Good news everyone. I got my hands on an S103 Jig and worked out how to use it. I now have UART.
Time to do some reverse engineering and see how this box works.
Oh man that's great! Please keep us updated on what you learn
If only you had a snapdragon device and could help with an unlock
I am currently working on re-doing my blog so that I have a nice place to share my findings.
As for the Snapdragon devices, there are probably some significant changes to the architecture, but I would be happy to give it a go if someone would send one my way. Alas, I don't see this happening any time soon, so you are out of luck for now, I'm afraid.
A write-up is perfect. If you can lay out what you know and learn I can simply duplicate it.
I'm not so sure. Perhaps you might get UART, but I imagine that there is a lot of reverse engineering required to exploit the bootloader in a way to unlock it?
I'm comfortable taking a look at that part provided I don't have to figure out the rest.
I have sourced a supplier for S103 jigs, as well as USB-C service cables. $250/jig, $75/cable. Think there would be some interest here?
Hi,
Are you sure the s103 works on the g950u? If yes I'm 100% down.
Contact me on Skype : [email protected]
Looks like the resistor(s) are actually inside the AnyWay box, instead of the usb-c plug.
As you can see in the pinout diagram, line CC is connected to the DB25 header which in turn connected to the box.
So, if anyone has the AnyWay box, the usb-c test cable, and an ohm meter they can simply measure the resistance between ground and pin 23 of the DB25 header. This way we could replicate a test cable without the expensive test jig.
I have played around with the "standard" test resistor values (300k, 523k, 619k etc) between line CC and Gnd, but wasn't able to get any results, not even download mode using a 300k resistor which works on all micro-usb phones. Either usb-c is using different values or there's something else we're missing here.
However, an interesting observation I've made is that when flashed with combination firmware, the phone accepts most of these low level uart/modem test commands through the usb-c modem port (not the usb-serial port!) via a standard terminal (sometimes they need to be sent a couple of times for it to take, and also dialed *#0*# for test mode):
AT+DEVROOTK=1,0
AT+GMM (Model number)
AT+HWINDICK (CPID S7 and newer)
AT+MSLSECUR=1,0
AT+PRECONFG=1,0
AT+SW=1,0
AT+VERSNAME=1,0
AT+AIRPLANEVALUE
AT+BATGETLEVEL?
AT+CIMI
AT+DEVCONINFO (Long info)
AT+FACTORST (Warning: Forces a factory reset!)
AT+FUS? (DL mode)
AT+GSN - IMEI
AT+IMEINUM
AT+SERIALNO
AT+SIZECHECK (Storage info)
AT+SIZECHECK=1,0 (Storage info)
AT+SVCIFPGM=1,1 (Short Info)
AT+SWDLMODE
AT+SWVER=1,0
AT+SWVERSION=1,0
AT+SYSSCOPE=1,0
AT+WPROTECT=1,0
Read commands:
AT+<command> - read
AT+<command>? - read
AT+<command>=1,0 - read
For example:
AT+PRECONFG=1,0 - reads CSC config
Write commands:
AT+<command>=2,<info> - write
For example:
AT+PRECONFG=2,XAS - writes CSC config
Hope someone steps up to the plate and gives us the correct resistor value between CC and GND on usb-c.
Thanks in advance.
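The read and write forms listed in the post above can be used to review a saved terminal log for commands that changed device state. This is an added example, not part of the original post: the sample log is constructed, and treating every `=1,` form as a read and any mode other than 1 or 2 as unknown are assumptions.

```python
import re

# Forms as listed in the post: AT+<command>, AT+<command>? and AT+<command>=1,0
# are reads; AT+<command>=2,<info> is a write.
AT_LINE = re.compile(r"^AT\+([A-Z]+)(\?|=(\d+),(.*))?$")
# Flagged in the post as state-changing regardless of form ("Forces a factory reset!").
SIDE_EFFECT = {"FACTORST"}


def classify(line):
    """Return (command, kind, argument) for one AT line, or None if it is not one."""
    m = AT_LINE.match(line.strip())
    if not m:
        return None
    name, suffix, mode, arg = m.groups()
    if name in SIDE_EFFECT:
        return name, "destructive", arg
    if suffix is None or suffix == "?":
        return name, "read", None
    if mode == "1":  # assumption: any =1,<n> form is a read
        return name, "read", arg
    if mode == "2":
        return name, "write", arg
    return name, "unknown", arg  # mode not described in the post


def audit(lines):
    """Return (line_number, command, kind, argument) for every non-read command."""
    findings = []
    for n, line in enumerate(lines, 1):
        result = classify(line)  # responses such as "OK" return None
        if result is not None and result[1] != "read":
            findings.append((n, *result))
    return findings


# Constructed sample session log (command names from the post, responses are placeholders).
SAMPLE_LOG = """AT+GMM
OK
AT+FUS?
AT+PRECONFG=1,0
AT+PRECONFG=2,XAS
OK
AT+FACTORST
AT+SWVER=3,0
""".splitlines()

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```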
These look an awful lot like the commands that go to the modem via RIL from IOTHIDDENMENU when you look at the Decompiled source code. This is VERY interesting to me, as there are some things that the app seems to block that could potentially be very promising indeed.
Thank you for sharing! This is the best post on high tech investigation into the s8 I've seen on xda yet.
No problem... I've noticed that some commands work on both uart and modem ports, while others only work on one or the other.