Now that S-Off is official, i will be working mostly on download mode and other low levels of the phone. Download mode is exciting for permanent brick fixes and future protection if this S-off method is patched
DOWNLOAD MODE
Mystery port is now identified. it is how to get the phone in download mode!!!!111
there is a two holed port next to the volume up button that new eMMC devices all seem to have. pictures of front and back of board lined up and overlayed here
evo3d schematics - posted here
Now to connect to it i hooked up to it with a serial -> TTL board from geeetech.com jumping VDD, TXD (later found out not needed) and hooking up RXD and GND. GND is going to the right hole, RXD the left hole. Also the device is plugged in with another cable to microusb port. Is a TTL board required or can you just hack up another cable? We dont know. Someone needs to figure out exactly how this triggers that mode, theory was its some kinda resistance or something that this board has because shorting the pins just makes me reboot, but i know nothing about electronics so PLEASE someone else jump in.
There is pictures of how i got the phone in download mode up here and the wires i used (You dont need to jump VDD/TXD) only RXD/GND was required - http://xdaforums.com/showpost.php?p=16095395&postcount=168
here is a more detailed explanation and pics if your still confused - http://xdaforums.com/showpost.php?p=16117652&postcount=242
Windows should ask to install drivers (pic here)
Drivers are linked to in a post here - http://xdaforums.com/showpost.php?p=16090025&postcount=115
QPST Showing download mode - http://xdaforums.com/showpost.php?p=16095167&postcount=164
In windows it finds it as a com port called Qualcomm HS-USB QDLoader 9008. Below is how the device is shown in linux:
Now that the phone is in download mode, we need a way to dump memory & find how to flash the good stuff. Some possibilities
Revskills v2.05.2 - Seems like the best possibility, but it doesnt have special ldr support (or i cant figure it out) . Read MEM in DWNMODE runs forevor but spits no file or anything out. Ive contacted these guys, hopefully its something stupid im doing seing i have no clue how to use this correctly.
*UPDATE* revskills guys actually contacted me and posted here! this looks _very_ goood for a perm brick fix and downgrade emethod
QPST will likely not work. see here http://xdaforums.com/showpost.php?p=16171089&postcount=292
QPST Memory Debug/Software download/gang flash - Build 355 of memory debug throws unknown NAK response so im kind of stuck here, kind of a chicken and the egg situation i cant just download something to phone without having the files. Once we get something to flash this should work
RADIO SERIAL SHELL
In recovery we can obtain a AT-Command Interpreter shell. In stock recovery this option is enabled by default. with eng hboot you can use MFG kernel. This is talking directly to the radio. This method was originally found over here
to connect you can build a usb->ttl if you have a adrino board laying around. If your on a *NIX box you can also use usbserial module with instructions below:
The commands we have gone through for AT Command interpreter shell are up here
OTHER HBOOT FUN:
SERIAL IN HBOOT/FASTBOOT
Currently impossible.
On our US release you cannot send commands to any other shell except our AT-Command shell. Every keypress will return FAILNot allowed. To do some fun stuff we really need to get this turned on. An example of typical hboot shell commands are over here http://tjworld.net/wiki/Android/HTC/Vision/HbootAnalysis
ENG HBOOT
this section is only available if you have S-OFF and have downgraded to ENG Hboot. xHausx has eng hboot up for flashing here - ?t=1192306
eng hboot enables a bunch more fastboot commands. here is the listing - http://pastebin.com/VEtcZgm3
--MFG KERNEL
the phone will seem to lock up if you do this, its cool just let it be and connect to a computer.
enables:
*USB Composit device/mass storage device
*Android Phone
*HTCDIAG ports (you will need drivers attached to post) - Connect QPST/QXDM to this
*HTC USB Modem. Same drivers as above. - connect to com port with putty, this is radio command interpreter shell. see above AT command listing
*Android USB device
QPST can connect to these ports and issue commands. it also seems to have morer areas of nvram unlocked.
SUPERCID
This should bypass CID checks on RUUs. this lets your phone accept any image. is this useful yet? havent found out
RTASK VALUES
This is how we can talk to different areas in fastboot. the command is:
fastboot oem rtask TASK
RTASK C - This loads up modem.mdt. It loads modem.b01 - b09 and then starts the modems.
Simunlock
There is a cdma section under simunlock. i cannot tell if this is related to security, but its looking for 3 files
1- config.dat from MCCMNC - you can use a patched version of hermes unlock to generate this with sprints MCCMNC (wiki it)
2- cid.txt - not exactly sure, it looks like its related to supercid, but it could be a sdcard cid (see below)
3-DMCID.dat - some keycard, but if you look on hboot page it looks like this was used to supercid. thats why unsure on #2
NB0 files
Typically nb0 files seem to be packed nbh looking at tools like android flasher it looks like it unpacks them first then fastboots.
also near the bottom you of hboot can see some things are called with zlib inflate.
i tried using something like offset file unzipper by luigi auriemma against hboot, it should scan and extract anything compressed, but it yielded nothing fun.
DOWNLOAD MODE
Mystery port is now identified. it is how to get the phone in download mode!!!!111
there is a two holed port next to the volume up button that new eMMC devices all seem to have. pictures of front and back of board lined up and overlayed here
evo3d schematics - posted here
Now to connect to it i hooked up to it with a serial -> TTL board from geeetech.com jumping VDD, TXD (later found out not needed) and hooking up RXD and GND. GND is going to the right hole, RXD the left hole. Also the device is plugged in with another cable to microusb port. Is a TTL board required or can you just hack up another cable? We dont know. Someone needs to figure out exactly how this triggers that mode, theory was its some kinda resistance or something that this board has because shorting the pins just makes me reboot, but i know nothing about electronics so PLEASE someone else jump in.
There is pictures of how i got the phone in download mode up here and the wires i used (You dont need to jump VDD/TXD) only RXD/GND was required - http://xdaforums.com/showpost.php?p=16095395&postcount=168
here is a more detailed explanation and pics if your still confused - http://xdaforums.com/showpost.php?p=16117652&postcount=242
Windows should ask to install drivers (pic here)
Drivers are linked to in a post here - http://xdaforums.com/showpost.php?p=16090025&postcount=115
QPST Showing download mode - http://xdaforums.com/showpost.php?p=16095167&postcount=164
In windows it finds it as a com port called Qualcomm HS-USB QDLoader 9008. Below is how the device is shown in linux:
Bus 001 Device 011: ID 05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)
Jul 29 03:46:05 unknown kernel: [ 3020.332185] usb 1-6: new high speed USB device using ehci_hcd and address 11
Jul 29 03:46:05 unknown kernel: [ 3020.466258] qcserial 1-6:1.0: Qualcomm USB modem converter detected
Jul 29 03:46:05 unknown kernel: [ 3020.466446] usb 1-6: Qualcomm USB modem converter now attached to ttyUSB1
Now that the phone is in download mode, we need a way to dump memory & find how to flash the good stuff. Some possibilities
Revskills v2.05.2 - Seems like the best possibility, but it doesnt have special ldr support (or i cant figure it out) . Read MEM in DWNMODE runs forevor but spits no file or anything out. Ive contacted these guys, hopefully its something stupid im doing seing i have no clue how to use this correctly.
*UPDATE* revskills guys actually contacted me and posted here! this looks _very_ goood for a perm brick fix and downgrade emethod
QPST will likely not work. see here http://xdaforums.com/showpost.php?p=16171089&postcount=292
RADIO SERIAL SHELL
In recovery we can obtain a AT-Command Interpreter shell. In stock recovery this option is enabled by default. with eng hboot you can use MFG kernel. This is talking directly to the radio. This method was originally found over here
to connect you can build a usb->ttl if you have a adrino board laying around. If your on a *NIX box you can also use usbserial module with instructions below:
adb reboot recovery
sudo apt-get install screen
sudo modprobe -r usbserial
lsusb | grep High
at this point youll see something similar to:
Bus 011 Device 011 ID 0bb4:0c03 High Tech Computer Corp
the first part before the : in ID is vendor, second part is product. put 0X before it and load usbserial
sudo modprobe usbserial vendor=0X0BB4 Product=0X0C03
now do
tail -n 100 -f /var/log/kern.log
look for the line usb 1-6: generic converter now attached to ttyUSB0
the ttyUSB is the device yuo want. press ctrl+c to kill the log outpupt
now do
sudo screen /dev/ttyUSB0
The commands we have gone through for AT Command interpreter shell are up here
OTHER HBOOT FUN:
SERIAL IN HBOOT/FASTBOOT
Currently impossible.
On our US release you cannot send commands to any other shell except our AT-Command shell. Every keypress will return FAILNot allowed. To do some fun stuff we really need to get this turned on. An example of typical hboot shell commands are over here http://tjworld.net/wiki/Android/HTC/Vision/HbootAnalysis
ENG HBOOT
this section is only available if you have S-OFF and have downgraded to ENG Hboot. xHausx has eng hboot up for flashing here - ?t=1192306
eng hboot enables a bunch more fastboot commands. here is the listing - http://pastebin.com/VEtcZgm3
--MFG KERNEL
the phone will seem to lock up if you do this, its cool just let it be and connect to a computer.
enables:
*USB Composit device/mass storage device
*Android Phone
*HTCDIAG ports (you will need drivers attached to post) - Connect QPST/QXDM to this
*HTC USB Modem. Same drivers as above. - connect to com port with putty, this is radio command interpreter shell. see above AT command listing
*Android USB device
QPST can connect to these ports and issue commands. it also seems to have morer areas of nvram unlocked.
SUPERCID
This should bypass CID checks on RUUs. this lets your phone accept any image. is this useful yet? havent found out
fastboot oem readcid
fastboot oem writecid 11111111
fastboot oem readcid
RTASK VALUES
This is how we can talk to different areas in fastboot. the command is:
fastboot oem rtask TASK
RTASK C - This loads up modem.mdt. It loads modem.b01 - b09 and then starts the modems.
Simunlock
There is a cdma section under simunlock. i cannot tell if this is related to security, but its looking for 3 files
1- config.dat from MCCMNC - you can use a patched version of hermes unlock to generate this with sprints MCCMNC (wiki it)
2- cid.txt - not exactly sure, it looks like its related to supercid, but it could be a sdcard cid (see below)
3-DMCID.dat - some keycard, but if you look on hboot page it looks like this was used to supercid. thats why unsure on #2
NB0 files
Typically nb0 files seem to be packed nbh looking at tools like android flasher it looks like it unpacks them first then fastboots.
also near the bottom you of hboot can see some things are called with zlib inflate.
i tried using something like offset file unzipper by luigi auriemma against hboot, it should scan and extract anything compressed, but it yielded nothing fun.
Attachments
Last edited: