That's not the correct ID then if it's the same as the device ID, is it?
Hence it's under dummy_usb_serial_number in /platform/android_usb/
Using nvflash on an Asus tf201 makes you get the SBK the same way based on UID. Toshiba SBK also the same way.
this gets you the same as
Code:
cat /sys/devices/platform/android_usb/usb_serial_number
or
Code:
adb devices
which device is the bct from?
either way, we don't have access to the bct/ebt partitions as they are somehow masked, even to the kernel; or you could dump them from the raw block device mmcblk0
If someone will give me an output of first 32-128 bit how the file header may look like, I will decrypt the rest.
So if i understand you correctly this file is good as is and can be used as is with nvflash..?
We have the bct and cfg for nvflash then.
edit:
some crazy thought, just want to make sure
is there some way to change version number of hboot?
if yes we can just flash the ENG hboot as long as it has a higher version number than the current one..?
not without direct access to partitions....
the thing i've noticed is that in all OTA's firmware.zip and ruu.zip
they'd include both mainvar & radio version in android-info.txt but not the hboot's...
which means the hboot checks for its own version from within itself and not from a fixed location which we could change... well, you can always risk bricking your hboot and editing the 1st few lines and see if it works
having said that... we don't have access to any of the partitions to verify..
you could at least release a full access read only kernel which we can use to look for the location of these values.. though i've been having for some time for full access kernel
with all that said,
i know the hboot "checks for hboot version" before updating itself...
though we don't know if it's just a fake print or is it done for real..
as a hboot always contains a higher mainver (which is definitely checked).. so what's the use of checking for hboot version if the update will fail anyway when mainver is lower.
Then we change the mainver of a firmware package? Firmware package isn't signed so that won't be a problem.
i just tried to flash firmware.zip within the official OTA through the HTC (RUU) screen
sending 'zip' (10910 KB)...
OKAY [ 1.457s]
writing 'zip'...
(bootloader) adopting the signature contained in this image...
FAILED (remote: 99 unknown fail)
finished. total time: 2.067s
so though it won't flash it does have a signature
i edited the android-info.txt and added my actual CID
sending 'zip' (4322 KB)...
OKAY [ 0.582s]
writing 'zip'...
(bootloader) checking model ID...
(bootloader) checking custom ID...
(bootloader) checking main version...
(bootloader) checking hboot version...
(bootloader) start image[boot] unzipping & flushing...
(bootloader) Format partition LNX done
(bootloader) [RUU]WP,boot,100
(bootloader) ERASE backup cid
(bootloader) ERASE GPT partition
OKAY [ 1.818s]
finished. total time: 2.401s
flashing just the kernel works fine...
i added hboot img and it failed straight away
it won't go.... but i found an unfortunate side effect...for me away
my mainver was 1.26 after flashing this it was updated to 1.29 :/
which means i won't be able to use an ruu less than that, and the newest ruu for my cid is 1.26 :cyclops:
recovery seems to be flashable as well.... testing ahead...
i might try these with a locked bootloader.... backup ahead
my guess is anything we can flash through fastboot is flashable that way
So if i understand you correctly this file is good as is and can be used as is with nvflash..?
We have the bct and cfg for nvflash then.
edit:
some crazy thought, just want to make sure
is there some way to change version number of hboot?
if yes we can just flash the ENG hboot as long as it has a higher version number than the current one..?
Version = 0x00030001;
BlockSize = 0x00004000;
PageSize = 0x00000200;
PartitionSize = 0x02000000;
# Bootloader used = 1;
# Bootloaders max = 4;
# BCT size = 6128;
# Hash size = 16;
# Crypto offset = 16;
# Crypto length = 6112;
# Max BCT search blocks = 64;
#
# These values are set by cbootimage using the
# bootloader provided by the Bootloader=...
# configuration option.
#
# Bootloader[0].Version = 0x00000001;
# Bootloader[0].Start block = 384;
# Bootloader[0].Start page = 0;
# Bootloader[0].Length = 2097168;
# Bootloader[0].Load address = 0x80108000;
# Bootloader[0].Entry point = 0x80108000;
# Bootloader[0].Attributes = 0x00000004;
SDRAM[0].MemoryType = NvBootMemoryType_LpDdr2;
SDRAM[0].PllMChargePumpSetupControl = 0x00000008;
SDRAM[0].PllMLoopFilterSetupControl = 0x00000000;
SDRAM[0].PllMInputDivider = 0x0000001a;
SDRAM[0].PllMFeedbackDivider = 0x00000215;
SDRAM[0].PllMPostDivider = 0x00000000;
SDRAM[0].PllMStableTime = 0x0000012c;
SDRAM[0].EmcClockDivider = 0x00000000;
SDRAM[0].EmcAutoCalInterval = 0x001fffff;
SDRAM[0].EmcAutoCalConfig = 0xa0f10000;
SDRAM[0].EmcAutoCalWait = 0x00000064;
SDRAM[0].EmcPinProgramWait = 0x00000000;
SDRAM[0].EmcRc = 0x0000001f;
SDRAM[0].EmcRfc = 0x00000045;
SDRAM[0].EmcRas = 0x00000016;
SDRAM[0].EmcRp = 0x00000009;
SDRAM[0].EmcR2w = 0x00000008;
SDRAM[0].EmcW2r = 0x00000009;
SDRAM[0].EmcR2p = 0x00000003;
SDRAM[0].EmcW2p = 0x0000000d;
SDRAM[0].EmcRrd = 0x00000005;
SDRAM[0].EmcRdRcd = 0x00000009;
SDRAM[0].EmcWrRcd = 0x00000009;
SDRAM[0].EmcRext = 0x00000003;
SDRAM[0].EmcWdv = 0x00000004;
SDRAM[0].EmcQUseExtra = 0x00000000;
SDRAM[0].EmcQUse = 0x00000009;
SDRAM[0].EmcQRst = 0x00000006;
SDRAM[0].EmcQSafe = 0x0000000d;
SDRAM[0].EmcRdv = 0x00000010;
SDRAM[0].EmcRefresh = 0x000007df;
SDRAM[0].EmcBurstRefreshNum = 0x00000000;
SDRAM[0].EmcPdEx2Wr = 0x00000003;
SDRAM[0].EmcPdEx2Rd = 0x00000003;
SDRAM[0].EmcPChg2Pden = 0x00000009;
SDRAM[0].EmcAct2Pden = 0x00000000;
SDRAM[0].EmcAr2Pden = 0x00000001;
SDRAM[0].EmcRw2Pden = 0x0000000f;
SDRAM[0].EmcTxsr = 0x0000004b;
SDRAM[0].EmcTcke = 0x00000008;
SDRAM[0].EmcTfaw = 0x0000001b;
SDRAM[0].EmcTrpab = 0x0000000c;
SDRAM[0].EmcTClkStable = 0x00000004;
SDRAM[0].EmcTClkStop = 0x00000002;
SDRAM[0].EmcTRefBw = 0x000008aa;
SDRAM[0].EmcFbioCfg5 = 0x00006282;
SDRAM[0].EmcFbioCfg6 = 0x00000006;
SDRAM[0].EmcFbioSpare = 0xe0000000;
SDRAM[0].EmcMrsResetDllWait = 0x00000000;
SDRAM[0].EmcMrsResetDll = 0x00000000;
SDRAM[0].EmcMrsDdr2DllReset = 0x00000000;
SDRAM[0].EmcMrs = 0x00000000;
SDRAM[0].EmcEmrsEmr2 = 0x00000000;
SDRAM[0].EmcEmrsEmr3 = 0x00000000;
SDRAM[0].EmcEmrsDdr2DllEnable = 0x00000000;
SDRAM[0].EmcEmrsDdr2OcdCalib = 0x00000000;
SDRAM[0].EmcEmrs = 0x00000000;
SDRAM[0].EmcMrw1 = 0x000100c2;
SDRAM[0].EmcMrw2 = 0x00020006;
SDRAM[0].EmcMrw3 = 0x00030001;
SDRAM[0].EmcMrwResetCommand = 0x003f0000;
SDRAM[0].EmcMrwResetNInitWait = 0x0000000a;
SDRAM[0].EmcAdrCfg = 0x00000001;
SDRAM[0].McEmemCfg = 0x00000400;
SDRAM[0].EmcCfg2 = 0x000c009b;
SDRAM[0].EmcCfgDigDll = 0xf0120091;
SDRAM[0].EmcCfgDigDllPeriod = 0x00008000;
SDRAM[0].EmcCfg = 0xa3e00000;
SDRAM[0].EmcDbg = 0x01000400;
SDRAM[0].WarmBootWait = 0x00000001;
SDRAM[0].EmcCttTermCtrl = 0x00000802;
SDRAM[0].EmcOdtWrite = 0x00000000;
SDRAM[0].EmcOdtRead = 0x00000000;
SDRAM[0].EmcZcalWaitCnt = 0x00000030;
SDRAM[0].EmcZcalMrwCmd = 0x000a0056;
SDRAM[0].EmcDdr2Wait = 0x00000000;
SDRAM[0].PmcDdrPwr = 0x00000003;
SDRAM[0].EmcClockSource = 0x00000000;
SDRAM[0].EmcClockUsePllMUD = 0x00000001;
SDRAM[0].EmcPinExtraWait = 0x00000000;
SDRAM[0].EmcTimingControlWait = 0x00000000;
SDRAM[0].EmcWext = 0x00000000;
SDRAM[0].EmcCtt = 0x00000000;
SDRAM[0].EmcCttDuration = 0x00000000;
SDRAM[0].EmcPreRefreshReqCnt = 0x000001f7;
SDRAM[0].EmcTxsrDll = 0x0000004b;
SDRAM[0].EmcCfgRsv = 0xff00ff88;
SDRAM[0].EmcMrwExtra = 0x000100c2;
SDRAM[0].EmcWarmBootMrw1 = 0x000100c2;
SDRAM[0].EmcWarmBootMrw2 = 0x00020006;
SDRAM[0].EmcWarmBootMrw3 = 0x00030001;
SDRAM[0].EmcWarmBootMrwExtra = 0x00020006;
SDRAM[0].EmcWarmBootExtraModeRegWriteEnable = 0x00000000;
SDRAM[0].EmcExtraModeRegWriteEnable = 0x00000000;
SDRAM[0].EmcMrsWaitCnt = 0x000e000e;
SDRAM[0].EmcCmdQ = 0x10004408;
SDRAM[0].EmcMc2EmcQ = 0x06000404;
SDRAM[0].EmcDynSelfRefControl = 0x800010d9;
SDRAM[0].AhbArbitrationXbarCtrlMemInitDone = 0x00000001;
SDRAM[0].EmcDevSelect = 0x00000000;
SDRAM[0].EmcSelDpdCtrl = 0x0004032c;
SDRAM[0].EmcDllXformDqs0 = 0x0000000a;
SDRAM[0].EmcDllXformDqs1 = 0x0000000a;
SDRAM[0].EmcDllXformDqs2 = 0x0000000a;
SDRAM[0].EmcDllXformDqs3 = 0x0000000a;
SDRAM[0].EmcDllXformDqs4 = 0x0000000a;
SDRAM[0].EmcDllXformDqs5 = 0x0000000a;
SDRAM[0].EmcDllXformDqs6 = 0x0000000a;
SDRAM[0].EmcDllXformDqs7 = 0x0000000a;
SDRAM[0].EmcDllXformQUse0 = 0x00000000;
SDRAM[0].EmcDllXformQUse1 = 0x00000000;
SDRAM[0].EmcDllXformQUse2 = 0x00000000;
SDRAM[0].EmcDllXformQUse3 = 0x00000000;
SDRAM[0].EmcDllXformQUse4 = 0x00000000;
SDRAM[0].EmcDllXformQUse5 = 0x00000000;
SDRAM[0].EmcDllXformQUse6 = 0x00000000;
SDRAM[0].EmcDllXformQUse7 = 0x00000000;
SDRAM[0].EmcDliTrimTxDqs0 = 0x00000000;
SDRAM[0].EmcDliTrimTxDqs1 = 0x00000000;
SDRAM[0].EmcDliTrimTxDqs2 = 0x00000000;
SDRAM[0].EmcDliTrimTxDqs3 = 0x00000000;
SDRAM[0].EmcDliTrimTxDqs4 = 0x00000000;
SDRAM[0].EmcDliTrimTxDqs5 = 0x00000000;
SDRAM[0].EmcDliTrimTxDqs6 = 0x00000000;
SDRAM[0].EmcDliTrimTxDqs7 = 0x00000000;
SDRAM[0].EmcDllXformDq0 = 0x0000000c;
SDRAM[0].EmcDllXformDq1 = 0x0000000c;
SDRAM[0].EmcDllXformDq2 = 0x0000000c;
SDRAM[0].EmcDllXformDq3 = 0x0000000c;
SDRAM[0].EmcZcalInterval = 0x00064000;
SDRAM[0].EmcZcalInitDev0 = 0x800a00ff;
SDRAM[0].EmcZcalInitDev1 = 0x400a00ff;
SDRAM[0].EmcZcalInitWait = 0x00000001;
SDRAM[0].EmcZcalColdBootEnable = 0x00000001;
SDRAM[0].EmcZcalWarmBootEnable = 0x00000001;
SDRAM[0].EmcMrwLpddr2ZcalWarmBoot = 0x000a00ab;
SDRAM[0].EmcZqCalDdr3WarmBoot = 0x00000011;
SDRAM[0].EmcZcalWarmBootWait = 0x00000001;
SDRAM[0].EmcMrsWarmBootEnable = 0x00000001;
SDRAM[0].EmcMrsExtra = 0x00000000;
SDRAM[0].EmcWarmBootMrs = 0x00000000;
SDRAM[0].EmcWarmBootEmrs = 0x00000000;
SDRAM[0].EmcWarmBootEmr2 = 0x00000000;
SDRAM[0].EmcWarmBootEmr3 = 0x00000000;
SDRAM[0].EmcWarmBootMrsExtra = 0x00000000;
SDRAM[0].EmcClkenOverride = 0x00000000;
SDRAM[0].EmcExtraRefreshNum = 0x00000002;
SDRAM[0].EmcClkenOverrideAllWarmBoot = 0x00000000;
SDRAM[0].McClkenOverrideAllWarmBoot = 0x00000000;
SDRAM[0].EmcCfgDigDllPeriodWarmBoot = 0x00000003;
SDRAM[0].PmcVddpSel = 0x00000000;
SDRAM[0].PmcDdrCfg = 0x00000000;
SDRAM[0].PmcIoDpdReq = 0x82a00000;
SDRAM[0].PmcENoVttGen = 0x00000000;
SDRAM[0].PmcNoIoPower = 0x00000000;
SDRAM[0].EmcXm2CmdPadCtrl = 0x00090220;
SDRAM[0].EmcXm2CmdPadCtrl2 = 0x770c0000;
SDRAM[0].EmcXm2DqsPadCtrl = 0x770c1414;
SDRAM[0].EmcXm2DqsPadCtrl2 = 0x0800003d;
SDRAM[0].EmcXm2DqsPadCtrl3 = 0x08000000;
SDRAM[0].EmcXm2DqPadCtrl = 0x770c2990;
SDRAM[0].EmcXm2DqPadCtrl2 = 0x00000000;
SDRAM[0].EmcXm2ClkPadCtrl = 0x77ffc004;
SDRAM[0].EmcXm2CompPadCtrl = 0x01f1f408;
SDRAM[0].EmcXm2VttGenPadCtrl = 0x00000000;
SDRAM[0].EmcXm2VttGenPadCtrl2 = 0x00000007;
SDRAM[0].EmcXm2QUsePadCtrl = 0x08000068;
SDRAM[0].McEmemAdrCfg = 0x00000001;
SDRAM[0].McEmemAdrCfgDev0 = 0x00070303;
SDRAM[0].McEmemAdrCfgDev1 = 0x00070303;
SDRAM[0].McEmemArbCfg = 0x00000008;
SDRAM[0].McEmemArbOutstandingReq = 0x80000060;
SDRAM[0].McEmemArbTimingRcd = 0x00000003;
SDRAM[0].McEmemArbTimingRp = 0x00000004;
SDRAM[0].McEmemArbTimingRc = 0x00000010;
SDRAM[0].McEmemArbTimingRas = 0x0000000a;
SDRAM[0].McEmemArbTimingFaw = 0x0000000d;
SDRAM[0].McEmemArbTimingRrd = 0x00000002;
SDRAM[0].McEmemArbTimingRap2Pre = 0x00000002;
SDRAM[0].McEmemArbTimingWap2Pre = 0x00000008;
SDRAM[0].McEmemArbTimingR2R = 0x00000002;
SDRAM[0].McEmemArbTimingW2W = 0x00000000;
SDRAM[0].McEmemArbTimingR2W = 0x00000004;
SDRAM[0].McEmemArbTimingW2R = 0x00000005;
SDRAM[0].McEmemArbDaTurns = 0x05040002;
SDRAM[0].McEmemArbDaCovers = 0x00110b10;
SDRAM[0].McEmemArbMisc0 = 0x70281811;
SDRAM[0].McEmemArbMisc1 = 0x70000000;
SDRAM[0].McEmemArbRing1Throttle = 0x001f0000;
SDRAM[0].McEmemArbOverride = 0x00000080;
SDRAM[0].McEmemArbRsv = 0xff00ff00;
SDRAM[0].McClkenOverride = 0x00000000;
this is the decoded bct, so yes it should be usable as-is, it is definitely not encrypted
as for the hboot, i see no reason why an ENG/MFG hboot should give you s-off, it should still check for the s-off flag regardless of its type.
If it is correct what you say, then they changed it as well.
Because one of the easiest s-off methods back in the days was replacing the hboot.
I believe ENG and MFG don't have secuflag on. I haven't seen any ENG/MFG phones with S-ON. So theoretically it should be able to provide s-off.
i don't know about that, but if you can replace the hboot, you can replace it with a modified SHIP hboot as well... i've already uploaded a patched hboot a few months ago
http://xdaforums.com/showthread.php?p=25819078#post25819078
Can you please make a 1.33 patched hboot? I want to test a couple of things. Would be nice if you could make one. It needs to be 1.33 though.
Basically you need adb/Android SDK before proceeding.
[WITH ROOT ACCESS]
[+] Dump/copy boot.img
Code:
Command prompt :
> adb shell
> su
> dd if=/dev/block/mmcblk0p4 of=/sdcard/boot.img
More partition/img available to dump. Will update later.
[WITHOUT ROOT ACCESS]
Currently only /system is usable
1) Android SDK (just need adb)
2) Download busybox
3) Command prompt :
> adb push busybox /data/local/busybox
> adb shell
> cd /sdcard/
> chmod 755 /data/local/busybox
> /data/local/busybox tar cvf sysdump.tar /system
4) Ignore 'tar: error exit delayed from previous errors'. It is done correctly.
----------------------------------------------------------------------
Just finished dumping my semi-virgin One X system partition from SEA WWE stock ROM.
The file would be OneX_SEA_WWE_1.26.707.2_SYSTEM_DUMP.zip 558.3 MB
xmoo said:
Mike found out Radio is probably: \system\etc\QUO_6260.fls.clean
7.96MB
Commands located in QUO_6260.fls.clean
CALIB_NVM
DYNAMIC_NVM
STATIC_NVM
SEC_DATA
PSI_RAM
If I could believe the following:
Found the same commands in a datasheet: "MSM3000Qualcomm, Inc.MOBILE STATION MODEM"
http://www.datasheetarchive.com/MSM3000-datasheet.html
So guess we got the Radio located!
blubber said:
xmoo said:
How do you know this?
/EBT does not exist on my phone.
mmcblk0p2 -> /dev/block/platform/sdhci-tegra.3/by-name/WDM
mmcblk0p16 -> /dev/block/platform/sdhci-tegra.3/by-name/DUM
mmcblk0p17 -> /dev/block/platform/sdhci-tegra.3/by-name/MSC
mmcblk0p20 -> /dev/block/platform/sdhci-tegra.3/by-name/PDT
of course it does not exist as i have written a few times before!
it is not accessible with a stock kernel!
i know it is there:
Code:
130|root@android:/ # hexdump -C /dev/block/mmcblk0|grep EBT
000000e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|
and the EBT partition does contain the bootloader!
xmoo said:
Guys, the diag files have "CIDNUM: 11111111" in it.
Can't change it cause the file gets corrupted.
So only way to boot it up is by passing the CID check.
This is where the Smartcard or Goldcard comes in.
We tried the one from http://psas.revskills.de/?q=goldcard with no success.
I remember for some devices you had to change 00 to 11, or something like that.
Maybe this has to be done for this device as well. Also I remember something that SDHC cards were not supported, or they are... been a long time ago.
So your help is needed.
Create a goldcard which works.
Remember to test it like this: http://xdaforums.com/show....php?t=1714056
Thank you.
Football said:
After intensive digging in some stuff I have found this. This is whole partition list for One X with all addresses and lengths of partitions...
Code:
[partition]
name=BCT
id=2
start_location=0x00
size=0x400000

[partition]
name=PT
id=3
start_location=0x400000
size=0x200000

[partition]
name=EBT
id=4
type=bootloader
start_location=0x600000
size=0x400000

[partition]
name=DIA
id=5
type=bootloader
start_location=0xA00000
size=0x400000

[partition] (Board Information)
name=BIF
id=6
start_location=0xE00000
size=0x200000

[partition]
name=GP1
id=7
start_location=0x1000000
size=0x200000

### WLAN firmware ###
[partition]
name=WLN
id=8
start_location=0x1200000
size=0x600000
#filename=wlan.img

### WLAN Data + MFG Data ###
[partition]
name=WDM
id=9
start_location=0x1800000
size=0x200000
filename=WDM.img

### Radio Calibration Data ###
[partition]
name=RCA
id=10
filesystem_type=ext3
start_location=0x1A00000
size=0x600000

### Linux Kernel OS ###
[partition]
name=LNX
id=11
start_location=0x2000000
size=0x800000
filename=boot.img

### Recovery ###
[partition]
name=SOS
id=12
start_location=0x2800000
size=0x800000
filename=recovery.img

### PG1FS ###
[partition]
name=PG1
id=13
start_location=0x3000000
size=0x1000000

### PG2FS ###
[partition]
name=PG2
id=14
start_location=0x4000000
size=0x1000000

### PG3FS ###
[partition]
name=PG3
id=15
start_location=0x5000000
size=0x1000000

### Software Info ###
[partition]
name=SIF
id=16
start_location=0x6000000
size=0x400000
filename=SIF.img

### Splash1 ###
[partition]
name=SP1
id=17
start_location=0x6400000
size=0x400000

### Reserve1 ###
[partition]
name=RV1
id=18
start_location=0x6800000
size=0x1C00000

### System ###
[partition]
name=APP
id=19
filesystem_type=ext3
start_location=0x8400000
size=0x50000000
filename=system.img

### Cache ###
[partition]
name=CAC
id=20
filesystem_type=ext3
start_location=0x58400000
size=0x14000000

### Internal SD ###
[partition]
name=ISD
id=21
start_location=0x6C400000
size=0x650000000

### Userdata ###
[partition]
name=UDA
id=22
filesystem_type=ext3
start_location=0x6BC400000
size=0x89400000
filename=userdata.img

### Memory dump ###
[partition]
name=DUM
id=23
start_location=0x745800000
size=0x200000

### MISC Partition ###
[partition]
name=MSC
id=24
start_location=0x745A00000
size=0x200000

### Radio File System ###
[partition]
name=RFS
id=25
start_location=0x745C00000
size=0x600000

### Develop Log ###
[partition]
name=DLG
id=26
start_location=0x746200000
size=0x1600000

### PDATA for MASD ###
[partition]
name=PDT
id=27
start_location=0x747800000
size=0x200000

[partition]
name=GPT
id=28
type=GPT
start_location=0x747A00000
#size=0xFFFFFFFFFFFFFFFF
size=0x200000
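The partition list above can be cross-checked against the device names reported elsewhere in this thread. This is an added example, not code from any poster: it parses the list (the embedded copy drops comment lines and the filesystem/filename keys), confirms the entries are contiguous, and infers the offset between `id` and the kernel's `mmcblk0pN` number. The function names and the inferred offset are assumptions made here, derived only from the values posted in the thread.

```python
# Partition list from the post above, one entry per line.
PARTITION_LIST = """
[partition] name=BCT id=2 start_location=0x00 size=0x400000
[partition] name=PT id=3 start_location=0x400000 size=0x200000
[partition] name=EBT id=4 type=bootloader start_location=0x600000 size=0x400000
[partition] name=DIA id=5 type=bootloader start_location=0xA00000 size=0x400000
[partition] (Board Information) name=BIF id=6 start_location=0xE00000 size=0x200000
[partition] name=GP1 id=7 start_location=0x1000000 size=0x200000
[partition] name=WLN id=8 start_location=0x1200000 size=0x600000 #filename=wlan.img
[partition] name=WDM id=9 start_location=0x1800000 size=0x200000
[partition] name=RCA id=10 start_location=0x1A00000 size=0x600000
[partition] name=LNX id=11 start_location=0x2000000 size=0x800000
[partition] name=SOS id=12 start_location=0x2800000 size=0x800000
[partition] name=PG1 id=13 start_location=0x3000000 size=0x1000000
[partition] name=PG2 id=14 start_location=0x4000000 size=0x1000000
[partition] name=PG3 id=15 start_location=0x5000000 size=0x1000000
[partition] name=SIF id=16 start_location=0x6000000 size=0x400000
[partition] name=SP1 id=17 start_location=0x6400000 size=0x400000
[partition] name=RV1 id=18 start_location=0x6800000 size=0x1C00000
[partition] name=APP id=19 start_location=0x8400000 size=0x50000000
[partition] name=CAC id=20 start_location=0x58400000 size=0x14000000
[partition] name=ISD id=21 start_location=0x6C400000 size=0x650000000
[partition] name=UDA id=22 start_location=0x6BC400000 size=0x89400000
[partition] name=DUM id=23 start_location=0x745800000 size=0x200000
[partition] name=MSC id=24 start_location=0x745A00000 size=0x200000
[partition] name=RFS id=25 start_location=0x745C00000 size=0x600000
[partition] name=DLG id=26 start_location=0x746200000 size=0x1600000
[partition] name=PDT id=27 start_location=0x747800000 size=0x200000
[partition] name=GPT id=28 type=GPT start_location=0x747A00000 #size=0xFFFFFFFFFFFFFFFF size=0x200000
"""

# Kernel device numbers reported in the thread: the by-name links
# (WDM, DUM, MSC, PDT), the boot.img dd command (LNX), and the notes on
# mmcblk0p1 (wlan) and mmcblk0p14 (internal SD).
OBSERVED = {"WLN": 1, "WDM": 2, "LNX": 4, "ISD": 14, "DUM": 16, "MSC": 17, "PDT": 20}


def parse_partitions(text):
    """Return one dict per [partition] entry, in file order."""
    parts = []
    for chunk in text.split("[partition]")[1:]:
        entry = {}
        for token in chunk.split():
            if token.startswith("#") or "=" not in token:
                continue  # commented-out key or free-text label
            key, value = token.split("=", 1)
            entry[key] = value
        entry["id"] = int(entry["id"])
        entry["start"] = int(entry.pop("start_location"), 16)
        entry["size"] = int(entry["size"], 16)
        parts.append(entry)
    return parts


def layout_problems(parts):
    """Describe every gap or overlap between consecutive entries."""
    problems = []
    ordered = sorted(parts, key=lambda p: p["start"])
    for prev, cur in zip(ordered, ordered[1:]):
        end = prev["start"] + prev["size"]
        if end < cur["start"]:
            problems.append(f"gap of {cur['start'] - end:#x} after {prev['name']}")
        elif end > cur["start"]:
            problems.append(f"{prev['name']} overlaps {cur['name']}")
    return problems


def infer_id_offset(parts, observed):
    """Return the one (id - N) offset that fits every observed mmcblk0pN, else None."""
    by_name = {p["name"]: p for p in parts}
    offsets = {by_name[name]["id"] - n for name, n in observed.items()}
    return offsets.pop() if len(offsets) == 1 else None


def hidden_partitions(parts, offset):
    """Names whose id would map below mmcblk0p1 under the inferred offset."""
    return [p["name"] for p in parts if p["id"] - offset < 1]


if __name__ == "__main__":
    parts = parse_partitions(PARTITION_LIST)
    print("layout problems:", layout_problems(parts) or "none")
    offset = infer_id_offset(parts, OBSERVED)
    print("id - mmcblk0pN offset:", offset)
    print("no kernel partition node:", hidden_partitions(parts, offset))
```

Under that inferred offset, the entries with no `mmcblk0pN` node are the ones at the start of the list, which matches the earlier posts saying the bct/ebt partitions are not visible with a stock kernel.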
This thread's content might brick your device.
This is not a ROM thread, so I'm not going to answer again and again and again the same questions over and over and over again.
You can't read - quit this thread now. You can read but you can't understand more or less simple things - quit as well.
You can read and you understand things, but you are too lazy to read the whole thread before asking the question - watch this first. And quit.
This is what we know so far:
Some conclusions:
1. It's very nice to see that finally someone separated "internal sd card" from userdata partition. So it's no longer linked to /data/media, as it used to be on Asus Transformer, Transformer Prime, Galaxy Nexus etc. but it's a separate partition now - mmcblk0p14. Basically the biggest benefit from that is that now formatting userdata partition will no longer erase virtual sd card content.
2. It seems that NFC and WLAN deep settings are stored on separate partitions: mmcblk0p1 (wlan) and ? (NFC).
3. There is a 5th PHYSICAL core, but it's invisible to the system. Android only sees the 4 main cores. The 5th companion core is not controlled by Android. Tegra 3 architecture itself handles the load balancing between the main cores and the companion core. (Thanks to Diamondback)
4. There is no radio.img in current RUUs.
Download firmware for HTC One X (PJ4610000)
Firmware from 1.28.401.9 RUU
--- MD5 checksum: 83375DF988C86E92417AA8949012A1C2 *PJ46IMG.zip ---
Supported devices:
--- CID's added by users requests are marked with green color ---
cidnum: HTC__001
cidnum: HTC__E11
cidnum: HTC__203
cidnum: HTC__Y13
cidnum: HTC__102
cidnum: HTC__405
cidnum: HTC__304
cidnum: HTC__032
cidnum: HTC__J15
cidnum: HTC__A07
cidnum: HTC__016
cidnum: HTC__M27
Why it's better than full RUU:
1. It doesn't contain stock recovery
2. It doesn't contain stock, non rooted system
3. It doesn't contain secured boot.img
4. It won't wipe your data partition
5. It's much smaller
PJ46IMG.zip content: [UPDATE: 25.03.2012]
android-info.txt - updated [20.04.2012]
bct.img - updated [25.03.2012]
rcdata.img - updated [20.04.2012]
How to flash:
1. Check your CID using fastboot getvar cid and MID using fastboot getvar mid
2a. If your CID and MID are supported by default, navigate to point 3.
2b. If your CID or MID is not supported by default, do this: (you do it at your own risk)
2c. Open PJ46IMG.zip (don't extract it)
2d. Open android-info.txt in text editor
2e. Add your cidnum: or modelid: to the list, save file and close archive
3. Place PJ46IMG.zip on your SD card
4. Boot your device holding power button + vol down button
5. Follow instructions on the screen
Additional information:
1. Flash above firmware at your own risk!
2. It's recommended to flash it before flashing custom ROM based on proper RUU!
3. Unlocking via htcdev.com will change your CID number into "none".
4. RUU variants:
x.xx.61.x - Orange UK (United Kingdom)
x.xx.75.x - Orange ES (Spain)
x.xx.110.x - T-Mobile UK (United Kingdom)
x.xx.111.x - T-Mobile DE (Germany)
x.xx.112.x - T-Mobile AT (Austria)
x.xx.114.x - T-Mobile NL (Netherlands)
x.xx.118.x - T-Mobile PL (Poland)
x.xx.161.x - Vodafone UK (United Kingdom)
x.xx.166.x - Vodafone CH-DE (Switzerland - Germany)
x.xx.163.x - Vodafone FR (France)
x.xx.169.x - Vodafone AT (Austria)
x.xx.206.x - O2 UK (United Kingdom)
x.xx.207.x - O2 DE (Germany)
x.xx.401.x - World Wide English
x.xx.707.x - Asia WWE (World Wide English)
x.xx.720.x - Asia India
x.xx.771.x - Hutchison 3G UK (United Kingdom)
x.xx.862.x - Voda-Hutch AU (Australia)
x.xx.980.x - Optus AU (Australia)
x.xx.1400.x - HTC China
Please post here your findings, thoughts or experience after flashing images listed above.
mike1986 said:
Something more:
/system/etc/Flash_Loader.conf
boot_port_name=/dev/ttyACMX0
fw_download_port_name=/dev/ttyACMX0
baudrate=921600
BootTimeOut=3000
CommTimeOut=1000
eep_normal_mode=m
file_name=/data/modem_work/QUO_6260.fls
#file_name=QUO_6260.fls
#file_name=XMM6260_SIC.fls
#log_fname=/dev/null
log_fname=/data/modem_work/Flash_Loader.log
also
\system\bin\poweron_modem_fls.sh
Line 55: /system/bin/InjectionTool -i ${backup_dir}/QUO_6260.fls.clean -o ${Injected_dir}/QUO_6260.fls -n ${work_dir} -s ${sec_dir}
and
\system\bin\poweron_modem_hboot.sh
Line 50: /system/bin/InjectionTool -i ${backup_dir}/QUO_6260.fls.clean -o ${Injected_dir}/QUO_6260.fls -n ${work_dir} -s ${sec_dir}
And from flash_loader.log
Start downloading item 'CODE:../HW/XMM6260_V2_USB-HSIC_FLASHLESS_EDE_1.0/MODEM_DEBUG/QUO_6260.fls'' from file '/data/modem_work/QUO_6260.fls
xmoo said:
13-04-2012 XDA.CN releases pictures showing someone successfully has S-OFF'd his device. Tool is for sale here: http://item.taobao.com/item.htm?id=10824156715
17-04-2012 Thread made.
17-04-2012 We have found someone with a S-OFF device, and a newer HBOOT than the one from XDA.CN. Trying to get access to the HBOOT.
18-04-2012 OTA 1.28 brings HBOOT 0.94.
18-04-2012 New member with a S-OFF device is willing to help.
19-04-2012 HBOOT 0.43 S-OFF rfs.img received and uploaded.
19-04-2012 RFS.img is not the correct file, searching continues...
19-04-2012 Radio located, click here
26-04-2012 HBOOT probably located here
15-05-2012 NVFlash app + APX Drivers added
12-06-2012 Tegra 3 Manual added, see here!
16-06-2012 HBOOT 1.11 from the test-keys uploaded here!
16-06-2012 Huge development, read more about it!
18-06-2012 Need to find a way to by-pass CID check.
19-06-2012 Football Partition list for One X with all addresses and lengths of partitions which can be found here.
27-06-2012 Huge thread clean-up and update.
04-07-2012 Had the chance to play with a S-OFF device, read more about it here! ENG HBOOT which is used in test, is located here.
09-07-2012 Javacard with DIAG will work, but won't be a good solution cause no one got a legit Javacard and the DIAG files can't be leaked!
14-07-2012 Video added which shows the Javacard with DIAG method. Video can be found here.
14-07-2012 The ENG HBOOT 0.03 that Football uploaded lost its sign. I re-uploaded it and re-checked the file and it should be good now. You can find the new .zip here.
FAQ.
What is S-OFF?
S-OFF stands for Security-OFF
S-OFF means that the NAND portion of the device is unlocked and can be written to. The default setting for HTC’s devices is S-ON, which means that neither can you access certain areas of the system nor can you guarantee a permanent root. Furthermore, signature check for firmware images is also ensured by the S-ON flag.
What has already been done?
-Tried flashing DIAG file, but with no success. File needs SuperCID.
-Tried flashing ENG HBOOT as zip file, but with no success. File needs SuperCID.
-Tried flashing modified DIAG file, but with no success. File needs SuperCID.
-Tried flashing modified HBOOT as zip file, but with no success. Signature check failed.
-Tried creating a Goldcard, but won't work. The Goldcard is for Qualcomm devices.
-Root while phone is LOCKED, won't work. Only will work on the Qualcomm One X and One XL.
-Ask the Chinese guy with the S-OFF tool. Won't share, cause he needs his money.
-Tried flashing files over recovery, but with no success.
-Tried flashing TEST and MFG ROMs, but with no success. Phone needs S-OFF because the ROMs are not signed.
-Tried changing CID, but won't work. Only will work on the Qualcomm One X and One XL.
-Tried commands over ADB, but with no success.
-Tried XTC clip, won't work.
How Do I Know If My Device Is S-ON Or S-OFF?
That is easy to verify. Simply boot into HBOOT (bootloader) on your device, and the text on top will show the flag status as either S-OFF or S-ON. A full root generally means S-OFF.
S-OFF – What And Why?
HTC have installed a sort of security check whose level is determined by S-OFF/S-ON. Essentially, this security level is a flag stored on the device’s radio that checks signature images for any firmware before it is allowed to be written to system memory. This hinders using any custom ROMs, splash images, recovery etc., and also restricts access to the NAND flash memory. However, when security level is set to S-OFF, the signature check is bypassed, allowing a user to upload custom firmware images, unsigned boot, recovery, splash and HBOOT images, as well as official firmware that has been modified, thus enabling maximum customization of your HTC Android device.
Furthermore, S-OFF also reduces restrictions on accessing the NAND flash memory on the device, allowing all partitions (including /system) to be mounted in write mode while the operating system is booted.
Where is it located?
Don't know yet, here are the partitions.
How can I flash through SD?
Tutorial added here!
What HBOOT status have we seen so far?
ENDEAVORU PVT SHIP S-ON RL
ENDEAVORU PVT SHIP S-OFF RL
ENDEAVORU PVT ENG S-OFF RL
ENDEAVORU XE ENG S-OFF RH
ENDEAVORU PVT MFG RH
ENDEAVORU XE SHIP S-OFF RH
ENDEAVORU UNKNOWN ENG S-OFF RH
Partition list for One X with all addresses and lengths of partitions
Football shared the full list, which can be found here.
How does HTC do it?
They do it with a smartcard/javacard/goldcard (whatever you want to call it) in combination with the DIAG file. Proof is in the attachment.
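The banner check described in this FAQ, as an added example that is not part of the original post: a small Python parser for the HBOOT status lines listed above that reports any device not showing a retail S-ON bootloader. The field names and the verdict strings are assumptions made for the example; the meaning of the trailing RL/RH token is not given on the page, so it is kept as an opaque value.

```python
from dataclasses import dataclass
from typing import Optional

# Token sets taken from the banners listed in the post. The field names
# below (product, hw_rev, build, security, suffix) are assumed labels.
BUILDS = {"SHIP", "ENG", "MFG"}
SECURITY = {"S-ON", "S-OFF"}

@dataclass
class Banner:
    product: str
    hw_rev: str              # second token, e.g. PVT, XE, UNKNOWN
    build: Optional[str]     # SHIP / ENG / MFG
    security: Optional[str]  # S-ON / S-OFF, None when the banner omits it
    suffix: Optional[str]    # trailing token (RL / RH), meaning not on the page

def parse_banner(line: str) -> Banner:
    tokens = line.split()
    if len(tokens) < 3:
        raise ValueError(f"not an HBOOT banner: {line!r}")
    product, hw_rev, rest = tokens[0], tokens[1], tokens[2:]
    build = next((t for t in rest if t in BUILDS), None)
    security = next((t for t in rest if t in SECURITY), None)
    leftover = [t for t in rest if t not in (BUILDS | SECURITY)]
    return Banner(product, hw_rev, build, security,
                  leftover[-1] if leftover else None)

def audit(banner: Banner) -> str:
    """Return 'locked' only for a SHIP build that explicitly reports S-ON."""
    if banner.security is None:
        return "review: no security flag shown"
    if banner.security == "S-OFF":
        return "flag: signature check bypassed"
    if banner.build != "SHIP":
        return "flag: non-retail bootloader"
    return "locked"

# Banners exactly as listed in the post above.
SAMPLES = [
    "ENDEAVORU PVT SHIP S-ON RL",
    "ENDEAVORU PVT SHIP S-OFF RL",
    "ENDEAVORU PVT ENG S-OFF RL",
    "ENDEAVORU XE ENG S-OFF RH",
    "ENDEAVORU PVT MFG RH",
    "ENDEAVORU XE SHIP S-OFF RH",
    "ENDEAVORU UNKNOWN ENG S-OFF RH",
]

def audit_all(lines):
    return {line: audit(parse_banner(line)) for line in lines}

if __name__ == "__main__":
    for line, verdict in audit_all(SAMPLES).items():
        print(f"{line:32} -> {verdict}")
```
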
Hey guys,
Please stop PM'ing me about APX Mode. I get like 10 PM's a day.
How to get in
Nobody really knows. The most common way has been pressing volume up and down together while device is off and then plugging in USB while connected to a computer.
How to get out
When your device is in APX Mode, HTC fixes it in repair. Someone here on XDA PM'd me with this video and said it should work: http://www.youtube.com/watch?v=rsnl_LIgzt0
I have not tried it myself, so just give it a try and share with the rest.
All the other discussions about APX can be done here, please stop pm'ing me.
Thank you!
For those of you that are in APX Mode or want to mess with APX here is the modified driver for the One X.
Now you have access to the device again through USB.
Todo:
- Plug the usb cable in hox
- Go to device manager
- Search for APX or Unknown device or whatever it is listed
- Choose update driver
- Choose manually select driver
- Select the folder where you extracted the zip file
- Install drivers
Use nvflash to gain access to the device again.
Download:
http://tripndroid.bindroidroms.com/TripNDroid-HOX-APX-Driver.zip
Nvflash:
- Use nvflash binary to gain access to the device
- Including flash.cfg for endeavoru to use with nvflash.exe
- Including a bct file
http://tripndroid.bindroidroms.com/tripndroid_nvflash.zip