[HOWTO] Remove the Hero's security and CID locks


ash1980

New member
Oct 19, 2009
3
0
Thanks for that irishandrew.

To summarise, this is the way I understand it.

- At the moment, there is no way to unlock the SIM lock with the cable alone.
- You will still need an unlock code.
- However, the cable method allows you to use non-Orange-sourced unlock codes. These are generally cheaper.

- If you buy a non-Orange code that does not work, get a refund, and use the cable method to allow it to work!!!

I haven't tried this yet, but if anyone else has got theirs to work, please confirm.

Thanks

Ash
 

cadetnudt

Senior Member
Sep 27, 2009
93
0
Hi irishandrew.

I wonder whether this hacking method works on the HTC Magic (G2)?

After upgrading my G2, the SPL changed to 1.76.0007 with S-ON and cannot be flashed any more. I want to remove the CID lock in order to downgrade to a lower version...

Thanks
 

irishandrew

Member
Jun 12, 2007
20
0
Hi irishandrew.

I wonder whether this hacking method works on the HTC Magic (G2)?

After upgrading my G2, the SPL changed to 1.76.0007 with S-ON and cannot be flashed any more. I want to remove the CID lock in order to downgrade to a lower version...

Thanks

Hi cadetnudt,

I don't see why it shouldn't work? Although in order to use the cable method described in the first post you will need Hboot 1.76.0004, not the .0007 one you have. Jesterz very kindly supplied an update.zip of the SPL in post #43
 

cadetnudt

Senior Member
Sep 27, 2009
93
0
Thank you very much irishandrew,

As 1.76.0007 is a perfect SPL and it is a G2 that I have, there must be no way to change the SPL for now; hoping an eng version will be published or leaked soon...
 

irishandrew

Member
Jun 12, 2007
20
0
@Cadetnudt

Sorry, tiredness got the best of me this morning;

The SPL zip in the first post is written for the Hero (or modified from the Hero, using specifically the radio mentioned and of course SPL 1.76.0004); as such the Magic would need a hacked SPL derived from its own.

What I should have said is that with such an SPL available, I imagine the process via the cable would otherwise be similar. Sorry if I was confusing :(
 

cadetnudt

Senior Member
Sep 27, 2009
93
0
Hi irishandrew,

It's OK, you are welcome; I already know about the Magic's latest SPL 1.76.0007.

Now all I can do is wait ... :)
 

agent-5

Member
Oct 9, 2009
22
0
Cable Building Service

If anyone would like me to build a fully working cable for them (I can also provide the correct software, files and guides on CD-ROM), PM me on this site or contact me through www.MoDaCo.com (user ID: agent-5). :)
 

wagjj

Member
Sep 7, 2009
21
0
Hi adq,
Can you try this on the G2 32A? I think the G2 32A has the same hardware as the Hero.
After updating to the official Sense ROM on the G2 32A, we cannot downgrade to any ROM; we wish this method could be used on the G2 32A.

Thanks
 

kiall

Member
Nov 13, 2009
43
0
So - If you get S-OFF with a 004 HBOOT, and upgrade to a 007 HBOOT, does the S-OFF stay?

So - after a 007 upgrade - does fastboot etc continue to work?

Thanks!
 

kiall

Member
Nov 13, 2009
43
0
Ooops! I did read the whole thread, but it was late ;) sorry!

So - is there anything we can do (in theory anyway, I know there's nothing for it right now...) to keep fastboot etc. working, besides getting our hands on an engineering SPL?
 

mmitar

Member
Aug 27, 2009
11
0
On my HTC Hero (T-Mobile branded) USB VCC gets shut down almost immediately after bootup. I get just:

Code:
RTC works

boot reason: PM_KPD_PWR_KEY_ON_RT_ST

(PowerOn Status,Boot Reason)=(1,1)
NAND_FLASH_READ_ID : SAMSUNG_512MB_FLASH_256MB_SDRAM

ARM9_BOOT_MODE0, Boot Android
Read CFG0 = AA

I have measured the voltage on the USB VCC pin during bootup and there is simply no voltage very soon (a second or even less) after a normal bootup (without removed security and CID locks). I will now power my MAX3232 from a battery, but I was wondering why this is so and whether anybody else has noticed it? Should I turn something on?
 

Z!L0G80

Senior Member
Sep 22, 2007
114
40
CPU
Hi, I have a slightly bricked USB connector on my Hero and I want to send it for repair. I have S-OFF and changed the CID to 11111111; is there a way, something like hackspl, to change it back to the locked state because of the repair? (fastboot and adb work fine, but HTC Sync and the debug cable don't :/ )
 

Top Liked Posts

This should allow you to remove the security and CID locks from the HTC Hero.

Do *not* attempt this if you haven't done this sort of thing before or are at all unsure; I can't be held responsible if you break your phone.

You will need:
* An HTC debug *serial* cable. There are instructions on how to build one elsewhere on xda-developers.com.
* Serial terminal software - I use minicom under Linux myself.
* A USB cable.
* The zip file downloaded from here.
* A PC with a copy of the "fastboot" program.
* A Hero handset with the 63.18.55.06_6.35.04.25 radio firmware version and the 1.76.0004 HBOOT version. Other versions can probably be supported, but I've no interest in doing this myself. However, source is included in the download for others to do so if they wish.

Overview:

The MSM7201A used on the Hero has two CPU cores, an ARM9 and an ARM11. The ARM9 runs the radio software, and the ARM11 runs Android. The ARM9 boots its own bootloaders first, which set up the radio and security. It then boots the ARM11 CPU, which runs its own bootloader, providing the "fastboot" functionality amongst other things.

Both CPUs use the same DRAM, but there is a hardware partitioning system built into the MSM7201A which prevents each CPU from writing to the other's memory space. Luckily this can be disabled.

The ARM9 bootloader can be entered by holding VOLUP when powering up. The phone will vibrate three times and the power LED will be green; however, the screen will remain black. This supports many serial commands, only a few of which are available in security-locked mode.

The ARM11 bootloader can be entered by holding VOLDOWN or BACK when powering up. It shows the three-androids-on-skateboards logo. It supports USB control using the Android-specific fastboot protocol, but also has a serial HBOOT mode which supports a few commands. There is a second hidden set of commands which are not accessible without software patching.

This patch will:
* Temporarily enable the additional ARM11 commands.
* Temporarily disable checks on a few ARM9 radio AT commands to allow the removal of locks.

The patches to the software are done in RAM, so the patches will "vanish" on a power cycle. However, executing the patched AT commands below will write to the HTC config area in flash, so the security-off and super-CID modes /will/ persist.

Instructions:

Note: all commands obviously need <ENTER> pressed after them :)

1. Connect the serial cable and start your terminal software (115200 8N1).
2. Power up the phone holding down VOLDOWN (this boots into the ARM11 HBOOT mode). You should see various messages and get a command prompt.
3. Type "rtask b" and wait for a while until it says "AT-Command Interpreter ready" (this starts the radio software running on the ARM9 and accesses its AT interface).
4. Type "retuoR" (this returns to the ARM11 HBOOT software).
5. Enter fastboot mode by pressing the "BACK" button on the phone.
6. Unplug the serial cable and plug in the USB cable.
7. Boot the hackspl.img by running "fastboot boot hackspl.img" on your PC.
8. The screen will go black and show the normal boot logo. However, if you press "VOLDOWN" the screen should clear and you'll re-enter HBOOT mode.
9. Unplug the USB cable and plug in the serial cable again.
10. Type "rtask b" - this will enter the radio AT interface.
11. Type "ATE1" - this will enable character echo mode, which helps with typing a lot!
12. Type "[email protected]=8,0" - this will disable security. It should print "0" when done, which may take a few seconds.
13. Type "[email protected]=11111111" - this will set the "Super-CID". It should print "0" when done, which may take a few seconds.
14. Type "retuoR" - returns to the ARM11 bootloader.
15. Type "erasebcid" - this will erase the "backup CID" from the ARM11.

After this lot, your phone should be security unlocked and be super-CID. On reboot, the ARM11 skateboard screen should say "S-OFF" instead of "S-ON" on the top line. On a normal boot, you should see "Device is Super-CID" printed over the serial port at some point before it boots Android.

You will be able to flash system/boot/recovery etc. directly using the fastboot command from your PC.

If you type "h" after step 15, you'll see a much bigger list of commands than normal - these are the ARM11 hidden commands.

If you boot into the ARM9 bootloader (hold VOLUP on powerup) with security off, and type "h" you'll see a list of some of the ARM9 commands. There are actually more; it just doesn't list them in the help screen.
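The thread gives two things a reader ends up checking by eye over the serial cable: the boot messages mmitar pasted (boot reason, NAND ID, ARM9 boot mode) and the two indicators the first post says confirm the result ("S-OFF" on the top line, "Device is Super-CID" during a normal boot). The script below is an added example, not code from the thread or from the hackspl download: it parses a saved serial transcript and reports the device's lock state, which is useful for verifying a handset before flashing or for spotting a phone that has been left S-OFF/Super-CID (the first post notes both settings persist in flash). The sample transcript is constructed from the lines quoted in the thread; the "HBOOT-1.76.0004 S-OFF" line is an assumption about how the top-line status appears over serial, since the thread only describes it on screen, and the regex for it is marked as such.

```python
"""Classify an HTC Hero's lock state from a captured HBOOT serial transcript.

Added example, not code posted in the thread or shipped with hackspl. It
assumes the output of the debug serial cable (115200 8N1) has been saved to
a string. Everything matched below is quoted in the thread except the HBOOT
version/S-OFF line, whose layout is an assumption.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: mmitar's boot log plus the two indicators the first
# post tells you to look for after the procedure. The HBOOT line is assumed.
SAMPLE_TRANSCRIPT = """\
RTC works

boot reason: PM_KPD_PWR_KEY_ON_RT_ST

(PowerOn Status,Boot Reason)=(1,1)
NAND_FLASH_READ_ID : SAMSUNG_512MB_FLASH_256MB_SDRAM

ARM9_BOOT_MODE0, Boot Android
Read CFG0 = AA
HBOOT-1.76.0004 S-OFF
Device is Super-CID
"""

_BOOT_REASON = re.compile(r"boot reason:\s*(\S+)")
_NAND_ID = re.compile(r"NAND_FLASH_READ_ID\s*:\s*(\S+)")
_ARM9_MODE = re.compile(r"ARM9_BOOT_MODE(\d+)")
_HBOOT_VERSION = re.compile(r"HBOOT-(\d+\.\d+\.\d+)")  # assumed line layout
_SECURITY = re.compile(r"\bS-(ON|OFF)\b")
_SUPER_CID = re.compile(r"Device is Super-CID")


@dataclass
class DeviceState:
    boot_reason: Optional[str] = None
    nand_id: Optional[str] = None
    arm9_boot_mode: Optional[int] = None
    hboot_version: Optional[str] = None
    security_off: Optional[bool] = None  # None: no S-ON/S-OFF line captured
    super_cid: bool = False


def assess(transcript: str) -> DeviceState:
    """Extract boot facts and lock indicators from a serial transcript."""
    state = DeviceState()
    if m := _BOOT_REASON.search(transcript):
        state.boot_reason = m.group(1)
    if m := _NAND_ID.search(transcript):
        state.nand_id = m.group(1)
    if m := _ARM9_MODE.search(transcript):
        state.arm9_boot_mode = int(m.group(1))
    if m := _HBOOT_VERSION.search(transcript):
        state.hboot_version = m.group(1)
    # Use the last S-ON/S-OFF token so a transcript spanning a reboot
    # reflects the final state rather than the one before the change.
    flags = _SECURITY.findall(transcript)
    if flags:
        state.security_off = flags[-1] == "OFF"
    state.super_cid = bool(_SUPER_CID.search(transcript))
    return state


def findings(state: DeviceState) -> List[str]:
    """Turn the parsed state into short notes on what it implies."""
    notes = []
    if state.security_off is True:
        notes.append("S-OFF: ARM9 security check is disabled; per the thread "
                     "this is written to the HTC config area and persists "
                     "across power cycles.")
    elif state.security_off is False:
        notes.append("S-ON: security lock is still in place.")
    else:
        notes.append("No S-ON/S-OFF indicator captured; boot into HBOOT "
                     "with the serial cable attached and capture again.")
    if state.super_cid:
        notes.append("Super-CID (CID 11111111): CID restrictions on flashing "
                     "are lifted; this also persists in flash.")
    if state.hboot_version and state.hboot_version != "1.76.0004":
        notes.append(f"HBOOT {state.hboot_version} is not the 1.76.0004 "
                     "build the cable method in the first post targets.")
    return notes


if __name__ == "__main__":
    observed = assess(SAMPLE_TRANSCRIPT)
    print(observed)
    for note in findings(observed):
        print("-", note)
```

Run it against a transcript saved from minicom instead of SAMPLE_TRANSCRIPT to audit a real handset; `security_off` of `None` means the capture never reached the HBOOT status line and is not evidence either way.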