### Radio Calibration Data ###
[partition]
name=RCA
id=10
filesystem_type=ext3
start_location=0x1A00000
size=0x600000

### Linux Kernel OS ###
[partition]
name=LNX
id=11
start_location=0x2000000
size=0x800000
filename=boot.img

### Recovery ###
[partition]
name=SOS
id=12
start_location=0x2800000
size=0x800000
filename=recovery.img

### PG1FS ###
[partition]
name=PG1
id=13
start_location=0x3000000
size=0x1000000

### PG2FS ###
[partition]
name=PG2
id=14
start_location=0x4000000
size=0x1000000

### PG3FS ###
[partition]
name=PG3
id=15
start_location=0x5000000
size=0x1000000

### Software Info ###
[partition]
name=SIF
id=16
start_location=0x6000000
size=0x400000
filename=SIF.img

### Splash1 ###
[partition]
name=SP1
id=17
start_location=0x6400000
size=0x400000

### Reserve1 ###
[partition]
name=RV1
id=18
start_location=0x6800000
size=0x1C00000

### System ###
[partition]
name=APP
id=19
filesystem_type=ext3
start_location=0x8400000
size=0x50000000
filename=system.img

### Cache ###
[partition]
name=CAC
id=20
filesystem_type=ext3
start_location=0x58400000
size=0x14000000

### Internal SD ###
[partition]
name=ISD
id=21
start_location=0x6C400000
size=0x650000000

### Userdata ###
[partition]
name=UDA
id=22
filesystem_type=ext3
start_location=0x6BC400000
size=0x89400000
filename=userdata.img

### Memory dump ###
[partition]
name=DUM
id=23
start_location=0x745800000
size=0x200000


### MISC Partition ###
[partition]
name=MSC
id=24
start_location=0x745A00000
size=0x200000

### Radio File System ###
[partition]
name=RFS
id=25
start_location=0x745C00000
size=0x600000


### Develop Log ###
[partition]
name=DLG
id=26
start_location=0x746200000
size=0x1600000

### PDATA for MASD ###
[partition]
name=PDT
id=27
start_location=0x747800000
size=0x200000

[partition]
name=GPT
id=28
type=GPT
start_location=0x747A00000
#size=0xFFFFFFFFFFFFFFFF
size=0x200000


Mike1986's Partition Info (mike1986's post One X Partition Info)
This thread's content might brick your device.
This is not a ROM thread, so I'm not going to answer again and again and again the same questions over and over and over again.
You can't read - quit this thread now. You can read but you can't understand more or less simple things - quit as well.
You can read and you understand things, but you are too lazy to read the whole thread before asking the question - watch this first. And quit.

This is what we know so far:

[Image: Partitions1.png]


Some conclusions:

1. It's very nice to see that finally someone separated "internal sd card" from userdata partition. So it's no longer linked to /data/media, as it used to be on Asus Transformer, Transformer Prime, Galaxy Nexus etc. but it's a separate partition now - mmcblk0p14. Basically the biggest benefit from that is that now formatting userdata partition will no longer erase virtual sd card content.
2. It seems that NFC and WLAN deep settings are stored on separate partitions: mmcblk0p1 (wlan) and ? (NFC).
3. There is a 5th PHYSICAL core, but it's invisible to the system. Android only sees the 4 main cores. The 5th companion core is not controlled by Android. Tegra 3 architecture itself handles the load balancing between the main cores and the companion core. (Thanks to Diamondback)
4. There is no radio.img in current RUUs.


Download firmware for HTC One X (PJ4610000)

Firmware from 1.28.401.9 RUU
--- MD5 checksum: 83375DF988C86E92417AA8949012A1C2 *PJ46IMG.zip ---

Supported devices:
--- CIDs added by user request are marked in green ---
cidnum: HTC__001
cidnum: HTC__E11
cidnum: HTC__203
cidnum: HTC__Y13
cidnum: HTC__102
cidnum: HTC__405
cidnum: HTC__304
cidnum: HTC__032
cidnum: HTC__J15
cidnum: HTC__A07
cidnum: HTC__016
cidnum: HTC__M27

Why it's better than a full RUU:

1. It doesn't contain stock recovery
2. It doesn't contain stock, non rooted system
3. It doesn't contain secured boot.img
4. It won't wipe your data partition
5. It's much smaller :D

PJ46IMG.zip content: [UPDATE: 25.03.2012]

android-info.txt - updated [20.04.2012]
bct.img - updated [25.03.2012]
rcdata.img - updated [20.04.2012]

How to flash:

1. Check your CID using fastboot getvar cid and MID using fastboot getvar mid
2a. If your CID and MID are supported by default, navigate to point 3.
2b. If your CID or MID is not supported by default, do this: (you do it at your own risk)
2c. Open PJ46IMG.zip (don't extract it)
2d. Open android-info.txt in text editor
2e. Add your cidnum: or modelid: to the list, save file and close archive
3. Place PJ46IMG.zip on your SD card
4. Boot your device holding power button + vol down button
5. Follow instructions on the screen

Additional information:

1. Flash above firmware at your own risk!
2. It's recommended to flash it before flashing custom ROM based on proper RUU!
3. Unlocking via htcdev.com will change your CID number into "none".

4. RUU variants:
x.xx.61.x - Orange UK (United Kingdom)
x.xx.75.x - Orange ES (Spain)
x.xx.110.x - T-Mobile UK (United Kingdom)
x.xx.111.x - T-Mobile DE (Germany)
x.xx.112.x - T-Mobile AT (Austria)
x.xx.114.x - T-Mobile NL (Netherlands)
x.xx.118.x - T-Mobile PL (Poland)
x.xx.161.x - Vodafone UK (United Kingdom)
x.xx.166.x - Vodafone CH-DE (Switzerland - Germany)
x.xx.163.x - Vodafone FR (France)
x.xx.169.x - Vodafone AT (Austria)
x.xx.206.x - O2 UK (United Kingdom)
x.xx.207.x - O2 DE (Germany)
x.xx.401.x - World Wide English
x.xx.707.x - Asia WWE (World Wide English)
x.xx.720.x - Asia India
x.xx.771.x - Hutchison 3G UK (United Kingdom)
x.xx.862.x - Voda-Hutch AU (Australia)
x.xx.980.x - Optus AU (Australia)
x.xx.1400.x - HTC China

Please post here your findings, thoughts or experience after flashing the images listed above.



Mike1986's addition (mike1986's post Addition)
mike1986 said:
Something more:

/system/etc/Flash_Loader.conf

boot_port_name=/dev/ttyACMX0
fw_download_port_name=/dev/ttyACMX0
baudrate=921600
BootTimeOut=3000
CommTimeOut=1000
eep_normal_mode=m
file_name=/data/modem_work/QUO_6260.fls
#file_name=QUO_6260.fls
#file_name=XMM6260_SIC.fls
#log_fname=/dev/null
log_fname=/data/modem_work/Flash_Loader.log
also

\system\bin\poweron_modem_fls.sh

Line 55: /system/bin/InjectionTool -i ${backup_dir}/QUO_6260.fls.clean -o ${Injected_dir}/QUO_6260.fls -n ${work_dir} -s ${sec_dir}
and

\system\bin\poweron_modem_hboot.sh

Line 50: /system/bin/InjectionTool -i ${backup_dir}/QUO_6260.fls.clean -o ${Injected_dir}/QUO_6260.fls -n ${work_dir} -s ${sec_dir}
And from flash_loader.log

Start downloading item 'CODE:../HW/XMM6260_V2_USB-HSIC_FLASHLESS_EDE_1.0/MODEM_DEBUG/QUO_6260.fls'' from file '/data/modem_work/QUO_6260.fls


This is how HTC does it:


My attempt (tried also on locked bootloader with the same output)




Things you'll need for this trick:

- USB OTG-Y-Cable. You can also build your own with this guide : How to make external powered OTG Cable
- USB SD Cardreader
- MicroSD Javacard (if you can bypass the CID check, the Javacard is not needed). Xmoo said this one is used by HTC: GO-Trust® Secure microSD Java. It costs 980 US Dollars together with the SDK. Also, even if you have the Javacard you have to build the application environment.
- 5V+ power supply (standard wall charger)
- PJ46DIAG.zip = clean S58 Data program specifically for the S720e/S728e. The correct DIAG has to have a size of 964 kB or 941 kB and must contain the string "clean s58...", which can be checked with hexedit or any similar hex editor.

The procedure:

1. Put PJ46DIAG.zip on the Secure MicroSD Javacard
2. Plug it into the USB SD Cardreader
3. Plug the Cardreader into the female end of USB OTG-Y-Cable
4. Plug the OTG-Y-Cable into the USB port of the phone
5. Plug the cable onto the power supply
6. Reboot into bootloader
7. Once in the bootloader the file will be loaded by the phone and you'll land in the S58 menu. Clean S58 Data and you've successfully set your device S-Off

And here's the problem with this method. 1. A Javacard is really hard to get. I've never seen one, no one I know has ever seen one :D 2. The Diag file can't be leaked. The ones I've attached here are useless, as Xmoo said and maybe proved. I have attached them though, so anyone interested and willing to help can investigate them.

As we know, the Diag files for the One X can't be leaked. They're spread to chosen HTC repair centres, so a leak will easily be traced back. This would bring the affected people into some serious trouble. But this is interesting. These guys over on pdacentre use the official method. It's suspicious, kind of. For now, this is the only known method. It costs around 2000 rubles (65€ | 85$) + shipping depending on your location. Of course this isn't an appropriate solution. Another thing: why do we need a Javacard? Well, because the DIAG files will only work on devices with SuperCID (11111111), not on a normal CID (HTC__XXX). So another way is to bypass the CID check.


Rough diagram of a Javacard
[Image: diagram_v21.jpg]

Copyright © 2011 GOTrust Technology Inc., All rights reserved.



TOOLBOX
The DIAG files I've linked don't have any function except superwipe. They're only meant to be used as a test file to check if we can load such DIAG files:

How do I know that I have the correct DIAG file?
The clean DIAG has a size of 964 kB or 941 kB. Or look at the image above: if your DIAG is named like them, it could also be the correct one. But to be really sure, do the following:
Download any hex editor you can get. Open the DIAG file with the hex editor and search for keywords like "clean" and "s58". If you find these two strings in the DIAG file, it could be the correct one. We'd appreciate it if you could upload the file.

[Image: the "clean s58" string in the hex editor]

Known and working DIAG files for the One X




What's already been done:

xmoo said:
13-04-2012 XDA.CN releases pictures showing someone has successfully S-OFF'd his device. Tool is for sale here: http://item.taobao.com/item.htm?id=10824156715
17-04-2012 Thread made.
17-04-2012 We have found someone with a S-OFF device, and a newer HBOOT than the one from XDA.CN. Trying to get access to the HBOOT.
18-04-2012 OTA 1.28 brings HBOOT 0.94.
18-04-2012 New member with a S-OFF device is willing to help.
[Image: s-off-hboot_HOX.JPG]

19-04-2012 HBOOT 0.43 S-OFF rfs.img received and uploaded.
19-04-2012 RFS.img is not the correct file, searching continues...
19-04-2012 Radio located, click here
26-04-2012 HBOOT probably located here
15-05-2012 NVFlash app + APX Drivers added
12-06-2012 Tegra 3 Manual added, see here!
16-06-2012 HBOOT 1.11 from the test-keys uploaded here!
16-06-2012 Huge development, read more about it!
18-06-2012 Need to find a way to by-pass CID check.
19-06-2012 Football Partition list for One X with all addresses and lengths of partitions which can be found here.
27-06-2012 Huge thread clean-up and update.
04-07-2012 Had the chance to play with a S-OFF device, read more about it here! ENG HBOOT which is used in test, is located here.
09-07-2012 Javacard with DIAG will work, but won't be a good solution cause no one got a legit Javacard and the DIAG files can't be leaked!
14-07-2012 Video added which shows the Javacard with DIAG method. Video can be found here.
14-07-2012 The ENG HBOOT 0.03 that Football uploaded lost its sign. I re-uploaded it and re-checked the file and it should be good now. You can find the new .zip here.

FAQ.
What is S-OFF?
S-OFF stands for Security-OFF
S-OFF means that the NAND portion of the device is unlocked and can be written to. The default setting for HTC’s devices is S-ON, which means that neither can you access certain areas of the system nor can you guarantee a permanent root. Furthermore, signature check for firmware images is also ensured by the S-ON flag.

What has already been done?
- Tried flashing DIAG file, but with no success. File needs SuperCID.
- Tried flashing ENG HBOOT as zip file, but with no success. File needs SuperCID.
- Tried flashing modified DIAG file, but with no success. File needs SuperCID.
- Tried flashing modified HBOOT as zip file, but with no success. Signature check failed.
- Tried creating a Goldcard, but won't work. The Goldcard is for Qualcomm devices.
- Root while phone is LOCKED, won't work. Will only work on the Qualcomm One X and One XL.
- Asked the Chinese guy with the S-OFF tool. Won't share, because he needs his money.
- Tried flashing files over recovery, but with no success.
- Tried flashing TEST and MFG ROMs, but with no success. Phone needs S-OFF because the ROMs are not signed.
- Tried changing CID, but won't work. Will only work on the Qualcomm One X and One XL.
- Tried commands over ADB, but with no success.
- Tried XTC clip, won't work.

How Do I Know If My Device Is S-ON Or S-OFF?
That is easy to verify. Simply boot into HBOOT (bootloader) on your device, and the text on top will show the flag status as either S-OFF or S-ON. A full root generally means S-OFF.
[Image: s-off.jpg]

S-OFF – What And Why?
HTC have installed a sort of security check whose level is determined by S-OFF/S-ON. Essentially, this security level is a flag stored on the device's radio that checks the signature of any firmware image before it is allowed to be written to system memory. This hinders using any custom ROMs, splash images, recovery etc., and also restricts access to the NAND flash memory. However, when the security level is set to S-OFF, the signature check is bypassed, allowing a user to upload custom firmware images, unsigned boot, recovery, splash and HBOOT images, as well as official firmware that has been modified, thus enabling maximum customization of your HTC Android device.

Furthermore, S-OFF also reduces restrictions on accessing the NAND flash memory on the device, allowing all partitions (including /system) to be mounted in write mode while the operating system is booted.

Where is it located?
Don't know yet, here are the partitions.

How can I flash through SD?
Tutorial added here!

What HBOOT status have we seen so far?
ENDEAVORU PVT SHIP S-ON RL
ENDEAVORU PVT SHIP S-OFF RL
ENDEAVORU PVT ENG S-OFF RL
ENDEAVORU XE ENG S-OFF RH
ENDEAVORU PVT MFG RH
ENDEAVORU XE SHIP S-OFF RH
ENDEAVORU UNKNOWN ENG S-OFF RH

Partition list for One X with all addresses and lengths of partitions
Football shared the full list, which can be found here.

How does HTC do it?
They do it with a smartcard/javacard/goldcard (What ever you want to call it) in combination with the DIAG file. Proof is in the attachment.



--------------Alternative APX MODE Route--------------


Hey guys,

Please stop PM'ing me about APX Mode. I get like 10 PM's a day.

How to get in
Nobody really knows. The most common way has been pressing volume up and down together while the device is off and then plugging in USB while connected to a computer.

How to get out
When your device is in APX Mode, HTC fixes it in repair. Someone here on XDA PM'd me with this video and said it should work: http://www.youtube.com/watch?v=rsnl_LIgzt0
I have not tried it myself, so just give it a try and share with the rest.

All the other discussions about APX can be done here, please stop pm'ing me.
Thank you!


Alright Folks! TripNRaVer has made something rudimentary, awesome, fascinating...words can't describe....Work!! Here You go, APX DRIVERS FOR THE ONE X




For those of you that are in APX Mode or want to mess with APX here is the modified driver for the One X.

Now you have access to the device again through USB.

Todo:
- Plug the USB cable into the HOX
- Goto device manager
- Search for APX or Unknown device or whatever it is listed
- Choose update driver
- Choose manually select driver
- Select the folder where you extracted the zip file
- Install drivers

Use nvflash to gain access to the device again.

Download:
http://tripndroid.bindroidroms.com/TripNDroid-HOX-APX-Driver.zip

Nvflash:
- Use the nvflash binary to gain access to the device
- Including flash.cfg for endeavoru to use with nvflash.exe
- Including a bct file

http://tripndroid.bindroidroms.com/tripndroid_nvflash.zip






PLEASE read on the threads I've linked, before you start discussion. People really did some great development.
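
To put Football's partition list (quoted in the post above) to use, here is an added Python example, not code from the thread or from any of the posters: it parses the nvflash-style [partition] stanzas, checks that the entries tile the eMMC with no gap or overlap, and derives the mmcblk0pN node the stock kernel exposes. The "id minus 7" mapping is my inference from blubber's by-name links (WDM id 9 is mmcblk0p2, DUM 23 is p16, MSC 24 is p17, PDT 27 is p20) and mike1986's notes (WLN is p1, ISD is p14); the embedded SAMPLE is an excerpt of the first ten entries so the script runs offline.

```python
# Added example (not from the thread): parse Football's "[partition]" stanzas, check they
# tile the eMMC without gap or overlap, and derive the mmcblk0pN node a stock kernel
# exposes. ASSUMPTION: mmcblk0pN = id - 7 for id >= 8 (inferred from blubber/mike1986 posts).

# Excerpt of Football's list (first ten entries), embedded so this runs offline.
SAMPLE = """\
[partition]
name=BCT
id=2
start_location=0x00
size=0x400000
[partition]
name=PT
id=3
start_location=0x400000
size=0x200000
[partition]
name=EBT
id=4
type=bootloader
start_location=0x600000
size=0x400000
[partition]
name=DIA
id=5
start_location=0xA00000
size=0x400000
[partition] (Board Information)
name=BIF
id=6
start_location=0xE00000
size=0x200000
[partition]
name=GP1
id=7
start_location=0x1000000
size=0x200000
### WLAN firmware ###
[partition]
name=WLN
id=8
start_location=0x1200000
size=0x600000
#filename=wlan.img
[partition]
name=WDM
id=9
start_location=0x1800000
size=0x200000
[partition]
name=RCA
id=10
start_location=0x1A00000
size=0x600000
[partition]
name=LNX
id=11
start_location=0x2000000
size=0x800000
filename=boot.img
"""

FIRST_EXPOSED_ID = 8  # WLN -> mmcblk0p1; lower ids get no block node on a stock kernel (assumption)

def parse_partitions(text):
    """One dict per [partition] stanza, in file order; id/start/size become ints."""
    parts, cur = [], None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # '### x ###' and '#filename=' are comments
        if not line:
            continue
        if line.startswith('[partition]'):  # may carry a note, e.g. '(Board Information)'
            cur = {}
            parts.append(cur)
        elif cur is not None and '=' in line:
            key, val = (s.strip() for s in line.split('=', 1))
            cur[key] = int(val, 0) if key in ('id', 'start_location', 'size') else val
    return parts

def block_device(part):
    """mmcblk0pN for this entry, or None when the stock kernel does not expose it."""
    if part['id'] < FIRST_EXPOSED_ID:
        return None
    return 'mmcblk0p%d' % (part['id'] - FIRST_EXPOSED_ID + 1)

def layout_errors(parts):
    """Gap/overlap findings between address-ordered neighbours; [] means contiguous."""
    errors = []
    ordered = sorted(parts, key=lambda p: p['start_location'])
    for a, b in zip(ordered, ordered[1:]):
        end = a['start_location'] + a['size']
        if end < b['start_location']:
            errors.append('gap 0x%X after %s' % (b['start_location'] - end, a['name']))
        elif end > b['start_location']:
            errors.append('%s overlaps %s' % (a['name'], b['name']))
    return errors

if __name__ == '__main__':
    for p in parse_partitions(SAMPLE):
        print(p['name'], hex(p['start_location']), hex(p['size']), block_device(p) or '(hidden)')
    print('layout:', layout_errors(parse_partitions(SAMPLE)) or 'contiguous')
```

Feeding the full list from Football's post instead of SAMPLE gives the same contiguous result, with EBT and the other entries below WLN reported as hidden.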
 

nitrous²

Senior Member
Jun 4, 2010
1,741
1,005
The Grid
My HOX will be S-OFF soon, got access to a Java white card to S-OFF in seconds..

Sent from my HTC One X using xda app-developers app

Well, do you have the correct diag file? And do you have HTC's private key to sign the Javacard? You have to be more specific otherwise your post isn't helping us in ANY way...I accidentally hit the thx button, don't be smug.
 

bobcoenen

Member
Dec 23, 2007
27
8
Yes my friend has the diag file, his HOX is already S-OFF. I will try to post a screenshot next week when mine is done. I'm not trying to be smug ;)

Sent from my HTC One X using xda app-developers app

---------- Post added at 07:50 PM ---------- Previous post was at 07:46 PM ----------

The S-OFF process is done with a Y-cable with a card reader and a USB charger on the other end. From what I understood, the Java card is very rare.



Sent from my HTC One X using xda app-developers app
 

nitrous²

Senior Member
Jun 4, 2010
1,741
1,005
The Grid
Well, I've been on HTC since I passed on to Android and every HTC device has got S-OFFed 2 or 3 months later from day one... I don't think this will happen, unfortunately. I really believed in this but now it is time to be realistic. :(

You know that there's NO hardware or software which isn't vulnerable or which hasn't got an exploit, don't you? No need to be pessimistic or realistic :D If we keep staying constructive and productive, somehow this will be done ;) Call me a dreamer, but... let's just try to give our best, ok? This would be fine. I just think the One X hasn't got the attention it actually deserved. Its release date was too close to the release of the GS3. HTC's great devs are mostly familiar with Qualcomm processors. Never before have they worked with a Tegra 3 processor. The available Tegra 3 devices (Asus TFXXX[T]) don't have the problem with S-Off/On; it's enough for them to be unlocked. So none of the devs who managed bootloader unlock on these Tegra devices faced this problem. This and many other avoidable reasons caused the lack of development and it's surely one of the reasons why we didn't get S-OFF yet.
 

nitrous²

Senior Member
Jun 4, 2010
1,741
1,005
The Grid
I've succeeded in overwriting the CID. Just used the count= parameter for the dd command (block size = 512 B).
I've replaced my CID with another one. Disconnected, connected, performed a test readout. The CID string is changed.
Unfortunately it looks like it is backed up somewhere and checked at start-up.
Because after rebooting my CID is back.
Tested 2 times. After changing - I can read it. After reboot it is back to original one.

Does anyone have any other ideas of changing CID and/or S-ON/OFF ?
Link to original Thread.

I messaged him to ask how he did it. That was a week ago and he hasn't answered until now. My idea was to do this and try to load PJ46DIAG.zip without rebooting. As you know, if you have SuperCID you don't need a Javacard. Even if I don't have the correct DIAG, at least we'd have a way to load the DIAG until the correct one is out... somehow...
 

singcheng

Senior Member
Feb 17, 2008
187
33
Singapore
S-OFF via hboot upgrade

TRY AT YOUR OWN RISK. NOT VERIFIED.

I found an article HERE for S-OFF via HBOOT upgrade. I don't have a CID HTC_621 (Taiwan) so I can't try it. Nor can I verify its reliability.

I briefly translate it into English:
My One X (CID HTC_621, hboot 0.94 or 0.95 can't remember the exact version) hboot has to be upgraded to flash Android 4.1.1 so I did a manual upgrade of hboot to 1.31. At the end of the upgrade, I discovered by chance that my One X is now S-OFF. I did a trial by flashing new ROM without flashing boot.img and it works.

So, this S-OFF is done via manual hboot upgrade (for HTC_621) to 1.31. Do not attempt on other CID One X.

Below is the step-by-step procedures:
1. Download RUU for Asia_Taiwan (2.17.709.2 or 2.18.709.x) and Endeavoru_CustomRUU. Make sure One X is locked, go into fastboot and connect to USB. Unzip the Endeavoru_CustomRUU to somewhere. Rename the Official RUU zip to "rom.zip" and put inside the folder of the unzipped Endeavoru_CustomRUU. Run ARUWizard.exe.
2. Make sure the following is run in Windows XP. You will get stuck under Windows 7. Make sure all HTC drivers are installed.
3. Download JBFW here and Asia_Taiwan 3.14 OTA here. Unzip the JBFW and the OTA package. Copy the firmware.zip (from OTA package) and the Unlock_code.bin (obtained from htcdev.com) into the JBFW folder.
4. Go into fastboot USB mode, run JBFWFlasher.bat. It will say to put the Unlock_code.bin and custom boot file into the folder (this was done in Step 3 above), and warn that this is for certain CIDs only. I ignored this and clicked NEXT NEXT NEXT until it was done.
These are the steps I used to obtain (unexpectedly) S-OFF. This is what I want to share and hope you guys get S-OFF soon.

TRY AT YOUR OWN RISK. Neither the author nor I will be responsible for your device.
 

00Ghz

Guest
singcheng said:
TRY AT YOUR OWN RISK. NOT VERIFIED.

I found an article HERE for S-OFF via HBOOT upgrade. I don't have a CID HTC_621 (Taiwan) so I can't try it. Nor can I verify its reliability.

I briefly translate it into English:

TRY AT YOUR OWN RISK. Neither the author nor I will be responsible for your device.

Read somewhere that the diag file can't be leaked because it will be traced back to the guy who leaked it. Now can we get it and make our own diag file based on it?
 

lenthele

Senior Member
Nov 24, 2010
311
37
hboot

Hey Guys!
Dunno if it's worth much, but I downloaded the ENG HBoot file you linked in the first post, opened it in a hex editor and poked around a little bit. I found this:
Code:
Settings memory area 10B 00 01 00 Disable patches 0A 00 01 00 Settings memory area 2 Settings memory area 2 first Settings memory area 2 second Settings memory area 2 third 0B 00 01 01 Settings memory area 3 Flash Code memory area 0B 00 01 02 
Patch Code memory area 0B 00 01 03 Enable  patches 0A 00 01 01 Final Integrity check 0B 00 01 FF%d: SD init
%d: SD init fail !!!%d:SD FAT32 init OK Checking key-card...Checking key-card...
%d: Not key-card !!!%d: Key-card DMCID.dat Open '%s' file success !!!
hFile = 0x%x, file_size = 0x%x
Read '%s' (%d != %d B)
AT@CID=0: Change CID to '%s'4: Change CID to '%s'Alloc data buffer failOpen '%s' file fail###[ End CDMA Cust Mode ]###

It looks like that's the part where it checks for a "key-card". Probably this Java Card??
 

nitrous²

Senior Member
Jun 4, 2010
1,741
1,005
The Grid
That's well known. With an ENG bootloader you can do whatever you want, including CID changes.


Hexdump of the EBT partition, where HBOOT is possibly located. As Football said, on a stock kernel this partition is somehow hidden. Even on hboot 1.36.

Code:
u0_a269@android:/ $ su
u0_a269@android:/ # hexdump -C /dev/block/mmcblk0|grep EBT
000000e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000000f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000010e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000010f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000020e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000020f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000030e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000030f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000040e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000040f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000050e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000050f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000060e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000060f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000070e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000070f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000080e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000080f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000090e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000090f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0000a0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0000a0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0000b0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0000b0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0000c0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0000c0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0000d0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0000d0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0000e0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0000e0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0000f0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0000f0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000100e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000100f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000110e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000110f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000120e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000120f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000130e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000130f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000140e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000140f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000150e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000150f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000160e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000160f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000170e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000170f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000180e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000180f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000190e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000190f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0001a0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0001a0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0001b0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0001b0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0001c0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0001c0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0001d0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0001d0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0001e0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0001e0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0001f0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0001f0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000200e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000200f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000210e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000210f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000220e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000220f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000230e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000230f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000240e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000240f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000250e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000250f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000260e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000260f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000270e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000270f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000280e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000280f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000290e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000290f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0002a0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0002a0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0002b0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0002b0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0002c0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0002c0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0002d0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0002d0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0002e0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0002e0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0002f0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0002f0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000300e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000300f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000310e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000310f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000320e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000320f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000330e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000330f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000340e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000340f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000350e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000350f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000360e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000360f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000370e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000370f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000380e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000380f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000390e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000390f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0003a0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0003a0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0003b0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0003b0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0003c0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0003c0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0003d0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0003d0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0003e0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0003e0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0003f0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0003f0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000400e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000400f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000410e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000410f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000420e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000420f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000430e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000430f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000440e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000440f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000450e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000450f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000460e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000460f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000470e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000470f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000480e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000480f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000490e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000490f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0004a0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0004a0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0004b0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0004b0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0004c0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0004c0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0004d0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0004d0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0004e0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0004e0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0004f0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0004f0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000500e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000500f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000510e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000510f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000520e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000520f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000530e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000530f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000540e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000540f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000550e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000550f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000560e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000560f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000570e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000570f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000580e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000580f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000590e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000590f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0005a0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0005a0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0005b0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0005b0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0005c0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0005c0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0005d0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0005d0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0005e0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0005e0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0005f0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0005f0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000600e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000600f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000610e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000610f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000620e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000620f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000630e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000630f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000640e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000640f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000650e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000650f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000660e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000660f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000670e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000670f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000680e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000680f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
000690e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000690f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0006a0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0006a0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0006b0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0006b0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0006c0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0006c0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0006d0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0006d0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0006e0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
0006e0f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
0006f0e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|


xxx....

these are the partitions seen by the OS:
Code:
APP CAC DLG DUM ISD LNX MSC PDT PG1 PG2 PG3 RCA RFS RV1 SIF SOS SP1 UDA WDM WLN

none of these partitions contain the hboot!


these are the partitions actually on the eMMC:

Code:
APP BCT BIF CAC DIA DLG DUM EBT GP1 GPT ISD LNX MSC PDT PG1 PG2 PG3 PT RCA RFS RV1 SIF SOS SP1 UDA WDM WLN
so, you won't be able to access the hboot partition (not even on an S-off device) without a bit of work ;)
 
Last edited:
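To make the point of the post above checkable offline, here is an added example (not code from the thread or from any poster) that parses `hexdump -C` output of the kind shown, pulls out the NUL-terminated three-letter partition names, and diffs the two partition lists the post gives. The sample dump lines are constructed: the first two are copied from the EBT rows above, the third (a DIA record) is made up to look like them. The `id_word` field is simply the 32-bit little-endian word in front of the name; that it is a partition id is my assumption, noted because it reads 4 before EBT, which is the id the partition list posted earlier in the thread gives EBT.

```python
"""Recover partition names from a `hexdump -C` dump of an eMMC and compare them with
the names the OS exposes. Added example; not code from the thread."""
import re
from collections import defaultdict

# The two name lists exactly as the post above gives them.
OS_VISIBLE = "APP CAC DLG DUM ISD LNX MSC PDT PG1 PG2 PG3 RCA RFS RV1 SIF SOS SP1 UDA WDM WLN".split()
ON_EMMC = ("APP BCT BIF CAC DIA DLG DUM EBT GP1 GPT ISD LNX MSC PDT PG1 PG2 PG3 PT "
           "RCA RFS RV1 SIF SOS SP1 UDA WDM WLN").split()

# Constructed sample in `hexdump -C` format: two EBT rows as posted, plus a made-up DIA row.
SAMPLE_DUMP = """\
000000e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
000000f0  12 00 00 00 03 00 00 00  00 00 00 00 45 42 54 00  |............EBT.|
00000100  05 00 00 00 00 00 00 00  05 00 00 00 44 49 41 00  |............DIA.|
"""

# offset, then 1..16 hex bytes (single or double spaced), then the ASCII column.
HEXDUMP_LINE = re.compile(r"^([0-9a-f]{7,8})\s+((?:[0-9a-f]{2}\s+){1,16})\s*\|")
# A NUL-terminated three-character upper-case name such as b"EBT\x00" (heuristic: random
# binary can match too, so treat hits as candidates to be confirmed against a known list).
NAME_RE = re.compile(rb"(?<![A-Z0-9])([A-Z][A-Z0-9]{2})\x00")


def parse_hexdump(text):
    """Return {offset: bytes} for every data line of `hexdump -C` output.
    hexdump's '*' repeat markers carry no data and are skipped, so rows it elided
    are not reported; grep'd output (as in the post) never contains them."""
    rows = {}
    for line in text.splitlines():
        m = HEXDUMP_LINE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        rows[offset] = bytes.fromhex(m.group(2).replace(" ", ""))
    return rows


def find_partition_names(rows):
    """Scan each dumped row for a candidate name. Returns a list of
    (absolute_offset, name, id_word) where id_word is the little-endian 32-bit word
    immediately before the name (assumed, not documented, to be a partition id)."""
    found = []
    for offset, data in sorted(rows.items()):
        for m in NAME_RE.finditer(data):
            start = m.start(1)
            id_word = int.from_bytes(data[start - 4:start], "little") if start >= 4 else None
            found.append((offset + start, m.group(1).decode(), id_word))
    return found


def hidden_partitions(visible=OS_VISIBLE, on_flash=ON_EMMC):
    """Names present on the raw flash but absent from the by-name links the OS shows."""
    return sorted(set(on_flash) - set(visible))


def summarize(text):
    """Map each recovered name to the absolute offsets at which it occurs."""
    by_name = defaultdict(list)
    for off, name, _ in find_partition_names(parse_hexdump(text)):
        by_name[name].append(off)
    return dict(by_name)


if __name__ == "__main__":
    for off, name, idw in find_partition_names(parse_hexdump(SAMPLE_DUMP)):
        print(f"{off:#010x} {name} id_word={idw}")
    print("hidden from the OS:", " ".join(hidden_partitions()))
```

Feed it the saved output of the `hexdump -C /dev/block/mmcblk0 | grep EBT` command from the post, or an unfiltered dump of a partition image, and compare the names it reports with the by-name list; every name in the `hidden_partitions()` result is one the running kernel gives you no block device for, which is the post's point.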

backXslash

Member
Jun 4, 2009
48
68
QXDM

I poked a bit on my phone. It's the international version, HBOOT 1.30.0000 CID HTC__001.

Anyway, there's a fastboot command called "fastboot oem enableqxdm".

QXDM is a piece of software designed to talk directly with the modem. Has anyone looked at that avenue? If not, I intend to right now.

I'll post findings when I can.

---------- Post added at 04:15 PM ---------- Previous post was at 03:46 PM ----------

OK, it turns out that (at least with my setup) the phone WILL allow you to enable QXDM mode. The command "fastboot oem enableqxdm 1" completes successfully.

Now I've just gotta get the phone into diagnostic mode. On CDMA phones, that's ##3424#, which obviously doesn't work on the One X+.

Any ideas?
 

casserly

Member
Jan 8, 2011
33
8
Stockholm
backXslash said:
I poked a bit on my phone. It's the international version, HBOOT 1.30.0000 CID HTC__001.

Anyway, there's a fastboot command called "fastboot oem enableqxdm".

QXDM is a piece of software designed to talk directly with the modem. Has anyone looked at that avenue? If not, I intend to right now.

I'll post findings when I can.

---------- Post added at 04:15 PM ---------- Previous post was at 03:46 PM ----------

OK, it turns out that (at least with my setup) the phone WILL allow you to enable QXDM mode. The command "fastboot oem enableqxdm 1" completes successfully.

Now I've just gotta get the phone into diagnostic mode. On CDMA phones, that's ##3424#, which obviously doesn't work on the One X+.

Any ideas?

If I understand your question correctly, and you mean the diagnostic menu, then I use: *#*#4636#*#*
Hopefully that's what you meant. Good luck :)
 

Top Liked Posts

  • I have gained access to some neat tools!

    The tool is also able to boot into diag58, currently I'm running it in userspace and can freely set everything I want. I tried entering diag58 but it was waiting on modem. Going to try to read the secure key, it has basically access to everything.

    BBVVcZiCEAMtjoX.jpg
  • Got this key out of the 0.40 hboot

    0x15d15b4fb63ee0b
  • And another thing that also belongs here, have full access to my device right now during APX mode.

    http://xdaforums.com/showpost.php?p=37133727&postcount=4973
    38
    IHTC One X+ Infos will be adapted to this as soon as possible.


    Names for the devices are:


    Model ID: PM35110
    Model Name: S728e
    aka One X+



    Model ID: PJ46100 aka
    Model Name: S720e
    aka One X



    So as the title says, we're facing the problem of not having S-OFF yet, although the One X (S720e) has been released nine months ago. The One X+ is newer but since it has the same processor family, it's accountable to this project. It's possible to unlock the bootloader via HTCdev but it doesn't gives us S-OFF. The Unlock via HTCdev gives us only partially control over Bootloader and Recovery. Since it's release date, some great Devs including Xmoo, Football, Mike1986 and more tried to disable the security check. Unfortunatly without a solution for the masses. Also the One X+ (S728e) is relatively new on the market, so THIS is maybe the first thread in the world regarding S-OFF on the S728e Unlike on other HTC phones, on which hardware solutions like the XTC-Clip, or software solutions like revolutionary or any similar software did the job, on the One X they're not going to work. At the moment the only known method is the official HTC's way.

    Ways to set the devices S-OFF
    Ways%20to%20set%20the%20S720e%20S-OFF.jpg


    --------------DIAG + JAVCARD Route--------------

    Infos I could gather. At the moment these infos are only valid for the S720e:

    Basically u need adb/android SDK before proceed.

    [WITH ROOT ACCESS]
    [+] Dump/copy boot.img
    Code:
    Command prompt :
    > adb shell
    > su
    > dd if=/dev/block/mmcblk0p4 of=/sdcard/boot.img
    More partition/img availabe to dump. Will update later.

    [WITHOUT ROOT ACCESS]
    Currently only /system is usable

    1) Android SDK (just need adb)
    2) Download busybox
    3) Command prompt :
    > adb push busybox /data/local/busybox
    > adb shell
    > cd /sdcard/
    > chmod 755 /data/local/busybox
    > /data/local/busybox tar cvf sysdump.tar /system
    4) Ignore tar: error exit delayed from previous errors'. Is done correctly.

    ----------------------------------------------------------------------

    Just finished dumped my semi-virgin One X system partition from SEA WWE stock ROM :D.
    The file would be OneX_SEA_WWE_1.26.707.2_SYSTEM_DUMP.zip 558.3 MB :eek:


    Radio (The Radiomodule on S720e is an Intel X-Gold 626 chip [XMM6260]) location (xmoo's post Radio) Documentation of the Radio chip and direct download:
    xmoo; said:
    Mike found out Radio is probably: \system\etc\QUO_6260.fls.clean
    7.96MB

    Commands located in QUO_6260.fls.clean
    CALIB_NVM
    DYNAMIC_NVM
    STATIC_NVM
    SEC_DATA
    PSI_RAM

    If I could believe the following:
    Found the same commands in a datasheet: "MSM3000Qualcomm, Inc.MOBILE STATION MODEM"
    http://www.datasheetarchive.com/MSM3000-datasheet.html

    So guess we got the Radio located!

    Possible Hboot location (blubber's post Hboot):
    blubber; said:
    xmoo; said:
    How do you know this?

    /EBT does not excist on my phone.


    mmcblk0p2 -> /dev/block/platform/sdhci-tegra.3/by-name/WDM
    mmcblk0p16 -> /dev/block/platform/sdhci-tegra.3/by-name/DUM
    mmcblk0p17 -> /dev/block/platform/sdhci-tegra.3/by-name/MSC
    mmcblk0p20 -> /dev/block/platform/sdhci-tegra.3/by-name/PDT

    of course it does not exist as i have written a few times before!
    it is not accessible with a stock kernel!

    i know it is there:


    Code:
    130|root@android:/ # hexdump -C /dev/block/mmcblk0|grep EBT                    
    000000e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|

    and the EBT partition does contain the bootloader!


    CID Check needs to be bypassed (xmoo's post CID check)
    xmoo said:
    Guys, the diag files have "CIDNUM: 11111111" in it.
    Can't change it cause the file gets corrupted.
    So only way to boot it up is by passing the CID check.

    This is were the Smartcard or Goldcard comes in.
    We tried the one from http://psas.revskills.de/?q=goldcard with no success.
    I remember for some devices you had to change 00 to 11, or something like that.
    Maybe this has to be done for this device aswell. Also I remember something that SDHC cards were not supported, or they are... been a long time ago.
    So your help is need.

    Create a goldcard which works.

    Remember to test it like this: http://xdaforums.com/show....php?t=1714056

    Thank you.

    Partiton list (Football's post Partition list)
    Football said:
    After intensive digging in some stuff I have found this. This is whole partition list for One X with all addresses and lengths of partitions...
    Code:
    [partition]
    name=BCT
    id=2
    start_location=0x00
    size=0x400000
    
    [partition]
    name=PT
    id=3
    start_location=0x400000
    size=0x200000
    
    [partition]
    name=EBT
    id=4
    type=bootloader
    start_location=0x600000
    size=0x400000
    
    [partition]
    name=DIA
    id=5
    type=bootloader
    start_location=0xA00000
    size=0x400000
    
    [partition] (Board Information)
    name=BIF
    id=6
    start_location=0xE00000
    size=0x200000
    
    
    [partition]
    name=GP1
    id=7
    start_location=0x1000000
    size=0x200000
    
    ### WLAN firmware ###
    [partition]
    name=WLN
    id=8
    start_location=0x1200000
    size=0x600000
    #filename=wlan.img
    
    ### WLAN Data + MFG Data ###
    [partition]
    name=WDM
    id=9
    start_location=0x1800000
    size=0x200000
    filename=WDM.img
    
    ### Radio Calibration Data ###
    [partition]
    name=RCA
    id=10
    filesystem_type=ext3
    start_location=0x1A00000
    size=0x600000
    
    ### Linux Kernel OS ###
    [partition]
    name=LNX
    id=11
    start_location=0x2000000
    size=0x800000
    filename=boot.img
    
    ### Recovery ###
    [partition]
    name=SOS
    id=12
    start_location=0x2800000
    size=0x800000
    filename=recovery.img
    
    ### PG1FS ###
    [partition]
    name=PG1
    id=13
    start_location=0x3000000
    size=0x1000000
    
    ### PG2FS ###
    [partition]
    name=PG2
    id=14
    start_location=0x4000000
    size=0x1000000
    
    ### PG3FS ###
    [partition]
    name=PG3
    id=15
    start_location=0x5000000
    size=0x1000000
    
    ### Software Info ###
    [partition]
    name=SIF
    id=16
    start_location=0x6000000
    size=0x400000
    filename=SIF.img
    
    ### Splash1 ###
    [partition]
    name=SP1
    id=17
    start_location=0x6400000
    size=0x400000
    
    ### Reserve1 ###
    [partition]
    name=RV1
    id=18
    start_location=0x6800000
    size=0x1C00000
    
    ### System ###
    [partition]
    name=APP
    id=19
    filesystem_type=ext3
    start_location=0x8400000
    size=0x50000000
    filename=system.img
    
    ### Cache ###
    [partition]
    name=CAC
    id=20
    filesystem_type=ext3
    start_location=0x58400000
    size=0x14000000
    
    ### Internal SD ###
    [partition]
    name=ISD
    id=21
    start_location=0x6C400000
    size=0x650000000
    
    ### Userdata ###
    [partition]
    name=UDA
    id=22
    filesystem_type=ext3
    start_location=0x6BC400000
    size=0x89400000
    filename=userdata.img
    
    ### Memory dump ###
    [partition]
    name=DUM
    id=23
    start_location=0x745800000
    size=0x200000
    
    
    ### MISC Partition ###
    [partition]
    name=MSC
    id=24
    start_location=0x745A00000
    size=0x200000
    
    ### Radio File System ###
    [partition]
    name=RFS
    id=25
    start_location=0x745C00000
    size=0x600000
    
    
    ### Develop Log ###
    [partition]
    name=DLG
    id=26
    start_location=0x746200000
    size=0x1600000
    
    ### PDATA for MASD ###
    [partition]
    name=PDT
    id=27
    start_location=0x747800000
    size=0x200000
    
    [partition]
    name=GPT
    id=28
    type=GPT
    start_location=0x747A00000
    #size=0xFFFFFFFFFFFFFFFF
    size=0x200000


    Mike1986's Partition Info (mike1986's post One X Partition Info)
    This thread's content might brick your device.
    This is not a ROM thread, so I'm not going to answer again and again and again the same questions over and over and over again.
    You can't read - quit this thread now. You can read but you can't understand more or less simple things - quit as well.
    You can read and you understand things, but you are too lazy to read the whole thread before asking the question - watch this first. And quit.

    This is what we know so far:

    Partitions1.png


    Some conclusions:

    1. It's very nice to see that finally someone separated "internal sd card" from userdata partition. So it's no longer linked to /data/media, as it used to be on Asus Transformer, Transformer Prime, Galaxy Nexus etc. but it's a separate partition now - mmcblk0p14. Basically the biggest benefit from that is that now formatting userdata partition will no longer erase virtual sd card content.
    2. It seems that NFC and WLAN deep settings are stored on separate partitions: mmcblk0p1 (wlan) and ? (NFC).
    3. There is a 5th PHYSICAL core, but it's invisible to the system. Android only sees the 4 main cores. The 5th companion core is not controlled by Android. Tegra 3 architecture itself handles the load balancing between the main cores and the companion core. (Thanks to Diamondback)
    4. There is no radio.img in current RUUs.


    Download firmware for HTC One X (PJ4610000)

    Firmware from 1.28.401.9 RUU
    --- MD5 checksum: 83375DF988C86E92417AA8949012A1C2 *PJ46IMG.zip ---

    Supported devices:
    --- CID's added by users requests are marked with green color ---
    cidnum: HTC__001
    cidnum: HTC__E11
    cidnum: HTC__203
    cidnum: HTC__Y13
    cidnum: HTC__102
    cidnum: HTC__405
    cidnum: HTC__304
    cidnum: HTC__032
    cidnum: HTC__J15
    cidnum: HTC__A07
    cidnum: HTC__016
    cidnum: HTC__M27

    Why it's better then full RUU:

    1. It doesn't contain stock recovery
    2. It doesn't contain stock, non rooted system
    3. It doesn't contain secured boot.img
    4. It wont wipe your data partition
    5. It's much smaller :D

    PJ46IMG.zip content: [UPDATE: 25.03.2012]

    android-info.txt - updated [20.04.2012]
    bct.img - updated [25.03.2012]
    rcdata.img - updated [20.04.2012]

    How to flash:

    1. Check your CID using fastboot getvar cid and MID using fastboot getvar mid
    2a. If your CID and MID are supported by default, navigate to point 3.
    2b. If your CID or MID is not supported by default, do this: (you do it at your own risk)
    2c. Open PJ46IMG.zip (don't extract it)
    2d. Open android-info.txt in text editor
    2e. Add your cidnum: or modelid: to the list, save file and close archive
    3. Place PJ46IMG.zip on your SD card
    4. Boot your device holding power button + vol down button
    5. Follow instructions on the screen

    Additional information:

    1. Flash above firmware at your own risk!
    2. It's recommended to flash it before flashing custom ROM based on proper RUU!
    3. Unlocking via htcdev.com will change your CID number into "none".

    4. RUU variants:
    x.xx.61.x - Orange UK (United Kingdom)
    x.xx.75.x - Orange ES (Spain)
    x.xx.110.x - T-Mobile UK (United Kingdom)
    x.xx.111.x - T-Mobile DE (Germany)
    x.xx.112.x - T-Mobile AT (Austria)
    x.xx.114.x - T-Mobile NL (Netherlands)
    x.xx.118.x - T-Mobile PL (Poland)
    x.xx.161.x - Vodafone UK (United Kingdom)
    x.xx.166.x - Vodafone CH-DE (Switzerland - Germany)
    x.xx.163.x - Vodafone FR (France)
    x.xx.169.x - Vodafone AT (Austria)
    x.xx.206.x - O2 UK (United Kingdom)
    x.xx.207.x - O2 DE (Germany)
    x.xx.401.x - World Wide English
    x.xx.707.x - Asia WWE (World Wide English)
    x.xx.720.x - Asia India
    x.xx.771.x - Hutchison 3G UK (United Kingdom)
    x.xx.862.x - Voda-Hutch AU (Australia)
    x.xx.980.x - Optus AU (Australia)
    x.xx.1400.x - HTC China

    Please post here your findings, thoughts or experience with after flashing images listed above.



    Mike1986's addition (mike1986's post Addition)
    mike1986 said:
    Something more:

    /system/etc/Flash_Loader.conf

    boot_port_name=/dev/ttyACMX0
    fw_download_port_name=/dev/ttyACMX0
    baudrate=921600
    BootTimeOut=3000
    CommTimeOut=1000
    eep_normal_mode=m
    file_name=/data/modem_work/QUO_6260.fls
    #file_name=QUO_6260.fls
    #file_name=XMM6260_SIC.fls
    #log_fname=/dev/null
    log_fname=/data/modem_work/Flash_Loader.log
    also

    \system\bin\poweron_modem_fls.sh

    Line 55: /system/bin/InjectionTool -i ${backup_dir}/QUO_6260.fls.clean -o ${Injected_dir}/QUO_6260.fls -n ${work_dir} -s ${sec_dir}
    Line 55: /system/bin/InjectionTool -i ${backup_dir}/QUO_6260.fls.clean -o ${Injected_dir}/QUO_6260.fls -n ${work_dir} -s ${sec_dir}
    and

    \system\bin\poweron_modem_hboot.sh

    Line 50: /system/bin/InjectionTool -i ${backup_dir}/QUO_6260.fls.clean -o ${Injected_dir}/QUO_6260.fls -n ${work_dir} -s ${sec_dir}
    Line 50: /system/bin/InjectionTool -i ${backup_dir}/QUO_6260.fls.clean -o ${Injected_dir}/QUO_6260.fls -n ${work_dir} -s ${sec_dir}
    And from flash_loader.log

    Start downloading item 'CODE:../HW/XMM6260_V2_USB-HSIC_FLASHLESS_EDE_1.0/MODEM_DEBUG/QUO_6260.fls'' from file '/data/modem_work/QUO_6260.fls


    This is how HTC does it:


    My attempt (tried also on locked bootloader with the same output)




    Things you'll need for this trick:

    - USB OTG-Y-Cable. You can also build your own with this guide : How to make external powered OTG Cable
    - USB SD Cardreader
    - MicroSD Javacard (if you can bypass cid check, the Javacard is not needed) Xmoo said this one is used by HTC: GO-Trust® Secure microSD Java. It costs 980 US Dollars together with the SDK. Also, even if you have the Javacard you have to build the Application environment.
    - 5V+ Power supply (Standard wall charger)
    - PJ46DIAG.zip= clean S58 Data program specificly for the S720E/S728e. The correct DIAG has tot have a size of 964kb or 941kb and must contain the string "clean s58..." which can be checked with hexedit or any similar hex editor.

    The procedure:

    1. Put PJ46DIAG.zip on the Secure MicroSD Javacard
    2. Plug it into the USB SD Cardreader
    3. Plug the Cardreader into the female end of USB OTG-Y-Cable
    4. Plug the OTG-Y-Cable into the USB port of the phone
    5. Plug the cable onto the power supply
    6. Reboot into bootloader
    7. Once in Bootloader the file will be load by the phone and you'll land in S58 Menu. Clean S58 Data and you've successfully set your device S-Off

    And here's the problem with this method. 1. A Javacard is really hard to get. I've never saw one, no one I know has ever saw one :D 2. The Diag file can't be leaked. The ones I've attached here are useless as Xmoo said and maybe proved. I have attached them though. So anyone interested and willing to help can investigate them.

    As we know, the DIAG files for the One X can't be leaked. They're spread to chosen HTC repair centres, so a leak would easily be traced back. This would bring the affected people into some serious trouble. But this is interesting: these guys over on pdacentre use the official method. It's suspicious, kind of. For now, this is the only known method. It costs around 2000 roubles (65€ | 85$) + shipping, depending on your location. Of course this isn't an appropriate solution. Another thing: why do we need a Javacard? Well, because the DIAG files will only work on devices with SuperCID (11111111), not on a normal CID (HTC__XXX). So another way is to bypass the CID check.


    Rough diagram of a Javacard
    diagram_v21.jpg

    Copyright © 2011 GOTrust Technology Inc., All rights reserved.



    TOOLBOX
    The DIAG files I've linked don't have any function apart from superwipe. They're only meant to be used as test files to check if we can load such DIAG files:

    How do I know that I have the correct DIAG file?
    The clean DIAG has a size of 964 kB or 941 kB. Or look at the image above: if your DIAG is named like them, it could be the correct one as well. But to be really sure, do the following:
    Download any hex editor you can get. Open the DIAG file with the hex editor and search for keywords like "clean" and "s58". If you find these two strings in the DIAG file, it could be the correct one. We'd appreciate it if you could upload the file.

    "clean s58"
    1.jpg

    Known and working DIAG files for the One X




    What's already been done:

    xmoo said:
    13-04-2012 XDA.CN releases pictures showing someone has successfully S-OFF'd his device. Tool is for sale here: http://item.taobao.com/item.htm?id=10824156715
    17-04-2012 Thread made.
    17-04-2012 We have found someone with a S-OFF device, and a newer HBOOT than the one from XDA.CN. Trying to get access to the HBOOT.
    18-04-2012 OTA 1.28 brings HBOOT 0.94.
    18-04-2012 New member with a S-OFF device is willing to help.
    s-off-hboot_HOX.JPG

    19-04-2012 HBOOT 0.43 S-OFF rfs.img received and uploaded.
    19-04-2012 RFS.img is not the correct file, searching continues...
    19-04-2012 Radio located, click here
    26-04-2012 HBOOT probably located here
    15-05-2012 NVFlash app + APX Drivers added
    12-06-2012 Tegra 3 Manual added, see here!
    16-06-2012 HBOOT 1.11 from the test-keys uploaded here!
    16-06-2012 Huge development, read more about it!
    18-06-2012 Need to find a way to by-pass CID check.
    19-06-2012 Football Partition list for One X with all addresses and lengths of partitions which can be found here.
    27-06-2012 Huge thread clean-up and update.
    04-07-2012 Had the chance to play with a S-OFF device, read more about it here! ENG HBOOT which is used in test, is located here.
    09-07-2012 Javacard with DIAG will work, but won't be a good solution cause no one got a legit Javacard and the DIAG files can't be leaked!
    14-07-2012 Video added which shows the Javacard with DIAG method. Video can be found here.
    14-07-2012 The ENG HBOOT 0.03 that Football uploaded lost its signature. I re-uploaded it and re-checked the file and it should be good now. You can find the new .zip here.

    FAQ.
    What is S-OFF?
    S-OFF stands for Security-OFF
    S-OFF means that the NAND portion of the device is unlocked and can be written to. The default setting for HTC's devices is S-ON, which means that you can neither access certain areas of the system nor guarantee a permanent root. Furthermore, the signature check for firmware images is also enforced by the S-ON flag.

    What has already been done?
    -Tried flashing the DIAG file, but with no success. File needs SuperCID.
    -Tried flashing the ENG HBOOT as a zip file, but with no success. File needs SuperCID.
    -Tried flashing a modified DIAG file, but with no success. File needs SuperCID.
    -Tried flashing a modified HBOOT as a zip file, but with no success. Signature check failed.
    -Tried creating a Goldcard, but it won't work. The Goldcard is for Qualcomm devices.
    -Root while the phone is LOCKED won't work. It only works on the Qualcomm One X and One XL.
    -Asked the Chinese guy with the S-OFF tool. Won't share, because he needs his money.
    -Tried flashing files over recovery, but with no success.
    -Tried flashing TEST and MFG ROMs, but with no success. The phone needs S-OFF because the ROMs are not signed.
    -Tried changing the CID, but it won't work. It only works on the Qualcomm One X and One XL.
    -Tried commands over ADB, but with no success.
    -Tried the XTC clip, won't work.

    How Do I Know If My Device Is S-ON Or S-OFF?
    That is easy to verify. Simply boot into HBOOT (bootloader) on your device, and the text on top will show the flag status as either S-OFF or S-ON. A full root generally means S-OFF.
    s-off.jpg

    S-OFF – What And Why?
    HTC have installed a sort of security check whose level is determined by S-OFF/S-ON. Essentially, this security level is a flag stored on the device's radio that checks the signature of any firmware image before it is allowed to be written to system memory. This hinders using any custom ROMs, splash images, recovery etc., and also restricts access to the NAND flash memory. However, when the security level is set to S-OFF, the signature check is bypassed, allowing a user to upload custom firmware images, unsigned boot, recovery, splash and HBOOT images, as well as official firmware that has been modified, thus enabling maximum customization of your HTC Android device.

    Furthermore, S-OFF also reduces restrictions on accessing the NAND flash memory on the device, allowing all partitions (including /system) to be mounted in write mode while the operating system is booted.

    Where is it located?
    Don't know yet, here are the partitions.

    How can I flash through SD?
    Tutorial added here!

    What HBOOT status have we seen so far?
    ENDEAVORU PVT SHIP S-ON RL
    ENDEAVORU PVT SHIP S-OFF RL
    ENDEAVORU PVT ENG S-OFF RL
    ENDEAVORU XE ENG S-OFF RH
    ENDEAVORU PVT MFG RH
    ENDEAVORU XE SHIP S-OFF RH
    ENDEAVORU UNKNOWN ENG S-OFF RH

    Partition list for One X with all addresses and lengths of partitions
    Football shared the full list, which can be found here.

    How does HTC do it?
    They do it with a smartcard/javacard/goldcard (whatever you want to call it) in combination with the DIAG file. Proof is in the attachment.



    --------------Alternative APX MODE Route--------------


    Hey guys,

    Please stop PM'ing me about APX Mode. I get like 10 PM's a day.

    How to get in
    Nobody really knows. The most common way has been pressing volume up and down together while the device is off and then plugging in USB while connected to a computer.

    How to get out
    When your device is in APX Mode, HTC fixes it in repair. Someone here on XDA PM'd me with this video and said it should work: http://www.youtube.com/watch?v=rsnl_LIgzt0
    I have not tried it myself, so just give it a try and share with the rest.

    All the other discussions about APX can be done here, please stop pm'ing me.
    Thank you!


    Alright Folks! TripNRaVer has made something rudimentary, awesome, fascinating...words can't describe....Work!! Here You go, APX DRIVERS FOR THE ONE X

    semctriplogo.jpg



    For those of you that are in APX Mode or want to mess with APX here is the modified driver for the One X.

    Now you have access to the device again through USB.

    Todo:
    - Plug the USB cable into the HOX
    - Go to Device Manager
    - Search for APX or Unknown device or whatever it is listed
    - Choose update driver
    - Choose manually select driver
    - Select the folder where you extracted the zip file
    - Install drivers

    Use nvflash to gain access to the device again.

    Download:
    http://tripndroid.bindroidroms.com/TripNDroid-HOX-APX-Driver.zip

    Nvflash:
    - Use the nvflash binary to gain access to the device
    - Including flash.cfg for endeavoru to use with nvflash.exe
    - Including a bct file

    http://tripndroid.bindroidroms.com/tripndroid_nvflash.zip






    PLEASE read the threads I've linked before you start discussing. People really did some great development.