
[HOWTO] Remove the Hero's security and CID locks


adq

Member
Jul 27, 2009
25
3
This should allow you to remove the security and CID locks from the HTC Hero.

Do *not* attempt this if you haven't done this sort of thing before or are at all unsure; I can't be held responsible if you break your phone.

You will need:
* An HTC debug *serial* cable. There are instructions on how to build one elsewhere on xda-developers.com.
* Serial terminal software - I use minicom under linux myself.
* A USB cable.
* The zip file downloaded from here.
* A PC with a copy of the "fastboot" program.
* A HERO handset with the 63.18.55.06_6.35.04.25 radio firmware version and the 1.76.0004 HBOOT version. Other versions can probably be supported, but I've no interest in doing this myself. However, source is included in the download for others to do so if they wish.


Overview:

The MSM7201A used on the Hero has two CPU cores, an ARM9 and an ARM11. The ARM9 runs the radio software, and the ARM11 runs android. The ARM9 boots its own bootloaders first, which set up the radio and security. It then boots the ARM11 CPU, which runs its own bootloader, providing the "fastboot" functionality amongst other things.

Both CPUs use the same DRAM, but there is a hardware partitioning system built into the MSM7201A which prevents each CPU from writing to the other's memory space. Luckily this can be disabled.

The ARM9 bootloader can be entered by holding VOLUP when powering up. The phone will vibrate three times and the power LED will be green. However the screen will remain black. This supports many serial commands, only a few of which are available in security-locked mode.

The ARM11 bootloader can be entered by holding VOLDOWN or BACK when powering up. It shows the three-androids-on-skateboards logo. It supports USB control using the android-specific fastboot protocol, but also has a serial HBOOT mode which supports a few commands. There is a second hidden set of commands which are not accessible without software patching.

This patch will:
* Temporarily enable the additional ARM11 commands.
* Temporarily disable checks on a few ARM9 radio AT commands to allow the removal of locks.

The patches to the software are done in RAM, so the patches will "vanish" on a powercycle. However, executing the patched AT commands below will write to the HTC config area in flash, so the security-off and super-CID modes /will/ persist.



Instructions:

Note: all commands obviously need <ENTER> pressed after them :)

1. Connect the serial cable and start your terminal software (115200 8N1)
2. Power up the phone holding down VOLDOWN (this boots into the ARM11 HBOOT mode). You should see various messages and get a command prompt.
3. Type "rtask b" and wait for a while until it says "AT-Command Interpreter ready" (this starts the radio software running on the ARM9 and accesses its AT interface).
4. Type "retuoR" (this returns to the ARM11 HBOOT software).
5. Enter fastboot mode by pressing the "BACK" button on the phone.
6. Unplug the serial cable and plug in the USB cable.
7. Boot the hackspl.img by running "fastboot boot hackspl.img" on your PC.
8. The screen will go black and show the normal boot logo. However if you press "VOLDOWN" the screen should clear and you'll re-enter HBOOT mode.
9. Unplug the USB cable and plug in the serial cable again.
10. Type "rtask b" - This will enter the radio AT interface.
11. Type "ATE1" - this will enable character echo mode, which helps with typing a lot!
12. Type "[email protected]=8,0" - this will disable security. It should print "0" when done, which may take a few seconds.
13. Type "[email protected]=11111111" - this will set the "Super-CID". It should print "0" when done, which may take a few seconds.
14. Type "retuoR" - returns to the ARM11 bootloader.
15. Type "erasebcid" - this will erase the "backup CID" from the ARM11.

After this lot, your phone should be security unlocked and be super-CID. On reboot, the ARM11 skateboard screen should say "S-OFF" instead of "S-ON" on the top line. On a normal boot, you should see "Device is Super-CID" printed over the serial port at some point before it boots android.

You will be able to flash system/boot/recovery etc directly using the fastboot command from your PC.

If you type "h" after step 15, you'll see a much bigger list of commands than normal - these are the ARM11 hidden commands.

If you boot into the ARM9 bootloader (hold VOLUP on powerup) with security-off, and type "h" you'll see a list of some of the ARM9 commands. There are actually more; it just doesn't list them in the help screen.
 
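The post above tells you what to look for on the serial port at each stage: the "AT-Command Interpreter ready" banner after "rtask b", a bare "0" after each patched AT command, "Device is Super-CID" during a normal boot, and "S-OFF" replacing "S-ON" on the HBOOT top line. The parser below, an added example that is not code from the original post or its zip, walks a captured minicom log and reports those states, and also compares the HBOOT and radio versions against the ones the post says the patch was built for. The transcript text is constructed: the "hboot>" prompt, the "HBOOT-"/"RADIO-" version lines, the use of "4" as an AT error code, and the "AT@CMD_A"/"AT@CMD_B" command names are all assumptions or placeholders (the real lock-related AT command names are not reproduced here).

```python
"""Parse a captured HTC Hero serial transcript (115200 8N1) and report state.

Added example, not the original post's code. The sample transcripts are
constructed; the "hboot>" prompt and "HBOOT-"/"RADIO-" banner lines are an
assumed layout, and "AT@CMD_A"/"AT@CMD_B" are placeholders for the real
AT command names, which this example does not reproduce.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Versions the original post says the patch was written against.
REQUIRED_HBOOT = "1.76.0004"
REQUIRED_RADIO = "63.18.55.06_6.35.04.25"

# Numeric result codes. The post only mentions "0" for success; mapping "4"
# to ERROR is an assumption based on the usual Hayes/V.250 numeric codes.
AT_RESULT_CODES = {"0": "OK", "4": "ERROR"}


@dataclass
class DeviceState:
    hboot: Optional[str] = None
    radio: Optional[str] = None
    security_off: Optional[bool] = None      # True = S-OFF, False = S-ON, None = not seen
    super_cid: bool = False
    at_interpreter_ready: bool = False
    at_results: List[Tuple[str, str]] = field(default_factory=list)  # (command, outcome)


def parse_transcript(text: str) -> DeviceState:
    """Walk the log line by line; later banner lines override earlier ones."""
    state = DeviceState()
    pending_cmd = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # The first non-empty line after an echoed AT command is its result.
        if pending_cmd is not None:
            state.at_results.append((pending_cmd, AT_RESULT_CODES.get(line, "NO RESULT")))
            pending_cmd = None
            if line in AT_RESULT_CODES:
                continue
        if "AT-Command Interpreter ready" in line:
            state.at_interpreter_ready = True
        elif line.upper().startswith("AT"):
            pending_cmd = line                # echoed command (ATE1 turns echo on)
        elif "Device is Super-CID" in line:
            state.super_cid = True
        m = re.search(r"\bS-(ON|OFF)\b", line)
        if m:
            state.security_off = m.group(1) == "OFF"
        m = re.match(r"HBOOT-(\S+)", line)
        if m:
            state.hboot = m.group(1)
        m = re.match(r"RADIO-(\S+)", line)
        if m:
            state.radio = m.group(1)
    if pending_cmd is not None:
        state.at_results.append((pending_cmd, "NO RESULT"))
    return state


def check_versions(state: DeviceState) -> List[str]:
    """Return a list of mismatches against the versions the post requires."""
    problems = []
    if state.hboot != REQUIRED_HBOOT:
        problems.append(f"HBOOT {state.hboot} != required {REQUIRED_HBOOT}")
    if state.radio != REQUIRED_RADIO:
        problems.append(f"radio {state.radio} != required {REQUIRED_RADIO}")
    return problems


def failed_at_commands(state: DeviceState) -> List[str]:
    """Commands that did not get the "0" the post says to expect."""
    return [cmd for cmd, outcome in state.at_results if outcome != "OK"]


# Constructed log of a session that went as the post describes.
SAMPLE_TRANSCRIPT = """\
HBOOT-1.76.0004
RADIO-63.18.55.06_6.35.04.25
HERO CVT SHIP S-ON
hboot> rtask b
AT-Command Interpreter ready
ATE1
0
AT@CMD_A=8,0
0
AT@CMD_B=11111111
0
retuoR
hboot> erasebcid
Device is Super-CID
HERO CVT SHIP S-OFF
"""

# Constructed log of a device on other firmware where one command failed.
OTHER_TRANSCRIPT = """\
HBOOT-1.76.0007
RADIO-63.18.55.06EU_6.35.06.18
HERO CVT SHIP S-ON
AT-Command Interpreter ready
ATE1
0
AT@CMD_A=8,0
4
"""

if __name__ == "__main__":
    for name, log in (("good", SAMPLE_TRANSCRIPT), ("other", OTHER_TRANSCRIPT)):
        st = parse_transcript(log)
        print(name, st, check_versions(st), failed_at_commands(st))
```

Run it on your own minicom capture (minicom's "Capture on/off" writes a plain text file) before and after the procedure; the version check is the one to look at first, since Exion's reply further down reports that other HBOOT/radio versions behave differently.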

Exion

Member
Sep 11, 2009
16
4
Thanks for this hack adq. Just tried this now and can confirm it worked fine.

For console I built a TTL console cable using "HTC Multifunction Audio Cable YC A300". This connector has 2x ExtUSB (1 for headphone and 1 for data/charge) plus 2x headphone plugs. Inside there are two boards: one connected for USB data/charge and one for the others. So by removing the board for the headset and connecting the pins to a TTL adapter I got both console and USB connectivity at the same time. Hence, I did not have to replug during your process :)

My device was factory programmed with hboot 1.76.0007 and radio 63.18.55.06EU_6.35.06.18. I downgraded from both these to the ones you specified before attempting the hack.

I have now upgraded back to hboot 1.76.0007 and radio 63.18.55.06EU_6.35.06.18. The security and CID are still kept from the hack!

Great job adq,

Best regards,
Exion
 

Exion

Member
Sep 11, 2009
16
4
I have now upgraded back to hboot 1.76.0007 and radio 63.18.55.06EU_6.35.06.18. The security and CID are still kept from the hack!

Even if the bootloader says HERO CVT SHIP S-OFF, the fastboot boot command still does not work in the 1.76.0007 bootloader. So I have reverted back to 1.76.0004 again for now. Maybe there is more we need to modify?
 

hello :). Can you please take some photos of the HTC Multifunction Audio Cable YC A300 and the inside of it so I know what I need to do
 

packetlss

Senior Member
Aug 10, 2009
236
8
Quick question to adq:

Is the unlocking with serial cable the only way to get this done? Or is there a way to flash a S-OFF SPL using normal methods?

If not, then I guess it's time to bring out the ol' good soldering iron :)
 

oblika

Senior Member
Jun 14, 2008
101
1
Could it be possible to make the cable using a USB2serial adapter and then use an ExtUSB breakout board and an RS232 connector and solder them together (correct pins) and then just connect the RS232 to the USB2RS232 adapter and the adapter to the PC?

B
 

adq

Member
Jul 27, 2009
25
3
Quick question to adq:

Is the unlocking with serial cable the only way to get this done? Or is there a way to flash a S-OFF SPL using normal methods?

If not, then I guess it's time to bring out the ol' good soldering iron :)

Hi, not with the code as it is right now. However, there's no reason someone else couldn't take the code and remove the serial requirement; this was simply the fastest way to get the thing working. I'm not very interested in doing this myself though, as I want to get on with looking at other things.
 

adq

Member
Jul 27, 2009
25
3
Could it be possible to make the cable using a USB2serial adapter and then use an ExtUSB breakout board and an RS232 connector and solder them together (correct pins) and then just connect the RS232 to the USB2RS232 adapter and the adapter to the PC?

B

Hi, I use a USB->(3.3v) serial adapter with the HTC serial breakout board soldered to the other side of it; my laptop doesn't have a serial interface otherwise.
 

oblika

Senior Member
Jun 14, 2008
101
1
Hi, I use a USB->(3.3v) serial adapter with the HTC serial breakout board soldered to the other side of it; my laptop doesn't have a serial interface otherwise.

I currently have a Digitus USB 2.0 -> rs232 (http://www.digitus.info/en/products/accessories/?c=1216&p=3530). Does this adapter seem ok to you?

I have done some googling and found out that it has an FTDI chip (FT232BM). I just want to make sure that it uses 3.3V.

http://www.ftdichip.com/Products/FT232BM.htm
http://www.ftdichip.com/Documents/DataSheets/DS_FT232BM.pdf

---

Where did you order the breakout board? I'm from Slovenia (Europe). Where would be the best place to order?

B
 

adq

Member
Jul 27, 2009
25
3
I currently have a Digitus USB 2.0 -> rs232 (http://www.digitus.info/en/products/accessories/?c=1216&p=3530). Does this adapter seem ok to you?

I have done some googling and found out that it has an FTDI chip (FT232BM). I just want to make sure that it uses 3.3V.

http://www.ftdichip.com/Products/FT232BM.htm
http://www.ftdichip.com/Documents/DataSheets/DS_FT232BM.pdf

---

Where did you order the breakout board? I'm from Slovenia (Europe). Where would be the best place to order?

B

Ah - if that's specifically a USB->RS232 adaptor, that will most likely run at 12v, so it'd fry the phone.

www.sparkfun.com have the HTC breakout boards; they also have USB->3.3v serial adaptors such as http://www.sparkfun.com/commerce/product_info.php?products_id=198, but you'll have to make certain it's *definitely* 3.3v; even 5v might fry it. I paranoidly checked at the last minute with a voltmeter.

There's an instructables article about it here: http://www.instructables.com/id/Android_G1_Serial_Cable/

Looking about, I see www.coolcomponents.co.uk have such things in the UK.
 

Exion

Member
Sep 11, 2009
16
4
hello :). Can you please take some photos of the HTC Multifunction Audio Cable YC A300 and the inside of it so I know what I need to do

Hi KinkyGolab,

You can get the pinout details/pictures from my wiki http://www.suphammer.net/Hero/ExtUSB

Please note there are two PCBs in the dongle. I have only investigated the connections for the audio board (where the TTL serial signals are available).

Please use a TTL 3v level serial adapter when connecting to the serial pins. Connecting the serial port of your PC directly to the serial pins of the HTC will damage your HTC.

Best regards,
Exion
 
