Goal: S-off HOX (TEGRA3)

monx® said:

Basically u need adb/android SDK before proceed.

[WITH ROOT ACCESS]
[+] Dump/copy boot.img

Code:

Command prompt :
> adb shell
> su
> dd if=/dev/block/mmcblk0p4 of=/sdcard/boot.img

More partition/img availabe to dump. Will update later.

[WITHOUT ROOT ACCESS]
Currently only /system is usable

1) Android SDK (just need adb)
2) Download busybox
3) Command prompt :
> adb push busybox /data/local/busybox
> adb shell
> cd /sdcard/
> chmod 755 /data/local/busybox
> /data/local/busybox tar cvf sysdump.tar /system
4) Ignore tar: error exit delayed from previous errors'. Is done correctly.

----------------------------------------------------------------------

Just finished dumped my semi-virgin One X system partition from SEA WWE stock ROM .
The file would be OneX_SEA_WWE_1.26.707.2_SYSTEM_DUMP.zip 558.3 MB

Click to expand...

Click to collapse

xmoo; said:

Mike found out Radio is probably: \system\etc\QUO_6260.fls.clean
7.96MB

Commands located in QUO_6260.fls.clean
CALIB_NVM
DYNAMIC_NVM
STATIC_NVM
SEC_DATA
PSI_RAM

If I could believe the following:
Found the same commands in a datasheet: "MSM3000Qualcomm, Inc.MOBILE STATION MODEM"
http://www.datasheetarchive.com/MSM3000-datasheet.html

So guess we got the Radio located!

Click to expand...

Click to collapse

blubber; said:

xmoo; said:

How do you know this?

/EBT does not excist on my phone.


mmcblk0p2 -> /dev/block/platform/sdhci-tegra.3/by-name/WDM
mmcblk0p16 -> /dev/block/platform/sdhci-tegra.3/by-name/DUM
mmcblk0p17 -> /dev/block/platform/sdhci-tegra.3/by-name/MSC
mmcblk0p20 -> /dev/block/platform/sdhci-tegra.3/by-name/PDT

Click to expand...

Click to collapse

of course it does not exist as i have written a few times before!
it is not accessible with a stock kernel!

i know it is there:

Code:

130|root@android:/ # hexdump -C /dev/block/mmcblk0|grep EBT                    
000000e0  03 00 00 00 00 00 00 00  04 00 00 00 45 42 54 00  |............EBT.|

and the EBT partition does contain the bootloader!

Click to expand...

Click to collapse

xmoo said:

Guys, the diag files have "CIDNUM: 11111111" in it.
Can't change it cause the file gets corrupted.
So only way to boot it up is by passing the CID check.

This is were the Smartcard or Goldcard comes in.
We tried the one from http://psas.revskills.de/?q=goldcard with no success.
I remember for some devices you had to change 00 to 11, or something like that.
Maybe this has to be done for this device aswell. Also I remember something that SDHC cards were not supported, or they are... been a long time ago.
So your help is need.

Create a goldcard which works.

Remember to test it like this: http://xdaforums.com/show....php?t=1714056

Thank you.

Click to expand...

Click to collapse

Football said:

After intensive digging in some stuff I have found this. This is whole partition list for One X with all addresses and lengths of partitions...

Code:

[partition]
name=BCT
id=2
start_location=0x00
size=0x400000

[partition]
name=PT
id=3
start_location=0x400000
size=0x200000

[partition]
name=EBT
id=4
type=bootloader
start_location=0x600000
size=0x400000

[partition]
name=DIA
id=5
type=bootloader
start_location=0xA00000
size=0x400000

[partition] (Board Information)
name=BIF
id=6
start_location=0xE00000
size=0x200000


[partition]
name=GP1
id=7
start_location=0x1000000
size=0x200000

### WLAN firmware ###
[partition]
name=WLN
id=8
start_location=0x1200000
size=0x600000
#filename=wlan.img

### WLAN Data + MFG Data ###
[partition]
name=WDM
id=9
start_location=0x1800000
size=0x200000
filename=WDM.img

### Radio Calibration Data ###
[partition]
name=RCA
id=10
filesystem_type=ext3
start_location=0x1A00000
size=0x600000

### Linux Kernel OS ###
[partition]
name=LNX
id=11
start_location=0x2000000
size=0x800000
filename=boot.img

### Recovery ###
[partition]
name=SOS
id=12
start_location=0x2800000
size=0x800000
filename=recovery.img

### PG1FS ###
[partition]
name=PG1
id=13
start_location=0x3000000
size=0x1000000

### PG2FS ###
[partition]
name=PG2
id=14
start_location=0x4000000
size=0x1000000

### PG3FS ###
[partition]
name=PG3
id=15
start_location=0x5000000
size=0x1000000

### Software Info ###
[partition]
name=SIF
id=16
start_location=0x6000000
size=0x400000
filename=SIF.img

### Splash1 ###
[partition]
name=SP1
id=17
start_location=0x6400000
size=0x400000

### Reserve1 ###
[partition]
name=RV1
id=18
start_location=0x6800000
size=0x1C00000

### System ###
[partition]
name=APP
id=19
filesystem_type=ext3
start_location=0x8400000
size=0x50000000
filename=system.img

### Cache ###
[partition]
name=CAC
id=20
filesystem_type=ext3
start_location=0x58400000
size=0x14000000

### Internal SD ###
[partition]
name=ISD
id=21
start_location=0x6C400000
size=0x650000000

### Userdata ###
[partition]
name=UDA
id=22
filesystem_type=ext3
start_location=0x6BC400000
size=0x89400000
filename=userdata.img

### Memory dump ###
[partition]
name=DUM
id=23
start_location=0x745800000
size=0x200000


### MISC Partition ###
[partition]
name=MSC
id=24
start_location=0x745A00000
size=0x200000

### Radio File System ###
[partition]
name=RFS
id=25
start_location=0x745C00000
size=0x600000


### Develop Log ###
[partition]
name=DLG
id=26
start_location=0x746200000
size=0x1600000

### PDATA for MASD ###
[partition]
name=PDT
id=27
start_location=0x747800000
size=0x200000

[partition]
name=GPT
id=28
type=GPT
start_location=0x747A00000
#size=0xFFFFFFFFFFFFFFFF
size=0x200000

Click to expand...

Click to collapse

mike1986. said:

This thread's content might brick your device.
This is not a ROM thread, so I'm not going to answer again and again and again the same questions over and over and over again.
You can't read - quit this thread now. You can read but you can't understand more or less simple things - quit as well.
You can read and you understand things, but you are too lazy to read the whole thread before asking the question - watch this first. And quit.​

This is what we know so far:

Some conclusions:

1. It's very nice to see that finally someone separated "internal sd card" from userdata partition. So it's no longer linked to /data/media, as it used to be on Asus Transformer, Transformer Prime, Galaxy Nexus etc. but it's a separate partition now - mmcblk0p14. Basically the biggest benefit from that is that now formatting userdata partition will no longer erase virtual sd card content.
2. It seems that NFC and WLAN deep settings are stored on separate partitions: mmcblk0p1 (wlan) and ? (NFC).
3. There is a 5th PHYSICAL core, but it's invisible to the system. Android only sees the 4 main cores. The 5th companion core is not controlled by Android. Tegra 3 architecture itself handles the load balancing between the main cores and the companion core. (Thanks to Diamondback)
4. There is no radio.img in current RUUs.

Download firmware for HTC One X (PJ4610000)

Firmware from 1.28.401.9 RUU
--- MD5 checksum: 83375DF988C86E92417AA8949012A1C2 *PJ46IMG.zip ---

Supported devices:
--- CID's added by users requests are marked with green color ---
cidnum: HTC__001
cidnum: HTC__E11
cidnum: HTC__203
cidnum: HTC__Y13
cidnum: HTC__102
cidnum: HTC__405
cidnum: HTC__304
cidnum: HTC__032
cidnum: HTC__J15
cidnum: HTC__A07
cidnum: HTC__016
cidnum: HTC__M27
​

Why it's better then full RUU:

1. It doesn't contain stock recovery
2. It doesn't contain stock, non rooted system
3. It doesn't contain secured boot.img
4. It wont wipe your data partition
5. It's much smaller

PJ46IMG.zip content: [UPDATE: 25.03.2012]

android-info.txt - updated [20.04.2012]
bct.img - updated [25.03.2012]
rcdata.img - updated [20.04.2012]

How to flash:

1. Check your CID using fastboot getvar cid and MID using fastboot getvar mid
2a. If your CID and MID are supported by default, navigate to point 3.
2b. If your CID or MID is not supported by default, do this: (you do it at your own risk)
2c. Open PJ46IMG.zip (don't extract it)
2d. Open android-info.txt in text editor
2e. Add your cidnum: or modelid: to the list, save file and close archive
3. Place PJ46IMG.zip on your SD card
4. Boot your device holding power button + vol down button
5. Follow instructions on the screen

Additional information:

1. Flash above firmware at your own risk!
2. It's recommended to flash it before flashing custom ROM based on proper RUU!
3. Unlocking via htcdev.com will change your CID number into "none".

4. RUU variants:
x.xx.61.x - Orange UK (United Kingdom)
x.xx.75.x - Orange ES (Spain)
x.xx.110.x - T-Mobile UK (United Kingdom)
x.xx.111.x - T-Mobile DE (Germany)
x.xx.112.x - T-Mobile AT (Austria)
x.xx.114.x - T-Mobile NL (Netherlands)
x.xx.118.x - T-Mobile PL (Poland)
x.xx.161.x - Vodafone UK (United Kingdom)
x.xx.166.x - Vodafone CH-DE (Switzerland - Germany)
x.xx.163.x - Vodafone FR (France)
x.xx.169.x - Vodafone AT (Austria)
x.xx.206.x - O2 UK (United Kingdom)
x.xx.207.x - O2 DE (Germany)
x.xx.401.x - World Wide English
x.xx.707.x - Asia WWE (World Wide English)
x.xx.720.x - Asia India
x.xx.771.x - Hutchison 3G UK (United Kingdom)
x.xx.862.x - Voda-Hutch AU (Australia)
x.xx.980.x - Optus AU (Australia)
x.xx.1400.x - HTC China

Please post here your findings, thoughts or experience with after flashing images listed above.

Click to expand...

Click to collapse

mike1986 said:

Something more:

/system/etc/Flash_Loader.conf

boot_port_name=/dev/ttyACMX0
fw_download_port_name=/dev/ttyACMX0
baudrate=921600
BootTimeOut=3000
CommTimeOut=1000
eep_normal_mode=m
file_name=/data/modem_work/QUO_6260.fls
#file_name=QUO_6260.fls
#file_name=XMM6260_SIC.fls
#log_fname=/dev/null
log_fname=/data/modem_work/Flash_Loader.log

Click to expand...

Click to collapse

also

\system\bin\poweron_modem_fls.sh

Line 55: /system/bin/InjectionTool -i ${backup_dir}/QUO_6260.fls.clean -o ${Injected_dir}/QUO_6260.fls -n ${work_dir} -s ${sec_dir}
Line 55: /system/bin/InjectionTool -i ${backup_dir}/QUO_6260.fls.clean -o ${Injected_dir}/QUO_6260.fls -n ${work_dir} -s ${sec_dir}

Click to expand...

Click to collapse

and

\system\bin\poweron_modem_hboot.sh

Line 50: /system/bin/InjectionTool -i ${backup_dir}/QUO_6260.fls.clean -o ${Injected_dir}/QUO_6260.fls -n ${work_dir} -s ${sec_dir}
Line 50: /system/bin/InjectionTool -i ${backup_dir}/QUO_6260.fls.clean -o ${Injected_dir}/QUO_6260.fls -n ${work_dir} -s ${sec_dir}

Click to expand...

Click to collapse

And from flash_loader.log

Start downloading item 'CODE:../HW/XMM6260_V2_USB-HSIC_FLASHLESS_EDE_1.0/MODEM_DEBUG/QUO_6260.fls'' from file '/data/modem_work/QUO_6260.fls

Click to expand...

Click to collapse

Click to expand...

Click to collapse

xmoo; said:

13-04-2012 XDA.CN releases pictures showing someone succesfully has S-OFF'd his device. Tool is for sale here: http://item.taobao.com/item.htm?id=10824156715
17-04-2012 Thread made.
17-04-2012 We have found someone with a S-OFF device, and a newer HBOOT than the one from XDA.CN. Trying to get access to the HBOOT.
18-04-2012 OTA 1.28 brings HBOOT 0.94.
18-04-2012 New member with a S-OFF device is willing to help.

19-04-2012 HBOOT 0.43 S-OFF rfs.img received and uploaded.
19-04-2012 RFS.img is not the correct file, searching continues...
19-04-2012 Radio located, click here
26-04-2012 HBOOT probably located here
15-05-2012 NVFlash app + APX Drivers added
12-06-2012 Tegra 3 Manual added, see here!
16-06-2012 HBOOT 1.11 from the test-keys uploaded here!
16-06-2012 Huge development, read more about it!
18-06-2012 Need to find a way to by-pass CID check.
19-06-2012 Football Partition list for One X with all addresses and lengths of partitions which can be found here.
27-06-2012 Huhge thread clean-up and update.
04-07-2012 Had the chance to play with a S-OFF device, read more about it here! ENG HBOOT which is used in test, is located here.
09-07-2012 Javacard with DIAG will work, but won't be a good solution cause no one got a legit Javacard and the DIAG files can't be leaked!
14-07-2012 Video added which shows the Javacard with DIAG method. Video can be found here.
14-07-2012 The ENG HBOOT 0.03 that Football uploaded lost it's sign. I re-uploaded it and re-checked the file and it should be good now. You can find the new .zip here.

FAQ.
What is S-OFF?
S-OFF stands for Security-OFF
S-OFF means that the NAND portion of the device is unlocked and can be written to. The default setting for HTC’s devices is S-ON, which means that neither can you access certain areas of the system nor can you guarantee a permanent root. Furthermore, signature check for firmware images is also ensured by the S-ON flag.

What has already been done?
-Tried flashing DIAG file, but with no success. File needs SuperCID.
-Tried flashing ENG HBOOT as zip file, but with no success. File needs SuperCID.
-Tried flashing modified DIAG file, but with no success. File needs SuperCID.
-Tried flashing modified HBOOT as zip file, but with no success. Signature check failed.
-Tried creating a Goldcard, but won't work. The Goldcare is for Qualcomm devices.
-Root while phone is LOCKED, won't work. Only will work on the Qualcomm One X and One XL.
-Ask the Chineese guy with the S-OFF tool. Won't share, cause he needs his money.
-Tried flashing files over recovery, but with no success.
-Tried flashing TETS and MFG ROMs, but with no success. Phone needs S-OFF because the ROMS are not sighned.
-Tried changing CID, but won't work. Only will work on the Qualcomm One X and One XL.
-Tried commands over ADB, but with no success.
-Tried XTC clip, won't work.

How Do I Know If My Device Is S-ON Or S-OFF?
That is easy to verify. Simply boot into HBOOT (bootloader) on your device, and the text on top will show the flag status as either S-OFF or S-ON. A full root generally means S-OFF.

S-OFF – What And Why?
HTC have installed a sort of security check whose level is determined by S-OFF/S-ON. Essentially, this security level is a flag stored on the device’s radio that checks signature images for any firmware before it is allowed to be written to system memory. This hinders using any custom ROMs, splash images, recovery etc., and also restricts access to the NAND flash memory. However, when security level is set to S-OFF, the signature check is bypassed, allowing a user to upload custom firmware images, unsigned boot, recovery, splash and HBOOT images, as well as official firmware that has been modified, this enabling maximum customization of your HTC Android device.

Furthermore, S-OFF also reduces restrictions on accessing the NAND flash memory on the device, allowing all partitions (including /system) to be mounted in write mode while the operating system is booted.

Where is it located?
Don't know yet, here are the partitions.

How can I flash through SD?
Tutorial added here!

What HBOOT status have we seen so far?
ENDEAVORU PVT SHIP S-ON RL
ENDEAVORU PVT SHIP S-OFF RL
ENDEAVORU PVT ENG S-OFF RL
ENDEAVORU XE ENG S-OFF RH
ENDEAVORU PVT MFG RH
ENDEAVORU XE SHIP S-OFF RH
ENDEAVORU UNKNOWN ENG S-OFF RH

Partition list for One X with all addresses and lengths of partitions
Football share the full list which can be found here.

How does HTC do it?
They do it with a smartcard/javacard/goldcard (What ever you want to call it) in combination with the DIAG file. Proof is in the attachment.

Click to expand...

Click to collapse