XDA Developers Android and Mobile Development Forum

[WIP] Download mode, Radio Serial Shells, Eng Hboot and more! *GETTING CLOSE TO DONE*

TrevE
(Last edited by TrevE; 31st July 2011 at 05:15 PM.) Reason: UPDATING FOR REVSKILL DOWNLOAD MODE INFO
#1  

Now that S-Off is official, I will be working mostly on download mode and other low levels of the phone. Download mode is exciting for permanent brick fixes and future protection if this S-Off method is patched.

DOWNLOAD MODE
Mystery port is now identified. It is how to get the phone in download mode!
There is a two-holed port next to the volume up button that new eMMC devices all seem to have. Pictures of the front and back of the board lined up and overlaid are here

evo3d schematics - posted here



Now to connect to it I hooked up to it with a serial -> TTL board from geeetech.com, jumping VDD, TXD (later found out not needed) and hooking up RXD and GND. GND is going to the right hole, RXD the left hole. Also the device is plugged in with another cable to the micro-USB port. Is a TTL board required or can you just hack up another cable? We don't know. Someone needs to figure out exactly how this triggers that mode; the theory was it's some kind of resistance or something that this board has, because shorting the pins just makes me reboot, but I know nothing about electronics so PLEASE someone else jump in.


There are pictures of how I got the phone in download mode up here and the wires I used (you don't need to jump VDD/TXD, only RXD/GND was required) - http://forum.xda-developers.com/show...&postcount=168

Here is a more detailed explanation and pics if you're still confused - http://forum.xda-developers.com/show...&postcount=242

Windows should ask to install drivers (pic here)

Drivers are linked to in a post here - http://forum.xda-developers.com/show...&postcount=115

QPST Showing download mode - http://forum.xda-developers.com/show...&postcount=164


In Windows it finds it as a COM port called Qualcomm HS-USB QDLoader 9008. Below is how the device is shown in Linux:
Quote:
Bus 001 Device 011: ID 05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)

Jul 29 03:46:05 unknown kernel: [ 3020.332185] usb 1-6: new high speed USB device using ehci_hcd and address 11
Jul 29 03:46:05 unknown kernel: [ 3020.466258] qcserial 1-6:1.0: Qualcomm USB modem converter detected
Jul 29 03:46:05 unknown kernel: [ 3020.466446] usb 1-6: Qualcomm USB modem converter now attached to ttyUSB1

Now that the phone is in download mode, we need a way to dump memory and find how to flash the good stuff. Some possibilities:

Revskills v2.05.2 - Seems like the best possibility, but it doesn't have special ldr support (or I can't figure it out). Read MEM in DWNMODE runs forever but spits no file or anything out. I've contacted these guys; hopefully it's something stupid I'm doing, seeing I have no clue how to use this correctly.

*UPDATE* revskills guys actually contacted me and posted here! This looks _very_ good for a perm brick fix and downgrade method.


QPST will likely not work. See here http://forum.xda-developers.com/show...&postcount=292

QPST Memory Debug/Software download/gang flash - Build 355 of memory debug throws an unknown NAK response so I'm kind of stuck here; kind of a chicken-and-egg situation, I can't just download something to the phone without having the files. Once we get something to flash this should work.



RADIO SERIAL SHELL
In recovery we can obtain an AT-Command Interpreter shell. In stock recovery this option is enabled by default. With eng hboot you can use the MFG kernel. This is talking directly to the radio. This method was originally found over here

To connect you can build a USB->TTL if you have an Arduino board laying around. If you're on a *NIX box you can also use the usbserial module with the instructions below:

Quote:
Originally posted by TrevE:
adb reboot recovery
sudo apt-get install screen
sudo modprobe -r usbserial
lsusb | grep High

At this point you'll see something similar to:
Bus 011 Device 011 ID 0bb4:0c03 High Tech Computer Corp

The first part before the : in ID is the vendor, the second part is the product. Put 0x before each and load usbserial
sudo modprobe usbserial vendor=0x0bb4 product=0x0c03

Now do
tail -n 100 -f /var/log/kern.log

Look for the line usb 1-6: generic converter now attached to ttyUSB0

The ttyUSB is the device you want. Press Ctrl+C to kill the log output.

Now do
sudo screen /dev/ttyUSB0
The commands we have gone through for the AT Command interpreter shell are up here


OTHER HBOOT FUN:

SERIAL IN HBOOT/FASTBOOT

Currently impossible.

On our US release you cannot send commands to any other shell except our AT-Command shell. Every keypress will return FAILNot allowed. To do some fun stuff we really need to get this turned on. Examples of typical hboot shell commands are over here http://tjworld.net/wiki/Android/HTC/.../HbootAnalysis

ENG HBOOT
This section is only available if you have S-OFF and have downgraded to ENG Hboot. xHausx has eng hboot up for flashing here - ?t=1192306

Eng hboot enables a bunch more fastboot commands. Here is the listing - http://pastebin.com/VEtcZgm3

--MFG KERNEL
The phone will seem to lock up if you do this; it's fine, just let it be and connect to a computer.

Enables:
*USB Composite device/mass storage device
*Android Phone
*HTCDIAG ports (you will need the drivers attached to this post) - connect QPST/QXDM to this
*HTC USB Modem. Same drivers as above. - connect to the COM port with PuTTY; this is the radio command interpreter shell. See the AT command listing above
*Android USB device

QPST can connect to these ports and issue commands. It also seems to have more areas of NVRAM unlocked.

SUPERCID
This should bypass CID checks on RUUs. This lets your phone accept any image. Is this useful yet? Haven't found out.

Quote:
fastboot oem readcid
fastboot oem writecid 11111111
fastboot oem readcid

RTASK VALUES
This is how we can talk to different areas in fastboot. the command is:
fastboot oem rtask TASK

RTASK C - This loads up modem.mdt. It loads modem.b01 - b09 and then starts the modems.







Simunlock
There is a CDMA section under simunlock. I cannot tell if this is related to security, but it's looking for 3 files

1- config.dat from MCCMNC - you can use a patched version of hermes unlock to generate this with Sprint's MCCMNC (wiki it)

2- cid.txt - not exactly sure; it looks like it's related to supercid, but it could be an sdcard CID (see below)

3- DMCID.dat - some keycard, but if you look on the hboot page it looks like this was used to supercid. That's why I'm unsure on #2

NB0 files

Typically nb0 files seem to be packed NBH; looking at tools like Android Flasher, it looks like it unpacks them first and then fastboots them.

Also near the bottom of hboot you can see some things are called with zlib inflate.
Quote:
inflate 1.2.3 Copyright 1995-2005 Mark Adler
I tried using something like offset file unzipper by Luigi Auriemma against hboot; it should scan and extract anything compressed, but it yielded nothing fun.
Attached file: HTCDiagDrivers.zip (118.1 KB)
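The usbserial steps above, as an added shell example that is not part of TrevE's post: it pulls the vendor/product IDs out of an lsusb line and the ttyUSB node out of the kernel log instead of retyping them, and builds the modprobe line with the parameter names the module actually accepts (lowercase vendor and product). The sample lsusb and kern.log lines are constructed, the function names are assumptions, and nothing here loads a module: the tail of the script only prints the commands you would then run as root.

```shell
#!/bin/sh
# Added example (not from TrevE's post): the usbserial steps as small shell
# functions. Sample lsusb / kern.log lines below are constructed to look like
# the ones in the post; real values come from your own machine.

# "Bus 011 Device 011: ID 0bb4:0c03 High Tech Computer Corp" -> "0bb4 0c03"
# (works with or without the ':' after the device number).
usb_ids_from_lsusb() {
    printf '%s\n' "$1" |
        sed -n 's/.*ID \([0-9a-fA-F]\{4\}\):\([0-9a-fA-F]\{4\}\).*/\1 \2/p'
}

# Build the modprobe line. The module parameters are lowercase 'vendor' and
# 'product'; a capitalised 'Product' is not a recognised parameter, so the
# generic driver would never be told which product ID to bind to.
usbserial_modprobe_cmd() {
    set -- $(usb_ids_from_lsusb "$1")
    [ $# -eq 2 ] || return 1
    printf 'modprobe usbserial vendor=0x%s product=0x%s\n' "$1" "$2"
}

# Read kernel log text on stdin and print the device node the generic
# converter was attached to (last match wins if the device re-enumerated).
tty_from_kernlog() {
    sed -n 's|.*generic converter now attached to \(ttyUSB[0-9][0-9]*\).*|/dev/\1|p' | tail -n 1
}

# Constructed sample input (not real captures).
SAMPLE_LSUSB='Bus 011 Device 011: ID 0bb4:0c03 High Tech Computer Corp'
SAMPLE_KERNLOG='Jul 27 21:00:01 host kernel: [  100.100000] usbcore: registered new interface driver usbserial_generic
Jul 27 21:00:01 host kernel: [  100.100100] usb 1-6: generic converter now attached to ttyUSB0'

# Dry run: the command sequence from the post with the values filled in.
echo 'adb reboot recovery'
echo 'modprobe -r usbserial'
usbserial_modprobe_cmd "$SAMPLE_LSUSB"
echo "screen $(printf '%s\n' "$SAMPLE_KERNLOG" | tty_from_kernlog)"
```

On a real box you would feed `lsusb | grep High` into usbserial_modprobe_cmd and `tail -n 100 /var/log/kern.log` into tty_from_kernlog; the functions only parse text, so they can be tried against saved output first.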
 
TrevE
(Last edited by TrevE; 30th July 2011 at 04:02 AM.) Reason: GOT PHONE IN DOWNLOAD MODE
#2  
OTHER INFO:

How to make raw eMMC backups

While the device is booted you can read and extract partitions from the main /dev/block/mmcblk0. This will work regardless of S-ON/S-OFF.

To back up the entire device -
dd if=/dev/block/mmcblk0 of=/sdcard/mmcblk0.img

To back up just a partition -
Here are the partitions we know about
Quote:
mmcblk0p34: "misc"
mmcblk0p22: "recovery"
mmcblk0p21: "boot"
mmcblk0p23: "system"
mmcblk0p32: "local"
mmcblk0p25: "cache"
mmcblk0p24: "userdata"
mmcblk0p28: "devlog"
mmcblk0p30: "pdata"
mmcblk0p18: "radio"
mmcblk0p19: "radio_config"
mmcblk0p26: "modem_st1"
mmcblk0p27: "modem_st2"
mmcblk0p8: "wimax"
mmcblk0p33: "udata_wimax"
To back up a partition you'll need the following information:
Code:
       Device Boot    Start       End   #sectors  Id  System
    mmcblk0.img1   *         1       256        256  4d  QNX4.x
    mmcblk0.img2           257       768        512  51  OnTrack DM6 Aux1
    mmcblk0.img3           769     65502      64734  5d  Unknown
    mmcblk0.img4         65503   4718590    4653088   5  Extended
    mmcblk0.img5         65504     65535         32  5a  Unknown
    mmcblk0.img6         65537     66048        512  73  Unknown
    mmcblk0.img7         66050     82356      16307   0  Empty
    mmcblk0.img8         82358    106934      24577  7e  Unknown
    mmcblk0.img9        106936    107447        512   0  Empty
    mmcblk0.img10       107449    109496       2048  45  Unknown
    mmcblk0.img11       109498    110009        512  47  Unknown
    mmcblk0.img12       110011    114106       4096  46  Unknown
    mmcblk0.img13       114108    116155       2048  4c  Unknown
    mmcblk0.img14       116157    116220         64   0  Empty
    mmcblk0.img15       116222    128509      12288  34  Unknown
    mmcblk0.img16       128511    130558       2048  36  Unknown
    mmcblk0.img17       130560    131071        512  76  Unknown
    mmcblk0.img18       131073    212992      81920  77  Unknown
    mmcblk0.img19       212994    229374      16381  74  Unknown
    mmcblk0.img20       229376    262143      32768   0  Empty
    mmcblk0.img21       262145    294912      32768  48  Unknown
    mmcblk0.img22       294914    327679      32766  71  Unknown
    mmcblk0.img23       327681   1966078    1638398  83  Linux
    mmcblk0.img24      1966080   4412897    2446818  83  Linux
    mmcblk0.img25      4412899   4639697     226799  83  Linux
    mmcblk0.img26      4639699   4647890       8192  4a  Unknown
    mmcblk0.img27      4647892   4656083       8192  4b  Unknown
    mmcblk0.img28      4656085   4697044      40960  19  Unknown
    mmcblk0.img29      4697046   4697053          8   0  Empty
    mmcblk0.img30      4697055   4697566        512  23  Unknown
    mmcblk0.img31      4697568   4697599         32   0  Empty
    mmcblk0.img32      4697601   4700161       2561  33  Unknown
    mmcblk0.img33      4700163   4716543      16381  7e  Unknown
    mmcblk0.img34      4716545   4718589       2045  76  Unknown
The command to extract a single partition out of mmcblk0:
Quote:
dd if=/dev/block/mmcblk0 of=/sdcard/imagename.img skip=blockstart count=#sectors
Say you wanted mmcblk0p19 radio_config. You would use the following command
Quote:
dd if=/dev/block/mmcblk0 of=/sdcard/radioconfig.img skip=212994 count=16381
You can also change the above command to use dd if=/sdcard/imagename.img and extract partitions from a full mmcblk0 dump.





Goldcarding
Will this help with downgrading or anything? No.

1 - Download goldcard helper from the market.
2 - Note the reverse CID for mmc1.
3 - Go to http://psas.revskills.de/?q=goldcard and put in the reverse CID exactly.
4 - Download a hex editor. Windows can use HxD (http://mh-nexus.de/en/downloads.php?product=HxD) but any hex editor that can write to disk will be OK.
5 - Open HxD without your sdcard in. Go to Extra -> Open Disk and note what is there under removable devices.
6 - Attach the SD card and go to the new physical disk, NOT the logical disk. Uncheck read-only; when it asks, sector size is 512.
7 - Now go to File -> Open and open the goldcard img you got in email from revskill.
8 - Your goldcard img will be from offsets 00000000 - 00000170. Copy it all.
9 - Now go over to the physical disk of your sdcard. Select the same 00000000 - 00000170 sectors and paste-write in the goldcard info (it should overwrite the existing sectors; if it inserts this before existing data you did it wrong).
10 - Press save, now reboot the phone. If you did it right your sdcard will still be accessible. If you did it wrong you'll get a message that you need to format.

Now try downgrading with a pg86img.zip and let us know; hopefully you won't get a version mismatch and it will let you flash a lower RUU.
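The partition extraction described above, as an added shell example that is not part of TrevE's post: it looks a partition up by the names listed in the post and builds the dd command from the fdisk table, so skip and count are not retyped by hand, and computes the byte size the dump should have. It assumes the partition numbers and table rows posted above (only a subset of rows is embedded), /dev/block/mmcblk0 as the device, and 512-byte sectors, which is also dd's default block size; bs=512 is passed explicitly so that assumption is visible. The function names are assumptions.

```shell
#!/bin/sh
# Added example (not from TrevE's post): build the dd command for a named
# partition from the posted fdisk table instead of copying numbers by hand.

# Partition number -> name, as listed in the post.
PART_NAMES='34 misc
22 recovery
21 boot
23 system
32 local
25 cache
24 userdata
28 devlog
30 pdata
18 radio
19 radio_config
26 modem_st1
27 modem_st2
8 wimax
33 udata_wimax'

# Subset of the posted fdisk table: number start end #sectors. Add the
# remaining rows the same way; sectors are 512 bytes.
PART_TABLE='18 131073 212992 81920
19 212994 229374 16381
21 262145 294912 32768
22 294914 327679 32766
23 327681 1966078 1638398'

# Print "start count" (in sectors) for a partition name; fail if unknown.
part_geometry() {
    num=$(printf '%s\n' "$PART_NAMES" | awk -v n="$1" '$2 == n { print $1 }')
    [ -n "$num" ] || return 1
    printf '%s\n' "$PART_TABLE" |
        awk -v p="$num" '$1 == p { print $2, $4; found = 1 } END { exit found ? 0 : 1 }'
}

# The dd command from the post. With bs=512 the table's start and #sectors
# map straight onto skip and count.
dd_command() {
    geom=$(part_geometry "$1") || return 1
    set -- "$1" $geom
    printf 'dd if=/dev/block/mmcblk0 of=/sdcard/%s.img bs=512 skip=%s count=%s\n' "$1" "$2" "$3"
}

# Byte size the dump must have; compare with `ls -l` to catch a short read.
expected_bytes() {
    geom=$(part_geometry "$1") || return 1
    set -- $geom
    echo $(( $2 * 512 ))
}

dd_command radio_config
expected_bytes radio_config
```

Run it in adb shell on the phone, or on a PC against a full mmcblk0.img by changing the if= path; the expected size check is what tells you a partition dump is complete before you rely on it as a backup.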
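Step 9 of the goldcard procedure above, as an added shell example that is not part of TrevE's post, done with dd instead of HxD: it writes the image in place and checks the two things steps 9 and 10 hinge on, that the bytes are overwritten rather than inserted, and that they stop before the MBR partition table at byte offset 446 (0x1BE), which the post's 00000000 - 00000170 range does. That is why a correct write leaves the card readable and a shifted or oversized one makes the phone ask to format. The goldcard image and the 1 MiB "disk" in the demo are constructed files, and the function names are assumptions; on a real card the disk would be the physical device node, not a partition.

```shell
#!/bin/sh
# Added example (not from TrevE's post): write a goldcard image in place with
# dd and verify the MBR partition table survived.

PART_TABLE_OFFSET=446   # 0x1BE: first of the four MBR partition entries

# Overwrite the first bytes of DISK with IMG. Refuses an image that would
# reach the partition table. conv=notrunc keeps the rest of the disk intact
# (a plain redirect would replace the whole file, i.e. "insert", not overwrite).
write_goldcard_image() {
    img=$1; disk=$2
    size=$(wc -c < "$img")
    [ "$size" -gt 0 ] && [ "$size" -le "$PART_TABLE_OFFSET" ] || return 1
    dd if="$img" of="$disk" bs=1 conv=notrunc 2>/dev/null
}

# Check the write: the first bytes of DISK equal IMG, and the 64 table bytes
# plus the 2-byte boot signature match the copy saved before the write.
verify_goldcard_write() {
    img=$1; disk=$2; saved_table=$3
    size=$(wc -c < "$img")
    head -c "$size" "$disk" | cmp -s "$img" - || return 1
    dd if="$disk" bs=1 skip="$PART_TABLE_OFFSET" count=66 2>/dev/null | cmp -s - "$saved_table"
}

# End-to-end demo on constructed files; prints "ok" when every check passes.
demo_goldcard() {
    dir=$(mktemp -d) || return 1
    # 1 MiB zeroed "disk" with a recognisable fake partition table region
    dd if=/dev/zero of="$dir/disk" bs=1024 count=1024 2>/dev/null
    awk 'BEGIN { for (i = 0; i < 66; i++) printf "P" }' |
        dd of="$dir/disk" bs=1 seek="$PART_TABLE_OFFSET" conv=notrunc 2>/dev/null
    dd if="$dir/disk" bs=1 skip="$PART_TABLE_OFFSET" count=66 2>/dev/null > "$dir/table.before"
    # 368-byte (0x170) constructed goldcard image, and an oversized one
    awk 'BEGIN { for (i = 0; i < 368; i++) printf "G" }' > "$dir/goldcard.img"
    awk 'BEGIN { for (i = 0; i < 512; i++) printf "X" }' > "$dir/toobig.img"
    # the oversized image must be refused before anything is written
    if write_goldcard_image "$dir/toobig.img" "$dir/disk"; then rm -rf "$dir"; return 1; fi
    write_goldcard_image "$dir/goldcard.img" "$dir/disk" || { rm -rf "$dir"; return 1; }
    verify_goldcard_write "$dir/goldcard.img" "$dir/disk" "$dir/table.before" || { rm -rf "$dir"; return 1; }
    rm -rf "$dir"
    echo ok
}

demo_goldcard
```

Against a real card you would first save the 66 bytes at offset 446 with the same dd line used in the demo, run write_goldcard_image on the physical device, then verify_goldcard_write; a failed verify is the dd equivalent of step 10's "you need to format" message, caught before the card goes back into the phone.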
 
Bentenrai
#3  
Quote:
Originally posted by TrevE:
What's next?

I need to figure out why eng wrote and EU didn't.

Possible brave method?

Do we have a radio from the eng build? I have found the other pieces but can't seem to obtain this. Maybe we can swap down to eng with everything signed (hboot/radio/boot/recovery) all at once. This is very scary though, seeing just hboot left a brick. We know you can't flash eng with S-ON, but maybe a matching radio would fix it?
Interesting notion. Also, good thread, thanks. I'll see what I can do. Just to clarify, you're talking about keeping the eng radio and signing it in a pack with the other EU parts?

Sent from my PG86100 using XDA App
 
TrevE
(Last edited by TrevE; 27th July 2011 at 06:02 PM.)
#4  
Quote:
Originally posted by Bentenrai:
Interesting notion. Also, good thread, thanks. I'll see what I can do. Just to clarify, you're talking about keeping the eng radio and signing it in a pack with the other EU parts?

Sent from my PG86100 using XDA App
Here's what I think is going on

The bootloader is the first thing loaded. From the hboot analysis page I linked above it looks like it controls all the locking. When we loaded eng it flashed because it disabled security, but then the radio came expecting S-ON, couldn't do it and gave the big middle finger. If we had the radio image, bootloader, boot, recovery all from eng it might line up and work. When we loaded the Europe hboot security was still enabled so nothing flashed.

Also if eng actually flashes and DOES disable sig checking, could we just flash a zeroed-out image of radio, boot, whatever's signed, get into just hboot, unlock mmc, S-OFF, all that fun stuff, then run a RUU up to a ROM? I think there's still a few possibilities; I'm willing to play, just want to get some input first.
 
Bentenrai
#5  
Okay well I'm at work at Radio Shack. I'll be here till about 9 my time. I'll be reading up on some stuff while it's slow, and I'll work on it tonight. Out of curiosity, think there's anything of use at Radio Shack? Our store is closing down so I probably can get a lot of old cables, connectors, boards etc. for cheap to free.

Sent from my PG86100 using XDA App
 
Bentenrai
#6  
Also try PMing that guy with a friend with S-OFF, I seem to remember. Get a dump of the eng radio.

Sent from my PG86100 using XDA App
 
pinky059
#7  
Quote:
Originally posted by TrevE:
Here's what I think is going on

The bootloader is the first thing loaded. From the hboot analysis page I linked above it looks like it controls all the locking. When we loaded eng it flashed because it disabled security, but then the radio came expecting S-ON, couldn't do it and gave the big middle finger. If we had the radio image, bootloader, boot, recovery all from eng it might line up and work. When we loaded the Europe hboot security was still enabled so nothing flashed.

Also if eng actually flashes and DOES disable sig checking, could we just flash a zeroed-out image of radio, boot, whatever's signed, get into just hboot, unlock mmc, S-OFF, all that fun stuff, then run a RUU up to a ROM? I think there's still a few possibilities; I'm willing to play, just want to get some input first.
From what I have read, the Kernel, the Radio and the HBOOT must all agree on the S-OFF or S-ON state. They basically all verify each other and check the security status. This may work based on the idea that they all verify each other.
 
Bentenrai
(Last edited by Bentenrai; 27th July 2011 at 07:36 PM.)
#8  
Quote:
Originally posted by pinky059:
From what I have read, the Kernel, the Radio and the HBOOT must all agree on the S-OFF or S-ON state. They basically all verify each other and check the security status. This may work based on the idea that they all verify each other.
Does anybody know where the security flags are for each?

Edit: Did anyone ever get a dump of that S-OFF phone? Also I know download times are slow with free uploaders; I have 10 gigs at my site (brpstudios.com) and can host files there. PM me if I can help on that front as well.

Sent from my PG86100 using XDA App
 
kthejoker20
#9  
Quote:
Originally posted by TrevE:
RADIO SERIAL SHELL
In recovery we can obtain an AT-Command Interpreter shell. This is talking directly to the radio. This method was originally found over here

To connect you can build a USB->TTL if you have an Arduino board laying around; you just need ground, TXD, RXD. When I powered my board it just thought it was AC so I didn't hook up the red pair and all seemed well. If you're on a *NIX box you can also use the usbserial module with the instructions below:


This is what I said at the beginning of June, but I was flamed off the board for being a "noob" and that this wouldn't work. Sigh.... and then they wonder why I don't contribute.

BTW... nice to see you over here TrevE.
 
zonyl
(Last edited by zonyl; 27th July 2011 at 08:14 PM.)
#10  
Quote:
Originally posted by TrevE:
Right now the only way we have gotten anything to flash is by swapping SD cards in the bootloader. Basically you let it verify a real PG86IMG.zip, plug it into AC, pull the battery and SD card and put a fake image in. I explained about making the images and everything - here


Downgrading to ENG (not a good idea currently; we were able to write eng but it ended in a brick) - http://forum.xda-developers.com/show...&postcount=740

Upgrading to EU - Now this one has me stumped. It looks like the EU hboot has more modes enabled for USB (see below quote), and it looks like our board is supported along with several other phone models (from here). We tried the sdcard swap method; it flashed, said OK, but left with stock hboot still. The method we used I explained here

Now why can we downgrade to eng, but not upgrade to a supported hboot at a higher version?
How did you verify the ENG HBoot actually flashed to the device using a card swap? This may have more likely been a case that the re-flash of stock Hboot that was likely occurring was interrupted and left the device in a corrupt state.

In other words I don't think flashing anything unsigned using an SD card swap has worked.
