
Hermes RadioBootLoader

From XDA-Developers

HTC Hermes Radio BootLoader and GSM AT command interface

The radio bootloader can be accessed by issuing the command "rtask a" in the normal bootloader.

The GSM AT command interface can be accessed by issuing the command "rtask b" in the normal bootloader.

To exit the radio bootloader or the GSM AT command interface, issue the command "retuoR". This returns you to the "USB>" prompt of the normal bootloader.


Radio bootloader commands

Some radio bootloader commands are still undocumented. If you can provide more information, please edit :)

rinfo

Gives a lot of data encapsulated in a HTCS-HTCE block, this data is used to generate the radio bootloader password.


rpass

To use it, send "rpass \r" (mind the space between rpass and \r), then send "HTCS" + the password + the CRC of the password as bytes + "HTCE".

It should either return "T " for success, or "F " for failure (encapsulated in the HTCS-HTCE block).


rerase

Usage:

rerase [[StartAddr [Len]]] 

Erase a part of flash memory.
StartAddr : Start address
Len : How many bytes will be erased

Will either return "T " for success, or "F " for failure (encapsulated in the HTCS-HTCE block).


rchecksum

Usage:

rchecksum [[StartAddr [Len]]] 

Calculate checksum of memory.

Will return "HTCS" + memcrc + crc + "HTCE".


rversion

Returns the HTC radio bootloader version encapsulated in the HTCS-HTCE block.

Example: "HTCS" + "0116" + crc + "HTCE"


rwdata

Usage:

rwdata [[StartAddr [Len]]] "HTCS" + data + crc + "HTCE"

Write data to flash memory.
StartAddr : Start address
Len : How many bytes will be erased

Data should be sent encapsulated in an HTCS-HTCE block, and have a valid 4-byte CRC at the end.
You can sniff the output of a radio-only upgrade to see how it works.
It should either return "T " for success, or "F " for failure (encapsulated in the HTCS-HTCE block).
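
Added example (not part of the original wiki page or of any HTC tool): a Python parser that pulls HTCS-HTCE blocks out of a sniffed capture and checks the trailing 4-byte CRC, including the case where binary payload data itself contains the bytes "HTCE". The page does not say which CRC algorithm or byte order the radio bootloader uses; standard CRC-32 in little-endian order is an assumption here, all function names are hypothetical, and crc_fn can be swapped for the real routine.

```python
import struct
import zlib

START, END = b"HTCS", b"HTCE"

def crc32_le(payload: bytes) -> bytes:
    # ASSUMPTION: standard CRC-32, little-endian; the page only says "4-byte CRC".
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)

def build_block(payload: bytes, crc_fn=crc32_le) -> bytes:
    """Wrap payload as "HTCS" + payload + crc + "HTCE"."""
    return START + payload + crc_fn(payload) + END

def parse_blocks(stream: bytes, crc_fn=crc32_le):
    """Return [(payload, crc_ok), ...] for every block found in a capture."""
    blocks, pos = [], 0
    while (start := stream.find(START, pos)) != -1:
        body_at = start + len(START)
        # The terminator must leave room for at least the 4 CRC bytes.
        first_end = end = stream.find(END, body_at + 4)
        chosen = None
        # Binary payloads may contain the bytes "HTCE"; accept the first
        # terminator whose preceding 4 bytes match the checksum.
        while end != -1:
            payload, crc = stream[body_at:end - 4], stream[end - 4:end]
            if crc_fn(payload) == crc:
                chosen = (payload, True, end)
                break
            end = stream.find(END, end + 1)
        if chosen is None:
            if first_end == -1:
                break  # truncated capture: no terminator at all
            # No terminator validates: report the shortest candidate as bad.
            chosen = (stream[body_at:first_end - 4], False, first_end)
        blocks.append(chosen[:2])
        pos = chosen[2] + len(END)
    return blocks

# Constructed sample capture (not real device traffic).
SAMPLE = (b"rversion\r" + build_block(b"0116")
          + build_block(b"\x00\x01\x02\x03\x04HTCE\x05data")
          + START + b"T " + b"\x00" * 4 + END)

if __name__ == "__main__":
    for payload, ok in parse_blocks(SAMPLE):
        print(payload, "crc ok" if ok else "CRC MISMATCH")
```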


rrbmc

This command is only valid for rversion <= 0106. For newer rversion, look at the rdpram command.

Usage:

rrbmc [[FileName [StartAddr [Len]]]] 

Read back the memory content from the specified address to the host and save the data to the specified file name.
FileName : Full file path for saving the memory data.
StartAddr : Start address of memory.
Len : How many bytes will be read. If no value is given, it will be the total ROM size on board.


rdpram

This command is only valid for rversion >= 0107. For older rversion, look at the rrbmc command.

Usage:

rdpram [[FileName [StartAddr [Len]]]] 

Read back the memory content from the specified address to the host and save the data to the specified file name.
FileName : Full file path for saving the memory data.
StartAddr : Start address of memory.
Len : How many bytes will be read. If no value is given, it will be the total ROM size on board.


rseed

Returns: HTCS + 32-byte random seed + 4-byte CRC + HTCE

You must be successfully authenticated to the radio bootloader for this command to work.


rqversion

Returns the Qualcomm bootloader version.
Checked on a 1.16 radio: returns "0035" for QC_BOOT V1.0035.


Still unknown; if you know, please edit:

rbb

device returns "ok"

rrom

ruartmode

rwfactory



GSM AT command interface commands

To enter the radio GSM AT command bootloader, issue the command "rtask b" in the normal bootloader. (The Hermes bootloader uses b instead of 7, which was used in previous HTC devices.)
To exit the GSM AT interface, issue the command "retuoR".

It provides an AT command interpreter / debugger where you can type standard AT commands and get response values. It also has some proprietary AT commands from HTC.


ate1

Enable local echo


atv1

Enable verbose output for return values


[email protected]

What this command does is still unknown:

[email protected]=<value1>,<value2> OK

[email protected]=1,1,3,3

Result: [email protected]=1,1,3,3 WCDMA GPS Cold-Start Test...

OK


Values should be a number between 0 and 3 to get an "OK" return value.


[email protected]

[email protected]?40 ---> check phone sim lock
@SIMLOCK= 00 ---> means phone is unlocked
@SIMLOCK= 01 ---> means phone is locked

Remove simlock facilities: [email protected]=0,<facility>,<code>

Facility is a number between 0 and 32, code is an 8-digit code.


[email protected]_usb

unknown


[email protected]

returns radio? checksum


ati

Shows this:

Manufacturer: HTC
Model: HTC
Revision: HTC
IMEI: 3577xxxxxxxxxxxxx
+GCAP: +CGSM,+FCLASS,+DS


Other AT commands

Enter them in the form AT+<at string>

For example:

AT+CGSN <--- returns phone IMEI
AT+RADIOVER <--- returns protocol version

To make a call from the GSM bootloader, type these commands:

USB> rtask b <---- enter gsm bootloader
ate1 <---- enable local echo
atv1 <---- enable verbose output
AT+CFUN=1
AT+CPIN=1234 <---- replace 1234 with your SIM PIN code
AT+CREG=2
AT+COPS=0
ATD+XXXXXXXXXXX <---- replace XXX with phone number, including country code


