
Goal: S-off HOX (TEGRA3)

backXslash
#21
QXDM

I poked a bit on my phone. It's the international version, HBOOT 1.30.0000 CID HTC__001.

Anyway, there's a fastboot command called "fastboot oem enableqxdm".

QXDM is a piece of software designed to talk directly with the modem. Has anyone looked at that avenue? If not, I intend to right now.

I'll post findings when I can.

---------- Post added at 04:15 PM ---------- Previous post was at 03:46 PM ----------

OK, turns out, (at least with my setup), the phone WILL allow you to enable QXDM mode. The command "fastboot oem enableqxdm 1" completes successfully.

Now I've just gotta get the phone into diagnostic mode. On CDMA phones, that's ##3424#, which obviously doesn't work on the One X+.

Any ideas?

casserly
#22
Quote:
Originally Posted by backXslash View Post
I poked a bit on my phone. It's the international version, HBOOT 1.30.0000 CID HTC__001.

Anyway, there's a fastboot command called "fastboot oem enableqxdm".

QXDM is a piece of software designed to talk directly with the modem. Has anyone looked at that avenue? If not, I intend to right now.

I'll post findings when I can.

---------- Post added at 04:15 PM ---------- Previous post was at 03:46 PM ----------

OK, turns out, (at least with my setup), the phone WILL allow you to enable QXDM mode. The command "fastboot oem enableqxdm 1" completes successfully.

Now I've just gotta get the phone into diagnostic mode. On CDMA phones, that's ##3424#, which obviously doesn't work on the One X+.

Any ideas?
If I understand your question correctly, and you mean the diagnostic menu, then I use: *#*#4636#*#*
Hopefully that's what you meant. Good luck.
 
galaxys2Tav
#23
Is this what should be activated?

Smashed with my rock one x from the stone ages
[Attached image: uploadfromtaptalk1356736151509.jpg]
The "THANKS" button is there for a reason; if I've helped you, feel free to show it please!

My Devices;
HTC One M8
HTC One M7
Galaxy tab 2 10.1 Stock Rooted
Galaxy S3 i9300
Galaxy S1 i9000 omniROM 4.3


backfromthestorm
#24
*#*#4636#*#*


Post of the century so far....
"but if it's really completely not understableable, it's annoying to reading such sentences...he should at least trying to use the right letters.. ! -.- ...but okay something like that has nothing to do with development so i wont write anything to that anymore"
 
backXslash
#25
Close, but no. QXDM will issue commands directly to the modem / radio chipset / what have you, and they're pretty much blindly obeyed, (so far as I know). That should allow you to change the CID or just straight up set S-OFF with the right command.

I've personally messed with QXDM and QSPT to repair and change low-level settings on an HTC Evo, to allow the phone to use the data connection on MetroPCS in the US. It does work. However, you have to put the radio / phone / chipset into "diagnostic" mode, where it enumerates as a service programming port, and can be seen by QXDM.

On the Evo, it's ##3424#, but that's a CDMA phone, not a GSM one. I have YET to see a GSM device where that works. But I do know the chipset does have an equivalent "diagnostic" mode. We've just gotta find the dialer code to turn it on.

---------- Post added at 01:52 AM ---------- Previous post was at 01:39 AM ----------

This may help: http://forum.xda-developers.com/show...79&postcount=2

That, and the thread it's from are about getting the GSM SGSIII into a diag mode to work with it in QPST.

I'll try it in the morning.

galaxys2Tav
#26
These are the codes that people have found; there are a lot more if you Google HTC dialpad codes
http://forum.xda-developers.com/show....php?t=1683634


 
nitrous²
(Last edited by nitrous²; 30th December 2012 at 04:41 PM.)
#27
Quote:
Originally Posted by Fightspit View Post
Is there anyone who did something special under the famous "red fastboot" mode ?

Let me remind you of the command to go into this mode:
adb reboot oem-34
Checked that. If you use getvar all in both modes you see a difference in bootmode. See the red marked lines:


If you use "adb reboot bootloader"
Code:
(bootloader) version: 0.5a
(bootloader) version-bootloader: 1.39.0000
(bootloader) version-baseband: 5.1204.162.29
(bootloader) version-cpld: None
(bootloader) version-microp: None
(bootloader) version-main: 3.14.401.31
(bootloader) serialno: SH26xxxxxxxx
(bootloader) imei: xxxxx60xx1xxxx0
(bootloader) product: endeavoru
(bootloader) platform: HBOOT-T30S
(bootloader) modelid: PJ4610000
(bootloader) cidnum: HTC__102
(bootloader) battery-status: good
(bootloader) battery-voltage: 4112mV
(bootloader) devpower: 100
(bootloader) partition-layout: None
(bootloader) security: on
(bootloader) build-mode: SHIP
(bootloader) boot-mode: FASTBOOT
(bootloader) commitno-bootloader: None
(bootloader) hbootpreupdate: 2
(bootloader) gencheckpt: 0
all: Done!
finished. total time: 0.855s
If you use "adb reboot oem-34"
Code:
(bootloader) version: 0.5a
(bootloader) version-bootloader: 1.39.0000
(bootloader) version-baseband: 5.1204.162.29
(bootloader) version-cpld: None
(bootloader) version-microp: None
(bootloader) version-main: 3.14.401.31
(bootloader) serialno: SH26xxxxxxxx
(bootloader) imei: xxxxx60xx1xxxx0
(bootloader) product: endeavoru
(bootloader) platform: HBOOT-T30S
(bootloader) modelid: PJ4610000
(bootloader) cidnum: HTC__102
(bootloader) battery-status: good
(bootloader) battery-voltage: 4004mV
(bootloader) devpower: 100
(bootloader) partition-layout: None
(bootloader) security: on
(bootloader) build-mode: SHIP
(bootloader) boot-mode: UNKNOWN
(bootloader) commitno-bootloader: None
(bootloader) hbootpreupdate: 2
(bootloader) gencheckpt: 0
all: Done!
finished. total time: 0.825s
Oh, and nice if you'd retweet this;

https://twitter.com/Xmoo/status/202386311577993216
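The comparison made by eye in the post above, done mechanically: a parser for `fastboot getvar all` output and a diff of two dumps. This is an added example, not code from the thread; the `VOLATILE` and `WATCHED` field groupings are assumptions, and the sample text is excerpted from the two dumps as posted.

```python
import re

# One "(bootloader) key: value" line of `fastboot getvar all` output.
LINE_RE = re.compile(r"^\(bootloader\)\s+([\w-]+):\s*(.*)$")

# Assumption: fields that drift between reads without any state change.
VOLATILE = frozenset({"battery-voltage", "battery-status", "devpower"})
# Assumption: fields worth alerting on when they differ from a baseline.
WATCHED = frozenset({"security", "build-mode", "boot-mode", "cidnum",
                     "version-main", "version-bootloader"})

# Excerpts of the two dumps posted above (serial and IMEI lines left out).
FASTBOOT_MODE = """\
(bootloader) version-bootloader: 1.39.0000
(bootloader) version-main: 3.14.401.31
(bootloader) cidnum: HTC__102
(bootloader) battery-voltage: 4112mV
(bootloader) security: on
(bootloader) build-mode: SHIP
(bootloader) boot-mode: FASTBOOT
all: Done!
finished. total time: 0.855s
"""
OEM34_MODE = FASTBOOT_MODE.replace("4112mV", "4004mV") \
    .replace("boot-mode: FASTBOOT", "boot-mode: UNKNOWN") \
    .replace("0.855s", "0.825s")

def parse_getvar(text):
    """Return {variable: value}; status lines without the prefix are skipped."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out[m.group(1)] = m.group(2).strip()
    return out

def diff_getvar(a_text, b_text, ignore=VOLATILE):
    """Return {variable: (value_a, value_b)} for every non-ignored difference."""
    a, b = parse_getvar(a_text), parse_getvar(b_text)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b))
            if k not in ignore and a.get(k) != b.get(k)}

def watched_changes(a_text, b_text):
    """Names of watched fields that differ between the two dumps."""
    return [k for k in diff_getvar(a_text, b_text) if k in WATCHED]

if __name__ == "__main__":
    for key, (old, new) in diff_getvar(FASTBOOT_MODE, OEM34_MODE).items():
        print(f"{key}: {old} -> {new}")
```

With the battery fields ignored, the only difference between the two posted dumps is `boot-mode`.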
 
Thunder07
(Last edited by Thunder07; 1st January 2013 at 03:15 PM.)
#28
Quote:
Originally Posted by abyss1888 View Post
Strange looking at photo on this site under radio none ?

Sent from my HTC One X using xda premium
mine says Thunder07....
I've established a while back, unintentionally, that the radio is flashed through the OS & not firmware anymore
one note though.... since the radioversion is probably stored on the same partition as mainver, CID & s-off/on status,
should we be able to hack in through radioversion we'd be able to change all of them...
don't ask me how, I'm just saying an exploit through radioversion, like crashing the bootloader somehow.... and trust me I tried (with no luck), will be able to either get APX or edit those values, at some stage before update mainver 2.17, I changed my mainver to 1.29000 which freshly screwed me out of updates until 2.17 came out :/
I've even tried to set my mainver as 2147483648 to crash it... still no luck


Quote:
Originally Posted by mike1986. View Post
Yes and no Under Settings in System Information ---> Kernel, baseband ---> you can see correct radio version. But in bootloader you can see radio version from the latest flashed OTA/RUU. So for now we don't know how to change that radio version...
Quote:
Originally Posted by thunder07 View Post
I know
it's more of a placebo though...
adb reboot oem-78
fastboot flash zip RadioHack.zip
fastboot reboot-bootloader
ya it doesn't really change the radio but version no.
Quote:
Originally Posted by hamdir View Post
hahah that's cool!

you just proved to me that the Radio is indeed the file QUO_6260.fls.clean included

bootloader require a simple text file to change

ROM requires an 8MB file to change the radio version

my money on the QUO_6260.fls.clean
Edit:
oh I should state, later on I tried to lower mainver which isn't really possible, it can only go higher... and if you go higher than the latest RUU version... you'll not be able to flash it or any lower RUU,

You could risk it and try setting your mainver as 99999999 and hopefully it has a safefail that will allow you to flash a lower main ver which I doubt..
the reason I concentrated on mainver is that all OTA/RUU use mainver as a reference,
also so hboot update xmoo/football released which I believe xmoo has confirmed to allow us to s-off are bound by a very low main ver 0.03 or something like that,
should we be able to get past mainver check, we'd be able to flash those hboot, s-off, supercid and flash a newer hboot keeping those status

Kholk came to the assumption that both mainver & radiover are stored as string/characters instead of integers which makes sense,
since I'm able to set radiover to Thunder07... this also makes it impossible to use integer 32bit max limit of 2147483647 to crash the bootloader

Device: HTC One X

 
mariusdroid
#29
i have the same exact as photo only s on

Quote:
Originally Posted by abyss1888 View Post
Strange looking at photo on this site under radio none ?

Sent from my HTC One X using xda premium
I have the same as the photo if you'd like me to test something.... except s-off
 
lenthele
#30
Quote:
Originally Posted by thunder07 View Post
mine says Thunder07....
I've established a while back, unintentionally, that the radio is flashed through the OS & not firmware anymore
one note though.... since the radioversion is probably stored on the same partition as mainver, CID & s-off/on status,
should we be able to hack in through radioversion we'd be able to change all of them...
don't ask me how, I'm just saying an exploit through radioversion, like crashing the bootloader somehow.... and trust me I tried (with no luck), will be able to either get APX or edit those values, at some stage before update mainver 2.17, I changed my mainver to 1.29000 which freshly screwed me out of updates until 2.17 came out :/
I've even tried to set my mainver as 2147483648 to crash it... still no luck

Edit:
oh I should state, later on I tried to lower mainver which isn't really possible, it can only go higher... and if you go higher than the latest RUU version... you'll not be able to flash it or any lower RUU,

You could risk it and try setting your mainver as 99999999 and hopefully it has a safefail that will allow you to flash a lower main ver which I doubt..
the reason I concentrated on mainver is that all OTA/RUU use mainver as a reference,
also so hboot update xmoo/football released which I believe xmoo has confirmed to allow us to s-off are bound by a very low main ver 0.03 or something like that,
should we be able to get past mainver check, we'd be able to flash those hboot, s-off, supercid and flash a newer hboot keeping those status

Kholk came to the assumption that both mainver & radiover are stored as string/characters instead of integers which makes sense,
since I'm able to set radiover to Thunder07... this also makes it impossible to use integer 32bit max limit of 2147483647 to crash the bootloader
Well, some days ago I think I managed to crash the bootloader. My bootloader was still locked then and I tried the writesecurityflag 0 command. I got an error and the bootloader interface froze. Could do nothing else than reboot the device.


Sent from my iPad using Tapatalk HD
Phone: HTC One X
ROM: Android Revolution HD 31.3 (Android 4.2.2)
Kernel: lONElyX #23 by lyapota
Mods: Camera Fix by HebeGuess
