Welcome to XDA

Search to go directly to your device's forum

Register an account

Unlock full posting privileges

Ask a question

No registration required
Thread Closed

[S-OFF]Development

OP xmoo

17th April 2012, 03:51 PM   |  #1  
xmoo's Avatar
OP Retired Recognized Developer
Flag Eindhoven
Thanks Meter: 1,796
 
5,314 posts
Join Date:Joined: Aug 2006
Donate to Me
More
Read post #2 before posting!!

So Football and me are busy with trying to get S-OFF for this Badboy, but it seems to be a hard job. Please be patient!
Code:
/*
 * Your warranty is now void.
 *
 * We are not responsible for bricked devices, dead SD cards,
 * thermonuclear war, or you getting fired because the alarm app failed. Please
 * do some research if you have any concerns about content included in this thread
 * read before doing anything! YOU are choosing to make these modifications, and if
 * you point the finger at me for messing up your device, We will laugh at you.
 *
 */

13-04-2012 XDA.CN releases pictures showing someone succesfully has S-OFF'd his device. Tool is for sale here: http://item.taobao.com/item.htm?id=10824156715
17-04-2012 Thread made.
17-04-2012 We have found someone with a S-OFF device, and a newer HBOOT than the one from XDA.CN. Trying to get access to the HBOOT.
18-04-2012 OTA 1.28 brings HBOOT 0.94.
18-04-2012 New member with a S-OFF device is willing to help.

19-04-2012 HBOOT 0.43 S-OFF rfs.img received and uploaded.
19-04-2012 RFS.img is not the correct file, searching continues...
19-04-2012 Radio located, click here
26-04-2012 HBOOT probably located here
15-05-2012 NVFlash app + APX Drivers added
12-06-2012 Tegra 3 Manual added, see here!
16-06-2012 HBOOT 1.11 from the test-keys uploaded here!
16-06-2012 Huge development, read more about it!
18-06-2012 Need to find a way to by-pass CID check.
19-06-2012 Football Partition list for One X with all addresses and lengths of partitions which can be found here.
27-06-2012 Huhge thread clean-up and update.
04-07-2012 Had the chance to play with a S-OFF device, read more about it here! ENG HBOOT which is used in test, is located here.
09-07-2012 Javacard with DIAG will work, but won't be a good solution cause no one got a legit Javacard and the DIAG files can't be leaked!
14-07-2012 Video added which shows the Javacard with DIAG method. Video can be found here.
14-07-2012 The ENG HBOOT 0.03 that Football uploaded lost it's sign. I re-uploaded it and re-checked the file and it should be good now. You can find the new .zip here.

HBOOT versions
Past: 0.03, 0.04, 0.32, 0.43, 0.94, 0.95, 0.96, 1.01
Current: 1.11

More to come, please stop PM'ing me!

Attached Files
File Type: zip NVFlash.zip - [Click for QR Code] (466.2 KB, 5352 views)
Last edited by xmoo; 18th July 2012 at 08:35 PM.
The Following 142 Users Say Thank You to xmoo For This Useful Post: [ View ]
17th April 2012, 03:52 PM   |  #2  
xmoo's Avatar
OP Retired Recognized Developer
Flag Eindhoven
Thanks Meter: 1,796
 
5,314 posts
Join Date:Joined: Aug 2006
Donate to Me
More
FAQ.
What is S-OFF?
S-OFF stands for Security-OFF
S-OFF means that the NAND portion of the device is unlocked and can be written to. The default setting for HTC’s devices is S-ON, which means that neither can you access certain areas of the system nor can you guarantee a permanent root. Furthermore, signature check for firmware images is also ensured by the S-ON flag.

What has already been done?
-Tried flashing DIAG file, but with no success. File needs SuperCID.
-Tried flashing ENG HBOOT as zip file, but with no success. File needs SuperCID.
-Tried flashing modified DIAG file, but with no success. File needs SuperCID.
-Tried flashing modified HBOOT as zip file, but with no success. Signature check failed.
-Tried creating a Goldcard, but won't work. The Goldcare is for Qualcomm devices.
-Root while phone is LOCKED, won't work. Only will work on the Qualcomm One X and One XL.
-Ask the Chineese guy with the S-OFF tool. Won't share, cause he needs his money.
-Tried flashing files over recovery, but with no success.
-Tried flashing TETS and MFG ROMs, but with no success. Phone needs S-OFF because the ROMS are not sighned.
-Tried changing CID, but won't work. Only will work on the Qualcomm One X and One XL.
-Tried commands over ADB, but with no success.
-Tried XTC clip, won't work.

How Do I Know If My Device Is S-ON Or S-OFF?
That is easy to verify. Simply boot into HBOOT (bootloader) on your device, and the text on top will show the flag status as either S-OFF or S-ON. A full root generally means S-OFF.


S-OFF – What And Why?
HTC have installed a sort of security check whose level is determined by S-OFF/S-ON. Essentially, this security level is a flag stored on the device’s radio that checks signature images for any firmware before it is allowed to be written to system memory. This hinders using any custom ROMs, splash images, recovery etc., and also restricts access to the NAND flash memory. However, when security level is set to S-OFF, the signature check is bypassed, allowing a user to upload custom firmware images, unsigned boot, recovery, splash and HBOOT images, as well as official firmware that has been modified, this enabling maximum customization of your HTC Android device.

Furthermore, S-OFF also reduces restrictions on accessing the NAND flash memory on the device, allowing all partitions (including /system) to be mounted in write mode while the operating system is booted.

Where is it located?
Don't know yet, here are the partitions.

How can I flash through SD?
Tutorial added here!

What HBOOT status have we seen so far?
ENDEAVORU PVT SHIP S-ON RL
ENDEAVORU PVT SHIP S-OFF RL
ENDEAVORU PVT ENG S-OFF RL
ENDEAVORU XE ENG S-OFF RH
ENDEAVORU PVT MFG RH
ENDEAVORU XE SHIP S-OFF RH
ENDEAVORU UNKNOWN ENG S-OFF RH

Partition list for One X with all addresses and lengths of partitions
Football share the full list which can be found here.

How does HTC do it?
They do it with a smartcard/javacard/goldcard (What ever you want to call it) in combination with the DIAG file. Proof is in the attachment.
Attached Thumbnails
Click image for larger version

Name:	s1.JPG
Views:	11259
Size:	65.8 KB
ID:	1158969   Click image for larger version

Name:	s2.JPG
Views:	9190
Size:	31.1 KB
ID:	1158970  
Last edited by xmoo; 1st July 2012 at 05:58 PM.
The Following 60 Users Say Thank You to xmoo For This Useful Post: [ View ]
17th April 2012, 03:52 PM   |  #3  
mike1986.'s Avatar
Senior Member
XDA-Developers
Thanks Meter: 71,811
 
37,313 posts
Join Date:Joined: Mar 2009
Donate to Me
More
Something more:

/system/etc/Flash_Loader.conf

boot_port_name=/dev/ttyACMX0
fw_download_port_name=/dev/ttyACMX0
baudrate=921600
BootTimeOut=3000
CommTimeOut=1000
eep_normal_mode=m
file_name=/data/modem_work/QUO_6260.fls
#file_name=QUO_6260.fls
#file_name=XMM6260_SIC.fls
#log_fname=/dev/null
log_fname=/data/modem_work/Flash_Loader.log
also

\system\bin\poweron_modem_fls.sh

Line 55: /system/bin/InjectionTool -i ${backup_dir}/QUO_6260.fls.clean -o ${Injected_dir}/QUO_6260.fls -n ${work_dir} -s ${sec_dir}
Line 55: /system/bin/InjectionTool -i ${backup_dir}/QUO_6260.fls.clean -o ${Injected_dir}/QUO_6260.fls -n ${work_dir} -s ${sec_dir}
and

\system\bin\poweron_modem_hboot.sh

Line 50: /system/bin/InjectionTool -i ${backup_dir}/QUO_6260.fls.clean -o ${Injected_dir}/QUO_6260.fls -n ${work_dir} -s ${sec_dir}
Line 50: /system/bin/InjectionTool -i ${backup_dir}/QUO_6260.fls.clean -o ${Injected_dir}/QUO_6260.fls -n ${work_dir} -s ${sec_dir}
And from flash_loader.log

Start downloading item 'CODE:../HW/XMM6260_V2_USB-HSIC_FLASHLESS_EDE_1.0/MODEM_DEBUG/QUO_6260.fls'' from file '/data/modem_work/QUO_6260.fls
Last edited by mike1986.; 19th April 2012 at 12:59 PM.
The Following 23 Users Say Thank You to mike1986. For This Useful Post: [ View ]
17th April 2012, 03:53 PM   |  #4  
N3m3515's Avatar
Senior Member
Thanks Meter: 44
 
346 posts
Join Date:Joined: Sep 2008
More
ah finally someone is looking into this

good luck for you two
Last edited by N3m3515; 17th April 2012 at 03:56 PM.
17th April 2012, 04:18 PM   |  #5  
Goku80's Avatar
Senior Member
Flag Within the Matrix
Thanks Meter: 6,589
 
9,411 posts
Join Date:Joined: Mar 2012
More
great news and finally...looking forward to this and do not mind holding off a while longer
17th April 2012, 04:20 PM   |  #6  
xmoo's Avatar
OP Retired Recognized Developer
Flag Eindhoven
Thanks Meter: 1,796
 
5,314 posts
Join Date:Joined: Aug 2006
Donate to Me
More
Hmz the radio version 1.1204.92 seems to be the missing link between the 1.26 and 1.28 (CN) ROM. So guess this HBOOT is from 1.27
The Following User Says Thank You to xmoo For This Useful Post: [ View ]
17th April 2012, 06:08 PM   |  #7  
Member
Thanks Meter: 6
 
34 posts
Join Date:Joined: May 2008
Hmm would buying this tool be helpful to the development of this? Just not sure if this fake or not

Sent from my HTC One X using XDA
17th April 2012, 06:17 PM   |  #8  
Senior Member
Flag Dublin
Thanks Meter: 101
 
1,319 posts
Join Date:Joined: Feb 2006
More
Quote:
Originally Posted by lckuok

Hmm would buying this tool be helpful to the development of this? Just not sure if this fake or not

Sent from my HTC One X using XDA

Was thinking about the same... but that page is all unreadable to me. Whats the price?
17th April 2012, 06:27 PM   |  #9  
Senior Member
Flag Hanoi
Thanks Meter: 87
 
764 posts
Join Date:Joined: Oct 2007
Quote:
Originally Posted by schriss

Was thinking about the same... but that page is all unreadable to me. Whats the price?

Its price is 200 yuan equivalent to 30 usd
17th April 2012, 06:34 PM   |  #10  
Junior Member
Thanks Meter: 25
 
27 posts
Join Date:Joined: Jan 2012
I think they just help you s-off your device and charge 200

Sent from my HTC One X using xda premium

Thread Closed Subscribe to Thread

Tags
exploits, s-off
Previous Thread Next Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes