[WIP] Download mode, Radio Serial Shells, Eng Hboot and more! GETTING CLOSE TO DONE

TrevE · Jul 27, 2011

Now that S-Off is official, i will be working mostly on download mode and other low levels of the phone. Download mode is exciting for permanent brick fixes and future protection if this S-off method is patched

DOWNLOAD MODE
Mystery port is now identified. it is how to get the phone in download mode!!!!111
there is a two holed port next to the volume up button that new eMMC devices all seem to have. pictures of front and back of board lined up and overlayed here

evo3d schematics - posted here

Now to connect to it i hooked up to it with a serial -> TTL board from geeetech.com jumping VDD, TXD (later found out not needed) and hooking up RXD and GND. GND is going to the right hole, RXD the left hole. Also the device is plugged in with another cable to microusb port. Is a TTL board required or can you just hack up another cable? We dont know. Someone needs to figure out exactly how this triggers that mode, theory was its some kinda resistance or something that this board has because shorting the pins just makes me reboot, but i know nothing about electronics so PLEASE someone else jump in.

There is pictures of how i got the phone in download mode up here and the wires i used (You dont need to jump VDD/TXD) only RXD/GND was required - http://xdaforums.com/showpost.php?p=16095395&postcount=168

here is a more detailed explanation and pics if your still confused - http://xdaforums.com/showpost.php?p=16117652&postcount=242

Windows should ask to install drivers (pic here)

Drivers are linked to in a post here - http://xdaforums.com/showpost.php?p=16090025&postcount=115

QPST Showing download mode - http://xdaforums.com/showpost.php?p=16095167&postcount=164

In windows it finds it as a com port called Qualcomm HS-USB QDLoader 9008. Below is how the device is shown in linux:

Bus 001 Device 011: ID 05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)

Jul 29 03:46:05 unknown kernel: [ 3020.332185] usb 1-6: new high speed USB device using ehci_hcd and address 11
Jul 29 03:46:05 unknown kernel: [ 3020.466258] qcserial 1-6:1.0: Qualcomm USB modem converter detected
Jul 29 03:46:05 unknown kernel: [ 3020.466446] usb 1-6: Qualcomm USB modem converter now attached to ttyUSB1

Now that the phone is in download mode, we need a way to dump memory & find how to flash the good stuff. Some possibilities

Revskills v2.05.2 - Seems like the best possibility, but it doesnt have special ldr support (or i cant figure it out) . Read MEM in DWNMODE runs forevor but spits no file or anything out. Ive contacted these guys, hopefully its something stupid im doing seing i have no clue how to use this correctly.

*UPDATE* revskills guys actually contacted me and posted here! this looks _very_ goood for a perm brick fix and downgrade emethod

QPST will likely not work. see here http://xdaforums.com/showpost.php?p=16171089&postcount=292

QPST Memory Debug/Software download/gang flash - Build 355 of memory debug throws unknown NAK response so im kind of stuck here, kind of a chicken and the egg situation i cant just download something to phone without having the files. Once we get something to flash this should work

RADIO SERIAL SHELL
In recovery we can obtain a AT-Command Interpreter shell. In stock recovery this option is enabled by default. with eng hboot you can use MFG kernel. This is talking directly to the radio. This method was originally found over here

to connect you can build a usb->ttl if you have a adrino board laying around. If your on a *NIX box you can also use usbserial module with instructions below:

TrevE said:
adb reboot recovery
sudo apt-get install screen
sudo modprobe -r usbserial
lsusb | grep High

at this point youll see something similar to:
Bus 011 Device 011 ID 0bb4:0c03 High Tech Computer Corp

the first part before the : in ID is vendor, second part is product. put 0X before it and load usbserial
sudo modprobe usbserial vendor=0X0BB4 Product=0X0C03

now do
tail -n 100 -f /var/log/kern.log

look for the line usb 1-6: generic converter now attached to ttyUSB0

the ttyUSB is the device yuo want. press ctrl+c to kill the log outpupt

now do
sudo screen /dev/ttyUSB0

The commands we have gone through for AT Command interpreter shell are up here

OTHER HBOOT FUN:

SERIAL IN HBOOT/FASTBOOT

Currently impossible.

On our US release you cannot send commands to any other shell except our AT-Command shell. Every keypress will return FAILNot allowed. To do some fun stuff we really need to get this turned on. An example of typical hboot shell commands are over here http://tjworld.net/wiki/Android/HTC/Vision/HbootAnalysis

ENG HBOOT
this section is only available if you have S-OFF and have downgraded to ENG Hboot. xHausx has eng hboot up for flashing here - ?t=1192306

eng hboot enables a bunch more fastboot commands. here is the listing - http://pastebin.com/VEtcZgm3

--MFG KERNEL
the phone will seem to lock up if you do this, its cool just let it be and connect to a computer.

enables:
*USB Composit device/mass storage device
*Android Phone
*HTCDIAG ports (you will need drivers attached to post) - Connect QPST/QXDM to this
*HTC USB Modem. Same drivers as above. - connect to com port with putty, this is radio command interpreter shell. see above AT command listing
*Android USB device

QPST can connect to these ports and issue commands. it also seems to have morer areas of nvram unlocked.

SUPERCID
This should bypass CID checks on RUUs. this lets your phone accept any image. is this useful yet? havent found out

fastboot oem readcid
fastboot oem writecid 11111111
fastboot oem readcid

RTASK VALUES
This is how we can talk to different areas in fastboot. the command is:
fastboot oem rtask TASK

RTASK C - This loads up modem.mdt. It loads modem.b01 - b09 and then starts the modems.

Simunlock
There is a cdma section under simunlock. i cannot tell if this is related to security, but its looking for 3 files

1- config.dat from MCCMNC - you can use a patched version of hermes unlock to generate this with sprints MCCMNC (wiki it)

2- cid.txt - not exactly sure, it looks like its related to supercid, but it could be a sdcard cid (see below)

3-DMCID.dat - some keycard, but if you look on hboot page it looks like this was used to supercid. thats why unsure on #2

NB0 files

Typically nb0 files seem to be packed nbh looking at tools like android flasher it looks like it unpacks them first then fastboots.

also near the bottom you of hboot can see some things are called with zlib inflate.

inflate 1.2.3 Copyright 1995-2005 Mark Adler

i tried using something like offset file unzipper by luigi auriemma against hboot, it should scan and extract anything compressed, but it yielded nothing fun.

TrevE · Jul 27, 2011

OTHER INFO:

How to make raw eMMC backups

while device is booted you can read and extract partitions from the main /dev/block/mmcblk0. this will work regardless of S-ON/S-OFF

to backup entire device -
dd if=/dev/block/mmcblk0 of=/sdcard/mmcblk0.img

to backup just a partition-
here are the partitions we know about

mmcblk0p34: "misc"
mmcblk0p22: "recovery"
mmcblk0p21: "boot"
mmcblk0p23: "system"
mmcblk0p32: "local"
mmcblk0p25: "cache"
mmcblk0p24: "userdata"
mmcblk0p28: "devlog"
mmcblk0p30: "pdata"
mmcblk0p18: "radio"
mmcblk0p19: "radio_config"
mmcblk0p26: "modem_st1"
mmcblk0p27: "modem_st2"
mmcblk0p8: "wimax"
mmcblk0p33: "udata_wimax"

to backup a partition youll need the following information:

Code:

       Device Boot    Start       End   #sectors  Id  System
    mmcblk0.img1   *         1       256        256  4d  QNX4.x
    mmcblk0.img2           257       768        512  51  OnTrack DM6 Aux1
    mmcblk0.img3           769     65502      64734  5d  Unknown
    mmcblk0.img4         65503   4718590    4653088   5  Extended
    mmcblk0.img5         65504     65535         32  5a  Unknown
    mmcblk0.img6         65537     66048        512  73  Unknown
    mmcblk0.img7         66050     82356      16307   0  Empty
    mmcblk0.img8         82358    106934      24577  7e  Unknown
    mmcblk0.img9        106936    107447        512   0  Empty
    mmcblk0.img10       107449    109496       2048  45  Unknown
    mmcblk0.img11       109498    110009        512  47  Unknown
    mmcblk0.img12       110011    114106       4096  46  Unknown
    mmcblk0.img13       114108    116155       2048  4c  Unknown
    mmcblk0.img14       116157    116220         64   0  Empty
    mmcblk0.img15       116222    128509      12288  34  Unknown
    mmcblk0.img16       128511    130558       2048  36  Unknown
    mmcblk0.img17       130560    131071        512  76  Unknown
    mmcblk0.img18       131073    212992      81920  77  Unknown
    mmcblk0.img19       212994    229374      16381  74  Unknown
    mmcblk0.img20       229376    262143      32768   0  Empty
    mmcblk0.img21       262145    294912      32768  48  Unknown
    mmcblk0.img22       294914    327679      32766  71  Unknown
    mmcblk0.img23       327681   1966078    1638398  83  Linux
    mmcblk0.img24      1966080   4412897    2446818  83  Linux
    mmcblk0.img25      4412899   4639697     226799  83  Linux
    mmcblk0.img26      4639699   4647890       8192  4a  Unknown
    mmcblk0.img27      4647892   4656083       8192  4b  Unknown
    mmcblk0.img28      4656085   4697044      40960  19  Unknown
    mmcblk0.img29      4697046   4697053          8   0  Empty
    mmcblk0.img30      4697055   4697566        512  23  Unknown
    mmcblk0.img31      4697568   4697599         32   0  Empty
    mmcblk0.img32      4697601   4700161       2561  33  Unknown
    mmcblk0.img33      4700163   4716543      16381  7e  Unknown
    mmcblk0.img34      4716545   4718589       2045  76  Unknown

the command to extract a single partition outua mmcblk

dd if=/dev/block/mmcblk0 of=/sdcard/imagename.img skip=blockstart count=#sectors

say if you wanted mmcblk0p19 radio-config. you would use the following command

dd if=/dev/block/mmcblk0 of=/sdcard/radioconfig.img skip=212994 count=16381

you can also change the above command to use dd if=/sdcard/imagename.img and extract partitions from a full mmcblock dump.

Goldcarding
will this help with downgrading or anything? no.

1 - Download goldcard helper from market.
2 - notee the reverse CID for mmc1.
3 - go to http://psas.revskills.de/?q=goldcard and put in the reverse CID in exactly
4 - download a hex editor, windows can use HxD (http://mh-nexus.de/en/downloads.php?product=HxD) but anything hexeditor that can write to disk will be ok
5 - open hxd without your sdcard in. go to extra -> open disk note under removable devices what is there.
6 - attach sd card go to new physical disk NOT the logical disk. uncheck read only, when it asks sector size is 512.
7 - now go to file open and open the goldcard img you got in email from revskill
8 - your goldcard img will be from offsets 00000000 - 00000170. copy it all
9 - now go over to the physical disk of ur sdcard. select the same 00000000 - 00000170 sectors and paste write in the goldcard info (it should overwrite the existing sectors, if it inserts this before existing data you did it wrong)
10 - press save, now reboot phone. if you did it right your sdcard will still be accessable. if you did it wrong youll get a message you need to format.

now try downgrading with a pg86img.zip and let us know, hopefully you wont get a version mismatch and it will let you flash a lower ruu.

Bentenrai · Jul 27, 2011

TrevE said:
Whats next?

I need to figure out why eng wrote and EU didnt.

Possible brave method?

do we have a radio from eng build? I have found the other pieces but cant seem to obtain this. maybe we can swap down to eng with everything signed (hboot/radio/boot/recovery) all at once. this is very scary though seing just hboot left a brick. We know you cant flash eng with s-on, but maybe a matching radio would fix it?

Interesting notion. Also, good thread, thanks. Ill see what I can do. Just to clarify, youre talkin about keeping the eng radio and signing it in a pack with the other eu parts?

Sent from my PG86100 using XDA App

TrevE · Jul 27, 2011

Bentenrai said:
Interesting notion. Also, good thread, thanks. Ill see what I can do. Just to clarify, youre talkin about keeping the eng radio and signing it in a pack with the other eu parts?

Sent from my PG86100 using XDA App

heres what i think is going on

bootloader is first thing loaded. From the hboot analysis page i linked above it looks like it controls all the locking. when we loaded eng it flashed because it disabled security, but then radio came expecting s-on couldnt do it and gave the big middle finger. If we had the radio image, bootloader, boot, recovery all from eng it might line up and work. when we loaded europe hboot security was still enabled so nothing flashed.

also if eng actually flashes and DOES disable sig checking, could we just flash a zeroed out image of radio, boot, whatevers signed, get into just hboot unlock mmc s-off all that fun stuff then run a ruu up to a rom? i think theres still a few possibilities, im willing to play just want to get some input first.

Bentenrai · Jul 27, 2011

Okay well I'm at work at radio shack. Ill be here til about 9 my time. I'll be reading up on some stuff while it's slow, and I'll work on it tonight. Out of curiosity, think there's anything of use at radio shack? Our store is closing down so i probably can get a lot of old cables, connectors, boards etc for cheap to free.

Sent from my PG86100 using XDA App

Bentenrai · Jul 27, 2011

Also try pming that guy with a friend with s-off i seem to remember.. Get a dump of the eng radio

Sent from my PG86100 using XDA App

pinky059 · Jul 27, 2011

TrevE said:
heres what i think is going on

bootloader is first thing loaded. From the hboot analysis page i linked above it looks like it controls all the locking. when we loaded eng it flashed because it disabled security, but then radio came expecting s-on couldnt do it and gave the big middle finger. If we had the radio image, bootloader, boot, recovery all from eng it might line up and work. when we loaded europe hboot security was still enabled so nothing flashed.

also if eng actually flashes and DOES disable sig checking, could we just flash a zeroed out image of radio, boot, whatevers signed, get into just hboot unlock mmc s-off all that fun stuff then run a ruu up to a rom? i think theres still a few possibilities, im willing to play just want to get some input first.

From what I have read, the Kernel, the Radio and the HBOOT must all agree on the S-OFF or S-ON state. They basically all verify each other and check the security status. This may work based on the idea that they all verify each other.

Bentenrai · Jul 27, 2011

pinky059 said:
From what I have read, the Kernel, the Radio and the HBOOT must all agree on the S-OFF or S-ON state. They basically all verify each other and check the security status. This may work based on the idea that they all verify each other.

Does anybody know where the security flags are for each

Edit: did anyone ever get a dump of that s off phone? Also i know download times are slow with free uploaders, i have 10 gigs at my site (brpstudios.com) and can host files there. Pm me if i can help on that front as well

Sent from my PG86100 using XDA App

kthejoker20 · Jul 27, 2011

TrevE said:
RADIO SERIAL SHELL
In recovery we can obtain a AT-Command Interpreter shell. This is talking directly to the radio. This method was originally found over here

to connect you can build a usb->ttl if you have a adrino board laying around, just need ground, TXD, RXD. when i powered my board it just thought it was AC so i didnt hook up the red pair and all seemed well. If your on a *NIX box you can also use usbserial module with instructions below:

This is what I said the begining of June, but I was flamed off the board for being a "noob" and that this wouldn't work. sigh.... and then they wonder why I don't contribute.

BTW... nice to see you over here treve.

zonyl · Jul 27, 2011

TrevE said:
Right now the only way we have gotten anything to flash is by swapping sd cards in bootloader. Basically you let it verify a real PG86IMG.zip, plug it into AC, pull the battery and sd card and put a fake image in. I explained about making the images and everhting - here

Downgrading to ENG (not a good idea currently, we were able to write eng but it ended in a brick) - http://xdaforums.com/showpost.php?p=15919634&postcount=740

Upgrading to EU - Now this one has me stumped. It looks like the EU hboot has more modes enabled for USB (see below quote), and it looks like our board is supported along with several other phone models (from here). We tried the sdcard swap method, it flashed said OK but left with stock hboot still. The method we used I explained here

now why can we downgrade to eng, but not upgrade to a supported hboot at a higher version?

How did you verify the ENG HBoot actually flashed to the device using a card swap? This may have more likely been a case that the re-flash of stock Hboot that was likely occurring was interrupted and left the device in a corrupt state.

In other words I dont think flashing anything unsigned using an SD card swap has worked.

TrevE · Jul 27, 2011

zonyl said:
How did you verify the ENG HBoot actually flashed to the device using a card swap? This may have more likely been a case that the re-flash of stock Hboot that was likely occurring was interrupted and left the device in a corrupt state.

well we tried flashing eu in the same method and it said OK but didnt flash anything differernt. eng actually accepts, says ok, and bricks. it was confirmed s-off cannot have a eng downgrade, so this was the only real theory until now.

i also dont know if hboot could protect itself, hboot is actually what calls all the security functions

msm_mpu_emmc_protect_set("hboot", "mfg", 1);
msm_mpu_emmc_protect_set("hboot", "system", 1);

zonyl · Jul 27, 2011

TrevE said:
well we tried flashing eu in the same method and it said OK but didnt flash anything differernt. eng actually accepts, says ok, and bricks. it was confirmed s-off cannot have a eng downgrade, so this was the only real theory until now.

How about starting small and change the /system image by adding a simple file somewhere as a test? Because of the likely redundant checks, avoid messing with Hboot for now.

If we can change /system that would be a monumental step in the right direction as well.

zonyl · Jul 27, 2011

TrevE said:
i also dont know if hboot could protect itself, hboot is actually what calls all the security functions

From what I understood (may be incorrect on the Evo 3d), the Radio CPU (ARM9) starts first and does some checking of its own before letting the Main CPU (thus Hboot) proceed. If you tampered with Hboot, the Radio just may be stopping the show.

http://tjworld.net/wiki/Android/HTC/Vision/BootProcess

TrevE · Jul 27, 2011

zonyl said:
From what I understood (may be incorrect), the Radio CPU starts first and does some checking of its own before letting Hboot proceed. If you tampered with Hboot, the Radio just may be stopping the show.

its possible for sure, but that goes back to what if we zero out or downgrade radio/boot/recovery/hboot at once. also i mean everything upgrades officially together so checks must be disabled while flashing is running or all shooter images would have to use the same signatures which would mean we could flash different revisions around. and no crc checks would be possible if it checks everything individually as it flashes, it would have to use a generic signature check or nothing would ever beable to change

zonyl · Jul 27, 2011

TrevE said:
its possible for sure, but that goes back to what if we zero out or downgrade radio/boot/recovery/hboot at once. also i mean everything upgrades officially together so checks must be disabled while flashing is running or all shooter images would have to use the same signatures which would mean we could flash different revisions around

Unfortunately I dont have first hand evidence of what is going on (only what I read from scattered posts here), but in order for someone to do the swap trick and end up with the same Hboot would be either A) There is an additional check that occurs after the flash starts (another sig check) then ignores invalid images or B) the images are cached from the first read (unlikely).

TrevE · Jul 27, 2011

zonyl said:
Unfortunately I dont have first hand evidence of what is going on (only what I read from scattered posts here), but in order for someone to do the swap trick and end up with the same Hboot would be either A) There is an additional check that occurs after the flash starts (another sig check) then ignores invalid images or B) the images are cached from the first read (unlikely).

well a good test would be for someone on 1.11 to take the boot.img or something from 1.30 ruu and replace in 1.11 image and swap. If that does work, it means its a generic signature check just for a htc signed image.

If that leaves at stock, then there is some kind of sig checking tying everything together after flash. i would try to replace boot/hboot/recovery/radio from a higher ruu and see what happens. if they can be flashed together then we know next steps.

If none of that works i guess we swap completly a 1.11 image with a 1.13 ruu and see wtf is going on

we also know it buffers the files as its sending it, so B is not possible. and you would expect a fail not an OK if bootloader knew about it.

*edit* also maybe someone on 1.13 can try goldcarding and downgrading to official 1.11? see for ****s and giggles if it works. well need all this info for future ruu/rooting/playing

mbobino · Jul 27, 2011

If you can post a link to a goldcard guide that should work Ill give it a go. Another idea, if the EU /system is signed, shouldnt we be able to flash it? Same with /boot, etc...?

Tiffany84 · Jul 27, 2011

Hey TrevE, just wanted to let u know right now my software version is 1.11.651.3 which is right in the middle. So I can try upgrading or downgrading. Just let me know if there is anything U need me to do. U may have to break it down a little for me cause I'm not a noob but I have no where near the skill U have. I'm still a couple days away from thirty days so I'm willing to do anything you need. Just let me know. Keep fighting man. I think I can speak for most everyone and say we greatly appreciate it.

Sent from my PG86100 using XDA Premium App

-viperboy- · Jul 27, 2011

Tiffany84 said:
Hey TrevE, just wanted to let u know right now my software version is 1.11.651.3 which is right in the middle. So I can try upgrading or downgrading. Just let me know if there is anything U need me to do. U may have to break it down a little for me cause I'm not a noob but I have no where near the skill U have. I'm still a couple days away from thirty days so I'm willing to do anything you need. Just let me know. Keep fighting man. I think I can speak for most everyone and say we greatly appreciate it.

Sent from my PG86100 using XDA Premium App

Same here, TrevE. If you post what you want on each sdcard I will test it out for you tonight. I don't worry about bricks (not sure why anyone does) cause you just walk into the Sprint store and get another phone.

miniterror · Jul 27, 2011

I sure hope you guys crack this biatch
Sorry for my noob post but i cant follow it otherwhise from my phone

Sent from my HTC Sensation Z710e using XDA App

[WIP] Download mode, Radio Serial Shells, Eng Hboot and more! *GETTING CLOSE TO DONE*

Retired Recognized Developer

Attachments

Retired Recognized Developer

Retired News Writer

Retired Recognized Developer

Retired News Writer

Retired News Writer

Senior Member

Retired News Writer

Senior Member

Senior Member

Retired Recognized Developer

Senior Member

Senior Member

Retired Recognized Developer

Senior Member

Retired Recognized Developer

Senior Member

Inactive Recognized Themer

Inactive Recognized Developer

Senior Member

Similar threads

Top Liked Posts

[WIP] Download mode, Radio Serial Shells, Eng Hboot and more! GETTING CLOSE TO DONE