
[S-OFF]Development

xmoo
(Last edited by xmoo; 18th July 2012 at 07:35 PM.)
#1

Read post #2 before posting!!

So Football and I are busy trying to get S-OFF for this Badboy, but it seems to be a hard job. Please be patient!
Code:
/*
 * Your warranty is now void.
 *
 * We are not responsible for bricked devices, dead SD cards,
 * thermonuclear war, or you getting fired because the alarm app failed. Please
 * do some research if you have any concerns about content included in this thread
 * read before doing anything! YOU are choosing to make these modifications, and if
 * you point the finger at me for messing up your device, We will laugh at you.
 *
 */

13-04-2012 XDA.CN releases pictures showing someone has successfully S-OFF'd his device. Tool is for sale here: http://item.taobao.com/item.htm?id=10824156715
17-04-2012 Thread made.
17-04-2012 We have found someone with a S-OFF device, and a newer HBOOT than the one from XDA.CN. Trying to get access to the HBOOT.
18-04-2012 OTA 1.28 brings HBOOT 0.94.
18-04-2012 New member with a S-OFF device is willing to help.

19-04-2012 HBOOT 0.43 S-OFF rfs.img received and uploaded.
19-04-2012 RFS.img is not the correct file, searching continues...
19-04-2012 Radio located, click here
26-04-2012 HBOOT probably located here
15-05-2012 NVFlash app + APX Drivers added
12-06-2012 Tegra 3 Manual added, see here!
16-06-2012 HBOOT 1.11 from the test-keys uploaded here!
16-06-2012 Huge development, read more about it!
18-06-2012 Need to find a way to by-pass CID check.
19-06-2012 Football Partition list for One X with all addresses and lengths of partitions which can be found here.
27-06-2012 Huge thread clean-up and update.
04-07-2012 Had the chance to play with a S-OFF device, read more about it here! ENG HBOOT which is used in test, is located here.
09-07-2012 Javacard with DIAG will work, but won't be a good solution cause no one got a legit Javacard and the DIAG files can't be leaked!
14-07-2012 Video added which shows the Javacard with DIAG method. Video can be found here.
14-07-2012 The ENG HBOOT 0.03 that Football uploaded lost its sign. I re-uploaded it and re-checked the file and it should be good now. You can find the new .zip here.

HBOOT versions
Past: 0.03, 0.04, 0.32, 0.43, 0.94, 0.95, 0.96, 1.01
Current: 1.11

More to come, please stop PM'ing me!

Attached Files: NVFlash.zip (466.2 KB)
 
xmoo
(Last edited by xmoo; 1st July 2012 at 04:58 PM.)
#2
FAQ.
What is S-OFF?
S-OFF stands for Security-OFF
S-OFF means that the NAND portion of the device is unlocked and can be written to. The default setting for HTC’s devices is S-ON, which means that neither can you access certain areas of the system nor can you guarantee a permanent root. Furthermore, signature check for firmware images is also ensured by the S-ON flag.

What has already been done?
-Tried flashing DIAG file, but with no success. File needs SuperCID.
-Tried flashing ENG HBOOT as zip file, but with no success. File needs SuperCID.
-Tried flashing modified DIAG file, but with no success. File needs SuperCID.
-Tried flashing modified HBOOT as zip file, but with no success. Signature check failed.
-Tried creating a Goldcard, but won't work. The Goldcard is for Qualcomm devices.
-Root while phone is LOCKED, won't work. Only will work on the Qualcomm One X and One XL.
-Asked the Chinese guy with the S-OFF tool. Won't share, cause he needs his money.
-Tried flashing files over recovery, but with no success.
-Tried flashing TEST and MFG ROMs, but with no success. Phone needs S-OFF because the ROMs are not signed.
-Tried changing CID, but won't work. Only will work on the Qualcomm One X and One XL.
-Tried commands over ADB, but with no success.
-Tried XTC clip, won't work.

How Do I Know If My Device Is S-ON Or S-OFF?
That is easy to verify. Simply boot into HBOOT (bootloader) on your device, and the text on top will show the flag status as either S-OFF or S-ON. A full root generally means S-OFF.


S-OFF – What And Why?
HTC have installed a sort of security check whose level is determined by S-OFF/S-ON. Essentially, this security level is a flag stored on the device's radio that checks signature images for any firmware before it is allowed to be written to system memory. This hinders using any custom ROMs, splash images, recovery etc., and also restricts access to the NAND flash memory. However, when the security level is set to S-OFF, the signature check is bypassed, allowing a user to upload custom firmware images, unsigned boot, recovery, splash and HBOOT images, as well as official firmware that has been modified, thus enabling maximum customization of your HTC Android device.

Furthermore, S-OFF also reduces restrictions on accessing the NAND flash memory on the device, allowing all partitions (including /system) to be mounted in write mode while the operating system is booted.

Where is it located?
Don't know yet, here are the partitions.

How can I flash through SD?
Tutorial added here!

What HBOOT status have we seen so far?
ENDEAVORU PVT SHIP S-ON RL
ENDEAVORU PVT SHIP S-OFF RL
ENDEAVORU PVT ENG S-OFF RL
ENDEAVORU XE ENG S-OFF RH
ENDEAVORU PVT MFG RH
ENDEAVORU XE SHIP S-OFF RH
ENDEAVORU UNKNOWN ENG S-OFF RH
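As an added example (not from the thread or any HTC tool), a small Python parser for HBOOT status lines like the ones listed above, which extracts the S-ON/S-OFF flag and reports whether the bootloader still enforces firmware signature checks. The field order (codename, build stage, build type, optional security flag, radio mode) is an assumption drawn from these lines; the line without any S flag is handled explicitly.

```python
# Added example, not from the thread. Parses HBOOT header lines such as
# "ENDEAVORU PVT SHIP S-ON RL" and reports the signature-enforcement state.
# Field layout is assumed from the status lines quoted in the FAQ.
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

SECURITY_FLAGS = ("S-ON", "S-OFF")


@dataclass(frozen=True)
class HbootStatus:
    codename: str              # e.g. ENDEAVORU
    build_stage: str           # PVT, XE, UNKNOWN ...
    build_type: str            # SHIP, ENG, MFG
    security: Optional[str]    # "S-ON", "S-OFF", or None if the line has no flag
    radio_mode: str            # RL / RH


def parse_hboot_status(line: str) -> HbootStatus:
    """Split one HBOOT header line into its fields.

    The security flag is found by value, not by position, because one line in
    the thread ("ENDEAVORU PVT MFG RH") carries no S-ON/S-OFF token at all.
    """
    tokens = line.split()
    if len(tokens) < 4:
        raise ValueError(f"unexpected HBOOT status line: {line!r}")
    security = next((t for t in tokens if t in SECURITY_FLAGS), None)
    rest = [t for t in tokens if t not in SECURITY_FLAGS]
    return HbootStatus(rest[0], rest[1], rest[2], security, rest[-1])


def enforces_signature_check(status: HbootStatus) -> Optional[bool]:
    """True for S-ON (unsigned firmware rejected), False for S-OFF,
    None when the header gives no flag and nothing can be concluded."""
    if status.security is None:
        return None
    return status.security == "S-ON"


def audit(lines: Iterable[str]) -> Dict[str, str]:
    """Inventory helper: only a SHIP build with S-ON counts as the stock
    security posture; ENG/MFG builds or S-OFF devices are flagged."""
    report = {}
    for line in lines:
        s = parse_hboot_status(line)
        stock = s.build_type == "SHIP" and s.security == "S-ON"
        report[line] = "stock" if stock else "non-stock"
    return report
```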

Partition list for One X with all addresses and lengths of partitions
Football shared the full list, which can be found here.

How does HTC do it?
They do it with a smartcard/javacard/goldcard (What ever you want to call it) in combination with the DIAG file. Proof is in the attachment.
Attached Thumbnails: s1.JPG (65.8 KB), s2.JPG (31.1 KB)
 
mike1986.
(Last edited by mike1986.; 19th April 2012 at 11:59 AM.)
#3
Something more:

/system/etc/Flash_Loader.conf

boot_port_name=/dev/ttyACMX0
fw_download_port_name=/dev/ttyACMX0
baudrate=921600
BootTimeOut=3000
CommTimeOut=1000
eep_normal_mode=m
file_name=/data/modem_work/QUO_6260.fls
#file_name=QUO_6260.fls
#file_name=XMM6260_SIC.fls
#log_fname=/dev/null
log_fname=/data/modem_work/Flash_Loader.log
also

\system\bin\poweron_modem_fls.sh

Line 55: /system/bin/InjectionTool -i ${backup_dir}/QUO_6260.fls.clean -o ${Injected_dir}/QUO_6260.fls -n ${work_dir} -s ${sec_dir}
and

\system\bin\poweron_modem_hboot.sh

Line 50: /system/bin/InjectionTool -i ${backup_dir}/QUO_6260.fls.clean -o ${Injected_dir}/QUO_6260.fls -n ${work_dir} -s ${sec_dir}
And from flash_loader.log

Start downloading item 'CODE:../HW/XMM6260_V2_USB-HSIC_FLASHLESS_EDE_1.0/MODEM_DEBUG/QUO_6260.fls'' from file '/data/modem_work/QUO_6260.fls


 
N3m3515
(Last edited by N3m3515; 17th April 2012 at 02:56 PM.)
#4
ah finally someone is looking into this

good luck for you two
 
Goku80
#5
great news and finally...looking forward to this and do not mind holding off a while longer
 
xmoo
#6
Hmz the radio version 1.1204.92 seems to be the missing link between the 1.26 and 1.28 (CN) ROM. So guess this HBOOT is from 1.27
 
lckuok
#7
Hmm, would buying this tool be helpful to the development of this? Just not sure if this is fake or not.
 
schriss
#8
Quote:
Originally Posted by lckuok View Post
Hmm, would buying this tool be helpful to the development of this? Just not sure if this is fake or not.
Was thinking about the same... but that page is all unreadable to me. What's the price?
 
ancola66
#9
Quote:
Originally Posted by schriss View Post
Was thinking about the same... but that page is all unreadable to me. Whats the price?
Its price is 200 yuan, equivalent to 30 USD.
 
evilNathan
#10
I think they just help you s-off your device and charge 200

Tags: exploits, s-off
THREAD CLOSED