[HARDWARE] UART Cable time

partcyborg

Recognized Developer
Jun 23, 2017
2,543
2,271
163
Good news everyone. I got my hands on an S103 Jig and worked out how to use it. I now have UART :D Time to do some reverse engineering and see how this box works.
Oh man that's great! Please keep us updated on what you learn

If only you had a Snapdragon device and could help with an unlock?
 

happytomato

Senior Member
Apr 27, 2006
71
29
38
Stockholm
www.spolglan.se
I am currently working on re-doing my blog so that I have a nice place to share my findings.

As for the Snapdragon devices, there are probably some significant changes to the architecture, but I would be happy to give it a go if someone would send one my way. Alas, I don't see this happening any time soon, so you are out of luck for now, I'm afraid :(
 

partcyborg

A write-up is perfect. If you can lay out what you know and learn I can simply duplicate it :)
 

happytomato

I'm not so sure. Perhaps you might get UART, but I imagine that there is a lot of reverse engineering required to exploit the bootloader in a way to unlock it?
 

billa

Senior Member
Mar 30, 2006
720
351
83
Looks like the resistor(s) are actually inside the AnyWay box, instead of the usb-c plug.
As you can see in the pinout diagram, line CC is connected to the DB25 header, which in turn is connected to the box.
So, if anyone has the AnyWay box, the usb-c test cable, and an ohm meter they can simply measure the resistance between ground and pin 23 of the DB25 header. This way we could replicate a test cable without the expensive test jig.

I have played around with the "standard" test resistor values (300k, 523k, 619k etc) between line CC and Gnd, but wasn't able to get any results, not even download mode using a 300k resistor which works on all micro-usb phones. Either usb-c is using different values or there's something else we're missing here.
However, an interesting observation I've made is that when flashed with combination firmware, the phone accepts most of these low level uart/modem test commands through the usb-c modem port (not the usb-serial port!) via a standard terminal (sometimes they need to be sent a couple of times for it to take, and also dialed *#0*# for test mode):

AT+DEVROOTK=1,0
AT+GMM (Model number)
AT+HWINDICK (CPID S7 and newer)
AT+MSLSECUR=1,0
AT+PRECONFG=1,0
AT+SW=1,0
AT+VERSNAME=1,0
AT+AIRPLANEVALUE
AT+BATGETLEVEL?
AT+CIMI
AT+DEVCONINFO (Long info)
AT+FACTORST (Warning: Forces a factory reset!)
AT+FUS? (DL mode)
AT+GSN - IMEI
AT+IMEINUM
AT+SERIALNO
AT+SIZECHECK (Storage info)
AT+SIZECHECK=1,0 (Storage info)
AT+SVCIFPGM=1,1 (Short Info)
AT+SWDLMODE
AT+SWVER=1,0
AT+SWVERSION=1,0
AT+SYSSCOPE=1,0
AT+WPROTECT=1,0

Read commands:
AT+<command> - read
AT+<command>? - read
AT+<command>=1,0 - read
For example:
AT+PRECONFG=1,0 - reads CSC config

Write commands:
AT+<command>=2,<info> - write
For example:
AT+PRECONFG=2,XAS - writes CSC config

Hope someone steps up to the plate, and gives us the correct resistor value between CC and GND on usb-c :)
Thanks in advance.
 
Last edited:
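The read/write syntax from the post above, turned into a helper for reviewing a log of AT commands sent to a handset; this is an added example, not part of the original thread. The sample log is constructed, and the function names and the `DESTRUCTIVE` set are assumptions made here.

```python
import re

# Syntax as described in the post: AT+<command>, AT+<command>? and
# AT+<command>=1,<x> read; AT+<command>=2,<info> writes.
AT_RE = re.compile(r"^AT\+([A-Z]+)(?:(\?)|=(\d+),(.*))?$", re.IGNORECASE)

# The post flags this one as forcing a factory reset; extend per policy (assumption).
DESTRUCTIVE = {"FACTORST"}


def classify(line):
    """Return (command, kind, argument) for one logged AT line."""
    m = AT_RE.match(line.strip())
    if not m:
        return (None, "unrecognized", None)
    name, _query, mode, arg = m.groups()
    name = name.upper()
    if name in DESTRUCTIVE:
        return (name, "destructive", arg)
    if mode is None or mode == "1":
        return (name, "read", arg)
    if mode == "2":
        return (name, "write", arg)
    return (name, "unknown-mode", arg)


def audit(lines):
    """Return (line number, kind, text) for every entry that is not a read."""
    tagged = ((n, classify(l)[1], l.strip()) for n, l in enumerate(lines, 1))
    return [t for t in tagged if t[1] != "read"]


# Constructed sample log, not captured from a device.
SAMPLE_LOG = [
    "AT+GMM",
    "AT+BATGETLEVEL?",
    "AT+PRECONFG=1,0",
    "AT+PRECONFG=2,XAS",
    "at+factorst",
    "AT+SWVER=3,0",      # mode 3 is not described in the post
    "AT+PRECONFG=2",     # write form with the <info> field missing
]

if __name__ == "__main__":
    for n, kind, text in audit(SAMPLE_LOG):
        print(f"line {n}: {kind:<13}{text}")
```

The syntax alone says nothing about side effects of bare-form commands, so the classification is a first-pass filter for review, not a safety guarantee.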

partcyborg

These look an awful lot like the commands that go to the modem via RIL from IOTHIDDENMENU when you look at the decompiled source code. This is VERY interesting to me, as there are some things that the app seems to block that could potentially be very promising indeed.

Thank you for sharing! This is the best post on high tech investigation into the S8 I've seen on XDA yet.
 

billa

No problem... I've noticed that some commands work on both uart and modem ports, while others only work on one or the other.
You're right, the ones blocked on RIL do seem to work on uart.
Problem is that it's harder to activate uart especially on the newer generation phones like the S8 and above.
I've done all my testing on the S7 (real uart) and S8 (fake uart - on the modem port flashed with combination firmware seems to take uart AT commands ; ).
 