This should allow you to remove the security and CID locks from the HTC Hero.
Do *not* attempt this if you haven't done this sort of thing before or are at all unsure; I can't be held responsible if you break your phone.
You will need:
* An HTC debug *serial* cable. There are instructions on how to build one elsewhere on xda-developers.com.
* Serial terminal software - I use minicom under linux myself.
* A USB cable.
* The zip file downloaded from here.
* A PC with a copy of the "fastboot" program.
* A HERO handset with the 63.18.55.06_6.35.04.25 radio firmware version and the 1.76.0004 HBOOT version. Other versions can probably be supported, but I've no interest in doing this myself. However, source is included in the download for others to do so if they wish.
Overview:
The MSM7201A used on the Hero has two CPU cores, an ARM9 and an ARM11. The ARM9 runs the radio software, and the ARM11 runs android. The ARM9 boots its own bootloaders first, which sets up the radio, and security. It then boots the ARM11 CPU, which runs its own bootloader, providing the "fastboot" functionality amongst other things.
Both CPUs use the same DRAM, but there is a hardware paritioning system built into the MSM7201A which prevents each CPU from writing to each others memory spaces. Luckily this can be disabled.
The ARM9 bootloader can be entered by holding VOLUP when powering up. The phone will vibrate three times and the power LED will be green. However the screen will remain black. This supports many serial commands, only a few of which are available in security-locked mode.
The ARM11 bootloader can be entered by holding VOLDOWN or BACK when powering up. It shows the three-androids-on-skateboards logo. It supports USB control using the android-specific fastboot protocol, but also has a serial HBOOT mode which supports a few commands. There is a second hidden set of commands which are not accessible without software patching.
This patch will:
* Temporarily enable the additional ARM11 commands.
* Temporarily disable checks on a few ARM9 radio AT commands to allow the removal of locks.
The patches to the software are done in RAM, so the patches will "vanish" on a powercycle. However, executing the patched AT commands below will write to HTC config area in flash, so the security-off and super-CID modes /will/ persist.
Instructions:
Note: all commands obviously need <ENTER> pressed after them
1. Connect the serial cable and start your terminal software (115200 8N1)
2. Power up the phone holding down VOLDOWN (this boots into the ARM11 HBOOT mode). You should see various messages and get a command prompt.
3. Type "rtask b" and wait for a while until it says "AT-Command Interpreter ready" (this starts the radio software running on the ARM9 and accesses its AT interface).
4. Type "retuoR" (this returns to the ARM11 HBOOT software).
5. Enter fastboot mode by pressing the "BACK" button on the phone.
6. Unplug the serial cable and plug in the USB cable.
7. Boot the hackspl.img by running "fastboot boot hackspl.img" on your PC.
8. The screen will go black and show the normal boot logo. However if you press "VOLDOWN" the screen should clear and you'll re-enter HBOOT mode.
9. Unplug the USB cable and plug in the serial cable again.
10. Type "rtask b" - This will enter the radio AT interface.
11. Type "ATE1" - this will enable character echo mode, which helps with typing a lot!
12. Type "[email protected]=8,0" - this will disable security. It should print "0" when done, which may take a few seconds.
13. Type "[email protected]=11111111" - this will set the "Super-CID". It should print "0" when done, which may take a few seconds.
14. Type "retuoR" - returns to the ARM11 bootloader.
15. Type "erasebcid" - this will erase the "backup CID" from the ARM11.
After this lot, your phone should be security unlocked and be super-CID. On reboot, the ARM11 skateboard screen should say "S-OFF" instead of "S-ON"
on the top line. On a normal boot, you should see "Device is Super-CID" printed over the serial port at some point before it boots android.
You will be able to flash system/boot/recovery etc directly using the fastboot command from your PC.
If you type "h" after step 15, you'll see a much bigger list of commands than normal - these are the ARM11 hidden commands.
If you boot into the ARM9 bootloader (hold VOLUP on powerup) with security-off, and type "h" you'll see a list of some of the ARM9 commands. There are actually more; it just doesn't list them in the help screen.
Do *not* attempt this if you haven't done this sort of thing before or are at all unsure; I can't be held responsible if you break your phone.
You will need:
* An HTC debug *serial* cable. There are instructions on how to build one elsewhere on xda-developers.com.
* Serial terminal software - I use minicom under linux myself.
* A USB cable.
* The zip file downloaded from here.
* A PC with a copy of the "fastboot" program.
* A HERO handset with the 63.18.55.06_6.35.04.25 radio firmware version and the 1.76.0004 HBOOT version. Other versions can probably be supported, but I've no interest in doing this myself. However, source is included in the download for others to do so if they wish.
Overview:
The MSM7201A used on the Hero has two CPU cores, an ARM9 and an ARM11. The ARM9 runs the radio software, and the ARM11 runs android. The ARM9 boots its own bootloaders first, which sets up the radio, and security. It then boots the ARM11 CPU, which runs its own bootloader, providing the "fastboot" functionality amongst other things.
Both CPUs use the same DRAM, but there is a hardware paritioning system built into the MSM7201A which prevents each CPU from writing to each others memory spaces. Luckily this can be disabled.
The ARM9 bootloader can be entered by holding VOLUP when powering up. The phone will vibrate three times and the power LED will be green. However the screen will remain black. This supports many serial commands, only a few of which are available in security-locked mode.
The ARM11 bootloader can be entered by holding VOLDOWN or BACK when powering up. It shows the three-androids-on-skateboards logo. It supports USB control using the android-specific fastboot protocol, but also has a serial HBOOT mode which supports a few commands. There is a second hidden set of commands which are not accessible without software patching.
This patch will:
* Temporarily enable the additional ARM11 commands.
* Temporarily disable checks on a few ARM9 radio AT commands to allow the removal of locks.
The patches to the software are done in RAM, so the patches will "vanish" on a powercycle. However, executing the patched AT commands below will write to HTC config area in flash, so the security-off and super-CID modes /will/ persist.
Instructions:
Note: all commands obviously need <ENTER> pressed after them
1. Connect the serial cable and start your terminal software (115200 8N1)
2. Power up the phone holding down VOLDOWN (this boots into the ARM11 HBOOT mode). You should see various messages and get a command prompt.
3. Type "rtask b" and wait for a while until it says "AT-Command Interpreter ready" (this starts the radio software running on the ARM9 and accesses its AT interface).
4. Type "retuoR" (this returns to the ARM11 HBOOT software).
5. Enter fastboot mode by pressing the "BACK" button on the phone.
6. Unplug the serial cable and plug in the USB cable.
7. Boot the hackspl.img by running "fastboot boot hackspl.img" on your PC.
8. The screen will go black and show the normal boot logo. However if you press "VOLDOWN" the screen should clear and you'll re-enter HBOOT mode.
9. Unplug the USB cable and plug in the serial cable again.
10. Type "rtask b" - This will enter the radio AT interface.
11. Type "ATE1" - this will enable character echo mode, which helps with typing a lot!
12. Type "[email protected]=8,0" - this will disable security. It should print "0" when done, which may take a few seconds.
13. Type "[email protected]=11111111" - this will set the "Super-CID". It should print "0" when done, which may take a few seconds.
14. Type "retuoR" - returns to the ARM11 bootloader.
15. Type "erasebcid" - this will erase the "backup CID" from the ARM11.
After this lot, your phone should be security unlocked and be super-CID. On reboot, the ARM11 skateboard screen should say "S-OFF" instead of "S-ON"
on the top line. On a normal boot, you should see "Device is Super-CID" printed over the serial port at some point before it boots android.
You will be able to flash system/boot/recovery etc directly using the fastboot command from your PC.
If you type "h" after step 15, you'll see a much bigger list of commands than normal - these are the ARM11 hidden commands.
If you boot into the ARM9 bootloader (hold VOLUP on powerup) with security-off, and type "h" you'll see a list of some of the ARM9 commands. There are actually more; it just doesn't list them in the help screen.
Last edited by a moderator:
