
Hermes BootLoader

From XDA-Developers
Revision as of 10:30, 23 July 2017 by Mat1371 (Talk | contribs)


HTC Hermes BootLoader

The bootloader is where you can change low-level software parameters and some hardware parameters of the Hermes, read and write the ROM, and query information about the device.

The bootloader is entered by holding down the POWER button and the side OK button together while using the stylus to press the RESET button at the bottom.

The Hermes bootloader is very similar to the bootloaders of other HTC devices, but it lacks some important things:

  1. There is no help available.
  2. The commands to dump the ROM to a microSD card, or restore a ROM from it, have been removed.


You can connect to the bootloader over USB using the program mtty under Windows, or minicom / cu / pof's HTCflasher under Linux.

NOTE: mtty does not support copy-paste; you MUST type the commands yourself.

Make sure you have disabled the USB connection in ActiveSync, before trying to connect to the bootloader:
File --> Connection settings --> uncheck "allow USB connections"

Please note that some commands are locked until you authenticate with the proper password: the password command takes a dynamically generated 16-byte password as its argument (the generation scheme has been reverse engineered). Once you are authenticated it removes the protection on commands such as wdatah, which would otherwise return "Command is Locked!".

The information about the radio bootloader has been split off into the Hermes radio bootloader wiki page.




Bootloader commands:

Some of this info has been taken from the help available in older HTC Devices and may not be the same in the Hermes Bootloader; see the Hermes specific notes below each command.


set

 
Usage: 
 
set [Type [Value]] 
 
Set control flags. 
Type(hex) : Control function types. 
Value(hex) : Setting values for types. 
If value is not given, default is 0. 
 
Type 0(Echo on/off): 1(on) and 0(off). 
cEchoFlag: Whether to echo all input. 1 to show what you type, 0 to stay quiet 
Type 1(Operation mode): 1(auto) and 0(user). 
cOpModeFlag: Set to 0 for friendly return values, 1 for easy-to-parse return values (0 for users, 1 for programs) 
Type 2(Back color on/off): 1(on) and 0(off). 
cBackColorShowFlag: Whether to draw a background behind text. 
Type 3(Inverse on/off): 1(on) and 0(off). 
cShowInverseFlag: Whether to swap foreground and background colors (1=yes, 0=no) 
Type 4(Front color value): 16 bits data 
g_wFColor: Foreground color, 16-bit number, 5-6-5 bit compression 
Type 5(Background color value): 16 bits data 
g_wBColor:  Background color, 16-bit number, 5-6-5 bit compression 
Type 6(Set color of screen): Fill color to whole screen one time. 
Type 8(COMM queue flag): 0(TX_RX disable),1(RX enable),2(TX enable) and 3(TX_RX enable). 
g_cCommQueueFlag: Unknown 
Type 14(action after reset): What to do after a reset. Set to 1 to go to bootloader after reset, set to 0 to start OS. 
Type 16(RUU Flag): if your device keeps starting in bootloader mode, setting this to 0 may help. 
Type 1E(RUU command read/write flag): 1(unlock) and 0(lock). 
 
Current flag settings: 
Type 0(Echo flag): cEchoFlag=(0x1). 
Type 1(Operation mode flag): cOpModeFlag=(0x0). 
Type 2(Back color flag): cBackColorShowFlag=(0x1). 
Type 3(Inverse flag): cShowInverseFlag=(0x0). 
Type 4(Front color): g_wFColor=(0x0). 
Type 5(Background color): g_wBColor=(0xFFFF). 
Type 6(Set color of screen): None. 
Type 8(COMM queue flag): g_cCommQueueFlag=(0x0). 
Type 1E(RUU command read/write flag): g_cRUUCommandRWFlag=(0x0). 

Example commands issued by ROMUpgradeUt:

 
set 14 0    - start OS after a reset 
set 5 7777  - change bg color 
set 2 1     - change back color on 
set 6 FFFF  - screen color FFFF 
set 1 0     - operation mode user 

rbmc

 
Usage: 
 
rbmc [FileName [StartAddr [Len]]] 
 
Read back the memory content from the specified address to the host 
and save the data to specified file name. 
FileName : Full file path for save data of memory(default=c:\temp\Mem.nb). 
StartAddr : Start address of memory(default(hex)=A0000000). 
Len : How many bytes will be read. And if not given value, it will be 
Total ROM size on board - ((StartAddress & 0x0FFFFFFF) - (ROM base address(0) & 0x0FFFFFFF)). 

NOTE: To use rbmc you need to:

  • authenticate with the proper password
  • type the command set 1e 1 before every rbmc command
  • use the right syntax for the rbmc command
  • be at security level 0 (unconfirmed; if you know, please edit)

otherwise the bootloader returns "Command error !!!" or "Command is Locked!". (If you are using Hard-SPL this is unlocked, and any address can be read with 2.30.Olipro.)
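The rbmc notes above are a procedure, so here is one worked example that ties them together. It is added here and is not code from the original wiki page or from any HTC tool: a small Python generator that computes the default Len exactly as the help text defines it (the same formula is quoted for checksum), splits a ROM region into chunks, and puts a set 1e 1 line in front of every rbmc line. Everything not on the page is an assumption: the ROM size is supplied by the caller, the 0x80000-byte chunk size borrows wdata's buffer limit and is not a documented rbmc limit, the per-chunk file naming is invented, and the static password only applies to newer SPLs (older ones need the dynamically generated password, which this script does not compute).

```python
"""Generate an rbmc dump script for the Hermes bootloader (added example)."""
import ntpath

ROM_BASE = 0xA0000000   # default StartAddr quoted in the rbmc/checksum help text
CHUNK = 0x80000         # ASSUMPTION: borrowed from wdata's buffer limit, not a documented rbmc limit


def default_len(start_addr, rom_size, rom_base=ROM_BASE):
    """Default Len from the help text:
    Total ROM size - ((StartAddr & 0x0FFFFFFF) - (ROM base & 0x0FFFFFFF)).
    rom_size is the caller's responsibility; the page does not state it."""
    offset = (start_addr & 0x0FFFFFFF) - (rom_base & 0x0FFFFFFF)
    if offset < 0 or offset >= rom_size:
        raise ValueError(f"start address {start_addr:#010x} is outside the ROM")
    return rom_size - offset


def rbmc_script(start_addr, length, chunk=CHUNK,
                filename="c:\\temp\\Mem.nb", password=None):
    """Return the lines to type: optional password, then 'set 1e 1' + rbmc per chunk.
    Addresses and lengths are bare hex, as in the page's own command examples."""
    if length <= 0 or chunk <= 0:
        raise ValueError("length and chunk must be positive")
    lines = []
    if password is not None:                  # static BsaD5SeoA on newer SPLs only
        lines.append(f"password {password}")
    stem, ext = ntpath.splitext(filename)     # hypothetical per-chunk file naming
    for i, off in enumerate(range(0, length, chunk)):
        n = min(chunk, length - off)
        lines.append("set 1e 1")              # unlock RUU read/write before EVERY rbmc
        lines.append(f"rbmc {stem}_{i:03d}{ext} {start_addr + off:08X} {n:X}")
    return lines


def check_rbmc_script(lines):
    """Reject a script in which any rbmc is not immediately preceded by 'set 1e 1'."""
    for i, line in enumerate(lines):
        if line.startswith("rbmc") and (i == 0 or lines[i - 1] != "set 1e 1"):
            return False
    return True


if __name__ == "__main__":
    rom_size = 0x4000000                      # ASSUMPTION: 64 MiB; replace with the real size
    script = rbmc_script(ROM_BASE, default_len(ROM_BASE, rom_size), password="BsaD5SeoA")
    assert check_rbmc_script(script)
    print("\n".join(script))
```

The generated lines can be pasted into minicom or cu; with mtty you still have to type them by hand, which is exactly why the checker exists: run it on whatever you typed into a log before trusting a dump.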



password

 
Usage: 
 
 password [string] 
 
Enter the password string to enable the wdata, erase and rbmc functions 

See more info on the bootloader password here.

Newer SPLs take a static password of BsaD5SeoA (the password is ignored on Hard-SPL).


shmsg

 
Usage: 
 
 shmsg [Row [Col ["String"]]] 
 
Show texts on display. 
Row(hex) : 0 - 17(11). 
Col(hex) : 0 - 12(C). 
Text String : The string which will be show on display. 

Example commands issued by ROMUpgradeUt:

 
shmsg 3 d "50%" 
shmsg 9 8 "  Completed  " 

(this is used on older SPL)


prouter

 
Usage: 
 
 prouter [PortID1 [Baud1 [PortID2 [Baud2]]]] 
 
Port Router: Construct data path between two ports. 
PortID1: PortID1 number(default=6). 
Baud1: Baud rate1 select(default=5). 
PortID2: PortID2 number(default=0). 
Baud2: Baud rate2 select(default=5). 
 
Port ID: 0(ACTIVE_PORT),1(PPSH_CABLE),2(PPSH_SERIAL2),3(PPSH_PAR1),4(USB_CABLE), 
       5(ON_BOARD_FFUART),6(ON_BOARD_BTUART),7(ON_BOARD_STUART) and 9(DPRAM_MEMORY). 
Baud Rate: 1(9600),2(19200),3(38400),4(57600),5(115200),6(230400),7(460800) and 8(921600). 

task

 
Usage: 
 
 task [Type [Value [Value1]]] 
 
Type, Value and Value1 are all DWORD (hex). 
Value and Value1 are ignored in some cases. 
Type(hex) 0: Do hardware clear boot. 
Type(hex) 8: Resets the device 
Type(hex) 7: Do flash ROM lock/unlock; Value: 1(lock) and 0(unlock). 
Type(hex) 1e: switches to eMapiMain+++ mode 
Type(hex) 28: Format NAND. (28 55aa will also reformat the "partition") 
Type(hex) 2a: fix bad blocks on MFG bootloader or Hard-SPL 1.30 (or after Task 32) 
Type(hex) 32: Checks your security level. Unprivileged: "Level=0xFF", SuperCID: "Level=0" 
Type(hex) 37: Sends KITL info (requires you to do Task 32 first unless on Hard-SPL) 
Type(hex) 3c: Sends "+SA_USB_Init" - Used for eMapi, removed in newer SPLs. 

Warning: "task 2a" formats your bootloader partition and might break your device. Do not run this command unless you are advised to do so!

This list is incomplete; if you know more, please edit!

Example commands issued by ROMUpgradeUt:

 
task 32    - Returns "Level= FF" if your device is CID locked, or "Level = 0" if your device is SuperCID 
task 8     - Reboots the device after ROMUpgradeUt finishes ROM upgrade. 

Output of task 28, which formats the NAND (Storage):

 
Storage format start 
Write Nand Success 
dwBlockToWrite = 13 
Storage start block: 462 
Storage Total block: 474 
Total Bad Block in CE: 0 
NeedToEraseBlockStart: 475 
Storage format success 

erase

 
Usage: 
 
 erase [StartAddr [Len]] 
 
Erase the content of flash ROM. 
StartAddr : Start address of ROM(default(hex)=a0040000). 
Len : How many bytes will be erased(default(hex)=40000). 

It should return either "T " for success or "F " for failure (encapsulated in an HTCS-HTCE block).


checksum

 
Usage: 
 
 checksum [StartAddr [Len]] 
 
Return CRC checksum of memory. 
StartAddr : Start address of ROM(default(hex)=A0000000). 
Len : How many bytes will be calculated. 
default(hex) = ROM total size - ((dwStartAddress & 0x0FFFFFFF) - (ROM_BASE & 0x0FFFFFFF)) 
In user mode: Show 4 bytes of CRC checksum value on display of terminal. 
In auto mode: Send 4 bytes of CRC checksum value to terminal with data format. 

checkimage

Returns the CRC checksums of the IPL, SPL, CE, ExtROM and Radio images.

Example:

 
USB>checkimage 
IPL CRC checksum = 0x19A4A13F 
SPL CRC checksum= 0x3BF03635 
CE CRC checksum = 0xC0E1751A 
ExtROM CRC checksum= 0x4F9844B0 
Radio Image CRC checksum = 0x724875C8 

info

 
Usage: 
 
 info [Type [Value]] 
 
Type(hex) 2: Get info for RUU software authentication of the PPC (16 bytes); [Value] (hex) is ignored. 
             Returns "HTCS" + CID + (4-byte checksum) + "HTCE" 
Type(hex) 3: Get binary information for RUU software (2,10Kbytes); [Value] (hex) is ignored. 
             Returns "HTCS" + binary data used by RUU to calculate the password + (4-byte checksum) + "HTCE" 
Type(hex) 4: Returns "HTCS" + CID + (4-byte checksum) + "HTCE" 
Type(hex) 5: Returns "IsAllBytesTheSame-: dwLength=8, bResult=0" 
Type(hex) 6: Get the information for password crypt (16 bytes); [Value] (hex) is ignored. 
             Returns "HTCS" + binary data (password crypt) + (4-byte checksum) + "HTCE" (redundant in newer SPLs) 
Type(hex) 7: Returns information about the bootloader 
Type(hex) 8: Returns information on blocks and partitions 

Examples:

 
USB>info 7 
HTC Integrated Re-Flash Utility, Common Base Version : 1.50a 
Device Name: H, Bootloader Version : 1.04 
Built at: May 26 2006 20:17:35 
Copyright (c) 1998-2006 High Tech Computer Corporation 
 
CPU ID=0x41129200 
Main CPLD version=0x5 
Upper CPLD version=0x4 
Main Board version=0x5 
 
USB>info 8 
Block 0x0(0) is Reversed block 
Block 0x1(1) is Reversed block 
Block 0x2(2) is Reversed block 
Block 0x3(3) is Reversed block 
Block 0x4(4) is Reversed block 
Block 0x5(5) is Reversed block 
Block 0x6(6) is Reversed block 
Block 0x7(7) is Reversed block 
Block 0x8(8) is Reversed block 
Block 0x9(9) is Reversed block 
Block 0xA(10) is Reversed block 
Block 0xB(11) is Reversed block 
Block 0xC(12) is Reversed block 
 
Partition[0], type=0x20, start=0x2, total=0x18FE 
Partition[1], type=0x23, start=0x1900, total=0x1700 
Partition[2], type=0x25, start=0x3000, total=0x19800 
Partition[3], type=0x4, start=0x1C800, total=0x1E000 
 
CE Total Length(with sector info) = 0x39E4000 
CE CheckSum Length(without sector info) = 0x3900000 
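The info 8 listing is the only partition map the bootloader gives you, so it is worth parsing rather than eyeballing. The following Python is an added example, not code from the original wiki page or from HTC: it parses the listing above (and the preproduction listing further down) into a partition table, counts the reserved blocks (the bootloader itself prints "Reversed"), and checks that each partition starts exactly where the previous one ends, which is how you spot a gap or overlap before trusting an address you intend to erase or write. The sample inputs are constructed from this page's own output; start and total are kept in whatever unit the bootloader prints, since the page does not name it, and the partition type codes are left uninterpreted.

```python
"""Parse 'info 8' output from the Hermes bootloader (added example)."""
import re

BLOCK_RE = re.compile(r"^Block 0x[0-9A-Fa-f]+\(\d+\) is (?:Reversed|Reserved) block", re.M)
PART_RE = re.compile(r"Partition\[(\d+)\], type=0x([0-9A-Fa-f]+), "
                     r"start=0x([0-9A-Fa-f]+), total=0x([0-9A-Fa-f]+)")
LEN_RE = re.compile(r"CE (Total|CheckSum) Length[^=]*=\s*0x([0-9A-Fa-f]+)")

# Constructed inputs, copied from the info 8 listings on this page.
_RESERVED = "\n".join(f"Block 0x{i:X}({i}) is Reversed block" for i in range(13))
INFO8_V104 = _RESERVED + """
Partition[0], type=0x20, start=0x2, total=0x18FE
Partition[1], type=0x23, start=0x1900, total=0x1700
Partition[2], type=0x25, start=0x3000, total=0x19800
Partition[3], type=0x4, start=0x1C800, total=0x1E000
CE Total Length(with sector info) = 0x39E4000
CE CheckSum Length(without sector info) = 0x3900000
"""
INFO8_V094 = _RESERVED + """
Partition[0], type=0x20, start=0x2, total=0x18FE
Partition[1], type=0x23, start=0x1900, total=0x1700
Partition[2], type=0x25, start=0x3000, total=0x1B300
CE Total Length(with sector info) = 0x3D51800
CE CheckSum Length(without sector info) = 0x3C60000
"""


def parse_info8(text):
    """Return reserved-block count, partition table and CE lengths.
    start/total stay in the unit the bootloader prints; the page does not name it."""
    parts = [
        {"index": int(i), "type": int(t, 16), "start": int(s, 16), "total": int(n, 16)}
        for i, t, s, n in PART_RE.findall(text)
    ]
    lengths = {k: int(v, 16) for k, v in LEN_RE.findall(text)}
    return {
        "reserved_blocks": len(BLOCK_RE.findall(text)),
        "partitions": parts,
        "ce_total": lengths.get("Total"),
        "ce_checksum": lengths.get("CheckSum"),
    }


def partitions_contiguous(parts):
    """True when every partition starts exactly where the previous one ends
    (start + total == next start); any gap or overlap returns False."""
    ordered = sorted(parts, key=lambda p: p["start"])
    return all(a["start"] + a["total"] == b["start"] for a, b in zip(ordered, ordered[1:]))


def flash_end(parts):
    """End of the last partition, i.e. the highest unit the table accounts for."""
    return max(p["start"] + p["total"] for p in parts)


if __name__ == "__main__":
    for name, listing in (("1.04", INFO8_V104), ("0.94", INFO8_V094)):
        info = parse_info8(listing)
        print(f"SPL {name}: {info['reserved_blocks']} reserved blocks, "
              f"{len(info['partitions'])} partitions, contiguous="
              f"{partitions_contiguous(info['partitions'])}, end=0x{flash_end(info['partitions']):X}")
```

Both listings on this page pass the contiguity check, so a failure on a real device is worth investigating before any task 28 or erase.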



rtask

 
Usage: 
 
 rtask [Type [Value]] 
 
Type(hex) 0: Reset radio; [Value] (hex) is ignored. 
Type(hex) 1: Turn on radio; please use types 3 and 4 instead. 
Type(hex) 2: Turn off radio; [Value] (hex) is ignored. 
Type(hex) 3: Run radio image; [Value] (hex) is ignored. 
Type(hex) 4: Run radio bootloader; [Value] (hex) is ignored. 
Type(hex) 5: GSM pre Burn In (19200). 
Type(hex) 6: GSM pre Burn In (115200). 
Type(hex) 7: Radio AT Command Debug without SD security key check (only for newer MFG BL) 
Type(hex) 8: GSM trace route. 
Type(hex) A: Talk to GSM bootloader. 
Type(hex) B: Radio AT Command Debug with SD security key check (for newer BL; use this for older) 

This command is only available in bootloader versions <= 1.04; it was removed in bootloader 1.06, so you cannot enter the radio bootloader or the GSM AT command interface unless you happen to have an MFG version.

To learn more about the radio bootloader and AT command interpreter read the Hermes radio bootloader wiki page.


wdatah

Seems to replace / extend the old wdata command, which writes data to memory (in newer SPLs it is called wdata again).
 
Usage: wdata [Len [StartAddr]] 
Write data to memory(if write to ROM, need erase first). 
StartAddr : Start address of memory. 
Len : How many bytes will be written. 
Length must not more than 0x80000 bytes(buffer limitation). 
 
Write to RAM: 4 bytes(CRC checksum limitation). 
         1 byte(in user mode). 
Write to ROM: 4 bytes(CRC checksum limitation). 
         2(16-bit)/4(32-bit) bytes(in user mode). 
Write to ROM(16-bit data bus): 32 bytes(writebuffer mode). 
Write to ROM(32-bit data bus): 64 bytes(writebuffer mode). 
Length must be 4 bytes boundary(CRC checksum) if not in user mode. 

After the command executes, the data is sent to the terminal. Data format: HTCS (4 bytes) + DATA + checksum (4 bytes, if not in user mode) + HTCE (4 bytes).

Password is needed to use this command (unless Hard-SPL):

 
USB>wdatah 
Command is Locked! 


Example commands issued by ROMUpgradeUt:

 
wdatah 80000 33d5115e 
wdatah 80000 723a520b 
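The HTCS ... HTCE framing appears three times on this page: info 2/3/4/6 replies, the "T "/"F " erase result, and the data sent for wdata. The following Python is an added example, not code from the original wiki page or from HTC, that implements both directions of that framing with the limits the wdata help text states (0x80000-byte buffer, 4-byte length alignment outside user mode, no checksum in user mode). The page does not say how the 4-byte checksum is computed or which byte order it uses, so CRC-32 little-endian is only a stand-in that the caller can replace through the checksum_fn argument. The decoder hands back whatever follows the frame (the "USB>" prompt seen in the preproduction output) and refuses a frame whose checksum does not match.

```python
"""HTCS ... HTCE framing used by info, erase and wdata (added example)."""
import zlib

HTCS, HTCE = b"HTCS", b"HTCE"
WDATA_MAX = 0x80000      # wdata buffer limitation from the help text


def stand_in_checksum(data):
    """ASSUMPTION: the page only says the checksum is 4 bytes. CRC-32 and
    little-endian byte order are stand-ins for the real routine."""
    return zlib.crc32(data) & 0xFFFFFFFF


def encode_frame(payload, user_mode=False, checksum_fn=stand_in_checksum):
    """Host -> device direction for wdata: HTCS + DATA [+ checksum] + HTCE.
    Outside user mode the length must be a multiple of 4 (checksum limitation)."""
    payload = bytes(payload)
    if len(payload) > WDATA_MAX:
        raise ValueError("payload exceeds the 0x80000-byte buffer")
    if not user_mode and len(payload) % 4:
        raise ValueError("length must be on a 4-byte boundary outside user mode")
    body = HTCS + payload
    if not user_mode:
        body += checksum_fn(payload).to_bytes(4, "little")
    return body + HTCE


def decode_frame(stream, user_mode=False, checksum_fn=stand_in_checksum, payload_len=None):
    """Device -> host direction for info/erase. Returns (payload, unconsumed_rest),
    so the prompt that follows the frame (e.g. b'USB>') is handed back untouched.
    Without payload_len the first HTCE after the header ends the frame, which is
    wrong if the payload itself can contain 'HTCE'; pass payload_len in that case."""
    stream = bytes(stream)
    start = stream.find(HTCS)
    if start < 0:
        raise ValueError("no HTCS header")
    data = start + len(HTCS)
    trailer = 0 if user_mode else 4
    if payload_len is None:
        end = stream.find(HTCE, data)
        if end < 0:
            raise ValueError("no HTCE trailer")
    else:
        end = data + payload_len + trailer
        if stream[end:end + len(HTCE)] != HTCE:
            raise ValueError("HTCE not where payload_len says it should be")
    if end - data < trailer:
        raise ValueError("frame too short to carry a checksum")
    payload = stream[data:end - trailer]
    if trailer and int.from_bytes(stream[end - 4:end], "little") != checksum_fn(payload):
        raise ValueError("checksum mismatch")
    return payload, stream[end + len(HTCE):]


def is_valid_frame(stream, **kw):
    """Convenience predicate: does the stream carry one well-formed frame?"""
    try:
        decode_frame(stream, **kw)
        return True
    except ValueError:
        return False


def erase_succeeded(stream, **kw):
    """Interpret an erase reply: 'T ' means success, 'F ' means failure."""
    payload, _ = decode_frame(stream, **kw)
    if payload == b"T ":
        return True
    if payload == b"F ":
        return False
    raise ValueError(f"unexpected erase reply {payload!r}")


if __name__ == "__main__":
    reply = encode_frame(b"SuperCID") + b"USB>"      # constructed info 4 style reply
    print(decode_frame(reply))
    print(erase_succeeded(encode_frame(b"T ", user_mode=True), user_mode=True))
```

Once the real checksum routine is known, drop it in as checksum_fn; nothing else changes, and a mismatch still surfaces as a ValueError rather than as a silently accepted CID or erase result.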

waddr

Deprecated command; on older devices it wrote to a specified address.


lnbs

 
Usage: 
 
 lnbs [pathname [StartAddr [Length [SkipOffset ["cp"]]]]] 
 
Download NBS file (signed NB) via MTTY. 
 
pathname : path to file to download 
StartAddr : Start address for downloading(default=80000000). 
Length : Length for downloading(default=FFFFFFFF). 
SkipOffset : SkipOffset for downloading(default=00040000). 
cp : Compare image with file data only. 
Seems to replace the old lnb, l and ls commands, which downloaded an NB0 (raw) or BIN file to ROM, except that the file must now be signed. Before running lnbs you need to run task 32, and it must report security level 0 (Level=0) for this command to be usable.

Basically the signed version of LNB.


LRS

lrs [StartAddr [pathname]]

LoadCertToRamAndGo

This loads a signed (NBS) image, usually a diag image, into RAM and jumps to it.

The non-signed version is LR, which only exists in MFG-compiled SPLs.


progress

Used to show a progress bar with the percentage of the ROM update.
Seems to do nothing on the Hermes (except on newer SPLs).


ruustart

Seems to start a special RUU mode, but does nothing on the Hermes (except on newer SPLs).


wdatas

Deprecated test command intended for old NBFs; it does not exist in newer SPLs.


btrouter

Used for programming Bluetooth, although how is unknown.


emapi

emapi ds is a secondary mode; both are intended for programming the WLAN with the TI tool "RadioScope".




Preproduction BootLoader output

HTC Hermes preproduction devices have security level 0 (SuperCID).
This is the output of some bootloader commands on such a device (IPL=0.16, SPL=0.94):

 
USB>task 32 
Level = 0 
USB>info 2 
HTCSSuperCID....HTCEUSB> 
USB>info 3 
HTCSHERM100SuperCID ..a....Em5..."/K.c...$.........PPH0.94.m..HTCEUSB> 
USB>info 4 
HTCSSuperCID....HTCEUSB> 
USB>info 6 
HTCST   ....HTCEUSB> 
USB>info 7 
 
HTC Integrated Re-Flash Utility, Common Base Version : 0.05 
Device Name: H, Bootloader Version : 0.94 
Built at: Feb 21 2006 14:11:43 
Copyright (c) 1998-2005 High Tech Computer Corporation 
 
CPU ID = 0x41129200 
USB>info 8 
Block 0x0(0) is Reversed block 
Block 0x1(1) is Reversed block 
Block 0x2(2) is Reversed block 
Block 0x3(3) is Reversed block 
Block 0x4(4) is Reversed block 
Block 0x5(5) is Reversed block 
Block 0x6(6) is Reversed block 
Block 0x7(7) is Reversed block 
Block 0x8(8) is Reversed block 
Block 0x9(9) is Reversed block 
Block 0xA(10) is Reversed block 
Block 0xB(11) is Reversed block 
Block 0xC(12) is Reversed block 
 
Partition[0], type=0x20, start=0x2, total=0x18FE 
Partition[1], type=0x23, start=0x1900, total=0x1700 
Partition[2], type=0x25, start=0x3000, total=0x1B300 
 
CE Total Length(with sector info) = 0x3D51800 
CE CheckSum Length(without sector info) = 0x3C60000 
USB>rbmc 
RBMCCommand+():*pArgs=.[..[..[..[..[..[.![.$[.'[.+[.rbmc, cArgs=1 
GetExtRomData+():*pszPathName=c:\temp\Mem.nb, dwStartAddress=57600000, dwLengt8 rbmc=55AB8Mem.nb 



