Goal: S-off HOX (TEGRA3)

OP Lloir

28th December 2012, 10:15 PM | #21
backXslash (Member, 30 posts, joined Jun 2009)
QXDM
I poked a bit on my phone. It's the international version, HBOOT 1.30.0000 CID HTC__001.

Anyway, there's a fastboot command called "fastboot oem enableqxdm".

QXDM is a piece of software designed to talk directly with the modem. Has anyone looked at that avenue? If not, I intend to right now.

I'll post findings when I can.

---------- Post added at 04:15 PM ---------- Previous post was at 03:46 PM ----------

OK, turns out (at least with my setup) the phone WILL allow you to enable QXDM mode. The command "fastboot oem enableqxdm 1" completes successfully.

Now I've just gotta get the phone into diagnostic mode. On CDMA phones, that's ##3424#, which obviously doesn't work on the One X+.

Any ideas?
The Following 3 Users Say Thank You to backXslash For This Useful Post
28th December 2012, 11:14 PM | #22
Member, Stockholm (31 posts, joined Jan 2011)
Quote:
Originally Posted by backXslash

I poked a bit on my phone. It's the international version, HBOOT 1.30.0000 CID HTC__001.

Anyway, there's a fastboot command called "fastboot oem enableqxdm".

QXDM is a piece of software designed to talk directly with the modem. Has anyone looked at that avenue? If not, I intend to right now.

I'll post findings when I can.

---------- Post added at 04:15 PM ---------- Previous post was at 03:46 PM ----------

OK, turns out (at least with my setup) the phone WILL allow you to enable QXDM mode. The command "fastboot oem enableqxdm 1" completes successfully.

Now I've just gotta get the phone into diagnostic mode. On CDMA phones, that's ##3424#, which obviously doesn't work on the One X+.

Any ideas?

If I understand your question correctly, and you mean the diagnostic menu, then I use: *#*#4636#*#*
Hopefully that's what you meant. Good luck.
29th December 2012, 12:09 AM | #23
galaxys2Tav (Senior Member, Scarborough, UK, 1,312 posts, joined Oct 2011)
Is this what should be activated?

Smashed with my rock one x from the stone ages
[Attached image: uploadfromtaptalk1356736151509.jpg]
The Following User Says Thank You to galaxys2Tav For This Useful Post
29th December 2012, 01:05 AM | #24
backfromthestorm (Senior Member, 739 posts, joined Jul 2011)
*#*#4636#*#*
29th December 2012, 07:52 AM | #25
backXslash (Member, 30 posts, joined Jun 2009)
Close, but no. QXDM will issue commands directly to the modem / radio chipset / what have you, and they're pretty much blindly obeyed, (so far as I know). That should allow you to change the CID or just straight up set S-OFF with the right command.

I've personally messed with QXDM and QPST to repair and change low-level settings on an HTC Evo, to allow the phone to use the data connection on MetroPCS in the US. It does work. However, you have to put the radio / phone / chipset into "diagnostic" mode, where it enumerates as a service programming port and can be seen by QXDM.

On the Evo, it's ##3424#, but that's a CDMA phone, not a GSM one. I have YET to see a GSM device where that works. But I do know the chipset does have an equivalent "diagnostic" mode. We've just gotta find the dialer code to turn it on.

---------- Post added at 01:52 AM ---------- Previous post was at 01:39 AM ----------

This may help: http://forum.xda-developers.com/show...79&postcount=2

That, and the thread it's from, are about getting the GSM SGSIII into a diag mode to work with it in QPST.

I'll try it in the morning.
The Following 5 Users Say Thank You to backXslash For This Useful Post
29th December 2012, 11:13 AM | #26
galaxys2Tav (Senior Member, Scarborough, UK, 1,312 posts, joined Oct 2011)
These are the codes that people have found; there are a lot more if you Google "htc dialpad codes".
http://forum.xda-developers.com/show....php?t=1683634

Smashed with my rock one x from the stone ages
The Following User Says Thank You to galaxys2Tav For This Useful Post
30th December 2012, 04:25 PM | #27
nitrous² (Senior Member, Baltimore, 966 posts, joined Jun 2010)
Quote:
Originally Posted by Fightspit

Is there anyone who did something special under the famous "red fastboot" mode ?

Let me remind you of the command to go into this mode:
adb reboot oem-34

Checked that. If you use getvar all in both modes you see a difference in boot-mode. See the red-marked lines:

If you use "adb reboot bootloader"
Code:
(bootloader) version: 0.5a
(bootloader) version-bootloader: 1.39.0000
(bootloader) version-baseband: 5.1204.162.29
(bootloader) version-cpld: None
(bootloader) version-microp: None
(bootloader) version-main: 3.14.401.31
(bootloader) serialno: SH26xxxxxxxx
(bootloader) imei: xxxxx60xx1xxxx0
(bootloader) product: endeavoru
(bootloader) platform: HBOOT-T30S
(bootloader) modelid: PJ4610000
(bootloader) cidnum: HTC__102
(bootloader) battery-status: good
(bootloader) battery-voltage: 4112mV
(bootloader) devpower: 100
(bootloader) partition-layout: None
(bootloader) security: on
(bootloader) build-mode: SHIP
(bootloader) boot-mode: FASTBOOT
(bootloader) commitno-bootloader: None
(bootloader) hbootpreupdate: 2
(bootloader) gencheckpt: 0
all: Done!
finished. total time: 0.855s
If you use "adb reboot oem-34"
Code:
(bootloader) version: 0.5a
(bootloader) version-bootloader: 1.39.0000
(bootloader) version-baseband: 5.1204.162.29
(bootloader) version-cpld: None
(bootloader) version-microp: None
(bootloader) version-main: 3.14.401.31
(bootloader) serialno: SH26xxxxxxxx
(bootloader) imei: xxxxx60xx1xxxx0
(bootloader) product: endeavoru
(bootloader) platform: HBOOT-T30S
(bootloader) modelid: PJ4610000
(bootloader) cidnum: HTC__102
(bootloader) battery-status: good
(bootloader) battery-voltage: 4004mV
(bootloader) devpower: 100
(bootloader) partition-layout: None
(bootloader) security: on
(bootloader) build-mode: SHIP
(bootloader) boot-mode: UNKNOWN
(bootloader) commitno-bootloader: None
(bootloader) hbootpreupdate: 2
(bootloader) gencheckpt: 0
all: Done!
finished. total time: 0.825s
Oh, and it'd be nice if you'd retweet this:

https://twitter.com/Xmoo/status/202386311577993216
Last edited by nitrous²; 30th December 2012 at 05:41 PM.
The Following 4 Users Say Thank You to nitrous² For This Useful Post
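The two getvar dumps above differ in more than one field, and reading them side by side by eye is error-prone. The following is an added example (not code from the thread or from HTC's tools): a small Python parser for the `(bootloader) key: value` lines that fastboot prints, plus a diff that ignores volatile fields like battery voltage so that only meaningful changes (here `boot-mode`) surface. The two captures embedded below are trimmed copies of the outputs posted in this thread; the list of "security-relevant" fields is the example's own choice.

```python
"""Parse and diff two `fastboot getvar all` captures.

Added example, not code from the thread. It parses the `(bootloader) key: value`
lines that fastboot prints, returns them as a dict, and reports which keys
differ between two captures, so a reader can see at a glance what changes
between `adb reboot bootloader` and `adb reboot oem-34` besides battery voltage.
The two captures below are trimmed copies of the outputs posted in the thread.
"""
import re

LINE_RE = re.compile(r"^\(bootloader\)\s+([^:]+):\s*(.*)$")

# Fields a reader checks first when assessing a bootloader's posture; this
# selection is the example's own, not an HTC-defined list.
SECURITY_FIELDS = ("security", "build-mode", "boot-mode", "cidnum", "version-bootloader")

# Fields that drift between any two captures and are noise for a comparison.
VOLATILE_FIELDS = {"battery-voltage", "battery-status", "devpower"}


def parse_getvar(text):
    """Return a dict of key -> value from getvar output.

    Lines that are not `(bootloader) key: value` (e.g. `all: Done!` or the
    timing line) are ignored. Keys are lower-cased and stripped.
    """
    vars_ = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            vars_[m.group(1).strip().lower()] = m.group(2).strip()
    return vars_


def diff_getvar(a, b, ignore=VOLATILE_FIELDS):
    """Return {key: (value_in_a, value_in_b)} for keys whose values differ.

    A key present in only one capture shows the missing side as None.
    Keys listed in `ignore` are skipped entirely.
    """
    out = {}
    for key in sorted(set(a) | set(b)):
        if key in ignore:
            continue
        va, vb = a.get(key), b.get(key)
        if va != vb:
            out[key] = (va, vb)
    return out


def security_summary(vars_):
    """Pick out the security-relevant fields (None if a field is absent)."""
    return {k: vars_.get(k) for k in SECURITY_FIELDS}


# Trimmed copies of the two captures posted in the thread.
CAPTURE_BOOTLOADER = """\
(bootloader) version: 0.5a
(bootloader) version-bootloader: 1.39.0000
(bootloader) product: endeavoru
(bootloader) cidnum: HTC__102
(bootloader) battery-voltage: 4112mV
(bootloader) security: on
(bootloader) build-mode: SHIP
(bootloader) boot-mode: FASTBOOT
all: Done!
finished. total time: 0.855s
"""

CAPTURE_OEM34 = """\
(bootloader) version: 0.5a
(bootloader) version-bootloader: 1.39.0000
(bootloader) product: endeavoru
(bootloader) cidnum: HTC__102
(bootloader) battery-voltage: 4004mV
(bootloader) security: on
(bootloader) build-mode: SHIP
(bootloader) boot-mode: UNKNOWN
all: Done!
finished. total time: 0.825s
"""

if __name__ == "__main__":
    a = parse_getvar(CAPTURE_BOOTLOADER)
    b = parse_getvar(CAPTURE_OEM34)
    for key, (va, vb) in diff_getvar(a, b).items():
        print(f"{key}: {va!r} -> {vb!r}")
    print(security_summary(b))
```

Run against the full dumps, the only non-volatile difference reported is `boot-mode: 'FASTBOOT' -> 'UNKNOWN'`; `security` stays `on` in both modes, which is the quick way to confirm that oem-34 by itself changes nothing about the device's S-ON state.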
1st January 2013, 03:59 PM | #28
Thunder07 (Recognized Contributor / Recognized Developer, 1,320 posts, joined Sep 2007)
Quote:
Originally Posted by abyss1888

Strange: looking at the photo on this site, under Radio it says None?

Sent from my HTC One X using xda premium

mine says Thunder07....
I've established a while back, unintentionally, that the radio is flashed through the OS & not the firmware anymore.
One note though.... since the radioversion is probably stored on the same partition as mainver, CID & S-OFF/ON status,
should we be able to hack in through radioversion we'd be able to change all of them...
Don't ask me how, I'm just saying an exploit through radioversion, like crashing the bootloader somehow.... and trust me I tried (with no luck), would be able to either get APX or edit those values. At some stage before update mainver 2.17, I changed my mainver to 1.29000 which freshly screwed me out of updates until 2.17 came out :/
I've even tried to set my mainver as 2147483648 to crash it... still no luck


Quote:
Originally Posted by mike1986.

Yes and no. Under Settings, in System Information ---> Kernel, baseband ---> you can see the correct radio version. But in the bootloader you see the radio version from the latest flashed OTA/RUU. So for now we don't know how to change that radio version...

Quote:
Originally Posted by thunder07

I know,
it's more of a placebo though...

adb reboot oem-78
fastboot flash zip RadioHack.zip
fastboot reboot-bootloader
Yeah, it doesn't really change the radio, just the version no.

Quote:
Originally Posted by hamdir

hahah that's cool!

you just proved to me that the Radio is indeed the included file QUO_6260.fls.clean

the bootloader requires a simple text file to change

the ROM requires an 8MB file to change the radio version

my money's on QUO_6260.fls.clean

Edit:
Oh, I should state, later on I tried to lower mainver, which isn't really possible; it can only go higher... and if you go higher than the latest RUU version, you'll not be able to flash it or any lower RUU.

You could risk it and try setting your mainver as 99999999 and hopefully it has a failsafe that will allow you to flash a lower mainver, which I doubt..
The reason I concentrated on mainver is that all OTA/RUU use mainver as a reference,
also the hboot updates xmoo/football released, which I believe xmoo has confirmed to allow us to S-OFF, are bound by a very low mainver, 0.03 or something like that;
should we be able to get past the mainver check, we'd be able to flash those hboots, S-OFF, SuperCID and flash a newer hboot keeping those statuses.

Kholk came to the assumption that both mainver & radiover are stored as strings/characters instead of integers, which makes sense
since I'm able to set radiover to Thunder07... this also makes it impossible to use the integer 32-bit max limit of 2147483647 to crash the bootloader.
Last edited by Thunder07; 1st January 2013 at 04:15 PM.
The Following 6 Users Say Thank You to Thunder07 For This Useful Post
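The post above makes two observations worth seeing in code: mainver is used by OTA/RUU packages as an anti-rollback reference ("it can only go higher"), and both mainver and radiover appear to be stored as strings rather than integers, which is why a 32-bit integer limit has no bearing on them. The following is an added example, not code from the thread and not HTC's actual check: a generic dotted-version comparison of the kind an update tool uses for a rollback check, showing how string and numeric comparison disagree on values like the thread's "2.17" and "1.29000", and how an unparseable value such as "Thunder07" should be rejected rather than compared. The version "2.9" and the function names are constructed for the example.

```python
"""Dotted-version comparison for a mainver-style anti-rollback check.

Added example, not code from the thread. The thread observes that mainver is
stored as a string and that update packages compare against it. This shows
why lexicographic (string) and numeric comparison disagree on version strings,
and how a robust check parses the string into integer fields and treats
unparseable values (like "Thunder07") as invalid instead of silently comparing
them. The check is a generic pattern, not HTC's actual bootloader logic.
"""
import re

FIELD_RE = re.compile(r"^\d+$")


def parse_version(s):
    """'3.14.401.31' -> (3, 14, 401, 31); None if any field is not all digits."""
    parts = s.strip().split(".")
    if not parts or not all(FIELD_RE.match(p) for p in parts):
        return None
    return tuple(int(p) for p in parts)


def compare_versions(a, b):
    """Return -1, 0 or 1 (like strcmp) comparing a and b numerically field by field.

    Shorter tuples are padded with zeros so that '2.17' == '2.17.0'.
    Raises ValueError if either side does not parse.
    """
    ta, tb = parse_version(a), parse_version(b)
    if ta is None or tb is None:
        raise ValueError(f"unparseable version: {a!r} / {b!r}")
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def lexicographic_compare(a, b):
    """Plain string comparison, kept here only to contrast with the numeric one."""
    return (a > b) - (a < b)


def rollback_check(installed, candidate):
    """Classify an update package's main version against the installed one.

    Returns 'ok' (same or newer), 'downgrade' (older), or 'invalid' (either
    value does not parse as a dotted version). A real update tool refuses
    everything but 'ok'; rejecting 'invalid' is what keeps a stored string
    like 'Thunder07' from being silently accepted.
    """
    try:
        c = compare_versions(candidate, installed)
    except ValueError:
        return "invalid"
    return "downgrade" if c < 0 else "ok"


if __name__ == "__main__":
    # Constructed samples modelled on the thread: 2.17 is newer than 2.9 numerically,
    # but a naive string compare says the opposite because '1' < '9'.
    print(compare_versions("2.17", "2.9"), lexicographic_compare("2.17", "2.9"))
    print(rollback_check("3.14.401.31", "2.17"))   # downgrade
    print(rollback_check("2.17", "3.14.401.31"))   # ok
    print(rollback_check("3.14.401.31", "Thunder07"))  # invalid
```

Because the parsed fields are Python integers, a value such as 2147483648 compares perfectly well here; that mirrors the thread's point that a string-stored version gives an integer overflow nothing to act on. A check that instead did `int()` into a fixed-width C type, or compared the raw strings, would be the weak variant of this code.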
1st January 2013, 05:13 PM | #29
mariusdroid (Senior Member, Roma, 455 posts, joined May 2011)
My phone is exactly the same as the photo, only S-ON
Quote:
Originally Posted by abyss1888

Strange: looking at the photo on this site, under Radio it says None?

Sent from my HTC One X using xda premium

I have the same as the photo if you'd like me to test something.... except S-OFF
1st January 2013, 06:43 PM | #30
lenthele (Senior Member, 305 posts, joined Nov 2010)
Quote:
Originally Posted by thunder07

mine says Thunder07....
I've established a while back, unintentionally, that the radio is flashed through the OS & not the firmware anymore.
One note though.... since the radioversion is probably stored on the same partition as mainver, CID & S-OFF/ON status,
should we be able to hack in through radioversion we'd be able to change all of them...
Don't ask me how, I'm just saying an exploit through radioversion, like crashing the bootloader somehow.... and trust me I tried (with no luck), would be able to either get APX or edit those values. At some stage before update mainver 2.17, I changed my mainver to 1.29000 which freshly screwed me out of updates until 2.17 came out :/
I've even tried to set my mainver as 2147483648 to crash it... still no luck

Edit:
Oh, I should state, later on I tried to lower mainver, which isn't really possible; it can only go higher... and if you go higher than the latest RUU version, you'll not be able to flash it or any lower RUU.

You could risk it and try setting your mainver as 99999999 and hopefully it has a failsafe that will allow you to flash a lower mainver, which I doubt..
The reason I concentrated on mainver is that all OTA/RUU use mainver as a reference,
also the hboot updates xmoo/football released, which I believe xmoo has confirmed to allow us to S-OFF, are bound by a very low mainver, 0.03 or something like that;
should we be able to get past the mainver check, we'd be able to flash those hboots, S-OFF, SuperCID and flash a newer hboot keeping those statuses.

Kholk came to the assumption that both mainver & radiover are stored as strings/characters instead of integers, which makes sense
since I'm able to set radiover to Thunder07... this also makes it impossible to use the integer 32-bit max limit of 2147483647 to crash the bootloader.

Well, some days ago I think I managed to crash the bootloader. My bootloader was still locked then and I tried the writesecurityflag 0 command. I got an error and the bootloader interface froze. I could do nothing but reboot the device.


Sent from my iPad using Tapatalk HD
