- 1 HTC Hermes BootLoader
- 2 Bootloader commands:
HTC Hermes BootLoader
The bootloader is the place where you can change the low-level software parameters, some hardware parameters of the Hermes, change and read the ROM as well as providing information about it.
The bootloader is invoked by pressing down both the POWER button and SIDE OK together and using the stylus at the same time to press the RESET button at the bottom.
The Hermes bootloader is very similar to other HTC devices bootloaders, but it lacks some important things:
- There is no help available.
- Commands to dump the ROM to a microSD card or restore a ROM from it have been removed.
You can connect to the bootloader over USB using the program mtty under Windows, or cu / pof's HTCflasher under Linux.
NOTE: If you use mtty you can't copy-paste, you MUST type the commands yourself.
Make sure you have disabled the USB connection in ActiveSync, before trying to connect to the bootloader:
File --> Connection settings --> uncheck "allow USB connections"
password
The password command takes a dynamically generated 16-byte password as argument; the generation scheme has been reverse engineered. Once you are authenticated it removes the protection on some commands like wdatah, which would otherwise return "Command is Locked!".
The information about the radio bootloader has been split off into the Hermes radio bootloader wiki page.
Some of this info has been taken from the help available in older HTC devices and may not be the same in the Hermes bootloader; see the Hermes-specific notes below each command.
Usage: set [Type [Value]]
Set control flags.
  Type(hex) : Control function types.
  Value(hex) : Setting values for types. If value is not given, default is 0.
  Type 0(Echo on/off): 1(on) and 0(off).
    cEchoFlag: Whether to echo all input. 1 to show what you type, 0 to stay quiet.
  Type 1(Operation mode): 1(auto) and 0(user).
    cOpModeFlag: Set to 0 for friendly return values, 1 for easy-to-parse return values (0 for users, 1 for programs).
  Type 2(Back color on/off): 1(on) and 0(off).
    cBackColorShowFlag: Whether to draw a background with text.
  Type 3(Inverse on/off): 1(on) and 0(off).
    cShowInverseFlag: Whether to inverse fore and background colors (1=yes, 0=no).
  Type 4(Front color value): 16 bits data.
    g_wFColor: Foreground color, 16-bit number, 5-6-5 bit compression.
  Type 5(Background color value): 16 bits data.
    g_wBColor: Background color, 16-bit number, 5-6-5 bit compression.
  Type 6(Set color of screen): Fill color to whole screen one time.
  Type 8(COMM queue flag): 0(TX_RX disable), 1(RX enable), 2(TX enable) and 3(TX_RX enable).
    g_cCommQueueFlag: Unknown.
  Type 14(action after reset): What to do after a reset. Set to 1 to go to bootloader after reset, set to 0 to start OS.
  Type 16(RUU Flag): setting it to 0 if your machine starts in bootloader mode may help to solve this problem.
  Type 1E(RUU command read/write flag): 1(unlock) and 0(lock).
Current flag settings:
  Type 0(Echo flag): cEchoFlag=(0x1).
  Type 1(Operation mode flag): cOpModeFlag=(0x0).
  Type 2(Back color flag): cBackColorShowFlag=(0x1).
  Type 3(Inverse flag): cShowInverseFlag=(0x0).
  Type 4(Front color): g_wFColor=(0x0).
  Type 5(Background color): g_wBColor=(0xFFFF).
  Type 6(Set color of screen): None.
  Type 8(COMM queue flag): g_cCommQueueFlag=(0x0).
  Type 1E(RUU command read/write flag): g_cRUUCommandRWFlag=(0x0).
Example commands issued by ROMUpgradeUt:
set 14 0 - start OS after a reset
set 5 7777 - change bg color
set 2 1 - change back color on
set 6 FFFF - screen color FFFF
set 1 0 - operation mode user
Usage: rbmc [FileName [StartAddr [Len]]]
Read back the memory content from the specified address to the host and save the data to the specified file name.
  FileName : Full file path for saving the memory data (default=c:\temp\Mem.nb).
  StartAddr : Start address of memory (default(hex)=A0000000).
  Len : How many bytes will be read. If no value is given, it is: Total ROM size on board - ((StartAddress & 0x0FFFFFFF) - (ROM base address(0) & 0x0FFFFFFF)).
NOTE: To use rbmc you need to:
- authenticate with proper password
- type the command 'set 1e 1' before every rbmc command
- use the right syntax for rbmc command
- be seclevel=0 (not sure, if you know please edit)
otherwise the bootloader returns "Command error !!!" or "Command is Locked!". (If you're using Hard-SPL, this is unlocked, and any address can be read with 2.30.Olipro.)
Usage: password [string]
Enter the password string to enable the wdata, erase and rbmc functions.
See more info on the bootloader password here.
Newer SPL takes a static password of BsaD5SeoA (or ignored on Hard-SPL)
Usage: shmsg [Row [Col ["String"]]]
Show texts on display.
  Row(hex) : 0 - 17(11).
  Col(hex) : 0 - 12(C).
  Text String : The string which will be shown on display.
Example commands issued by ROMUpgradeUt:
shmsg 3 d "50%"
shmsg 9 8 " Completed "
(this is used on older SPL)
Usage: prouter [[PortID1[Baud1[PortID2[Baud2]]]]]
Port Router: Construct data path between two ports.
  PortID1: PortID1 number (default=6).
  Baud1: Baud rate1 select (default=5).
  PortID2: PortID2 number (default=0).
  Baud2: Baud rate2 select (default=5).
  Port ID: 0(ACTIVE_PORT), 1(PPSH_CABLE), 2(PPSH_SERIAL2), 3(PPSH_PAR1), 4(USB_CABLE), 5(ON_BOARD_FFUART), 6(ON_BOARD_BTUART), 7(ON_BOARD_STUART) and 9(DPRAM_MEMORY).
  Baud Rate: 1(9600), 2(19200), 3(38400), 4(57600), 5(115200), 6(230400), 7(460800) and 8(921600).
Usage: task [Type [Value [Value1]]]
Type, Value and Value1 are all DWORD(hex). Value and Value1 are ignored in some cases.
  Type(hex) 0: Do hardware clear boot.
  Type(hex) 8: Resets the device.
  Type(hex) 7: Do flash ROM lock/unlock; Value: 1(lock) and 0(unlock).
  Type(hex) 1e: Switches to eMapiMain+++ mode.
  Type(hex) 28: Format NAND. (28 55aa will also reformat the "partition".)
  Type(hex) 2a: Fix bad blocks on MFG bootloader or Hard-SPL 1.30 (or after Task 32).
  Type(hex) 32: Checks your security level. Unprivileged: "Level=0xFF", SuperCID: "Level=0".
  Type(hex) 37: Sends KITL info (requires you to do Task 32 first unless on Hard-SPL).
  Type(hex) 3c: Sends "+SA_USB_Init" - used for eMapi, removed in newer SPLs.
Warning: "task 2a" formats your bootloader partition and might break your device. Do not run this command unless you are advised to do so!
This is incomplete, if you know please edit!
Example commands issued by ROMUpgradeUt:
task 32 - Returns "Level= FF" if your device is CID locked, or "Level = 0" if your device is SuperCID
task 8 - Reboots the device after ROMUpgradeUt finishes the ROM upgrade.
Output of task 28, which formats NAND (Storage):
Storage format start
Write Nand Success
dwBlockToWrite = 13
Storage start block: 462
Storage Total block: 474
Total Bad Block in CE: 0
NeedToEraseBlockStart: 475
Storage format success
Usage: erase [[StartAddr [Len]]]
Erase the content of flash ROM.
  StartAddr : Start address of ROM (default(hex)=a0040000).
  Len : How many bytes will be erased (default(hex)=40000).
It should either return "T " for success or "F " for failure (encapsulated in the HTCS-HTCE block).
Usage: checksum [[StartAddr [Len]]]
Return CRC checksum of memory.
  StartAddr : Start address of ROM (default(hex)=A0000000).
  Len : How many bytes will be calculated. default(hex) = ROM total size - ((dwStartAddress & 0x0FFFFFFF) - (ROM_BASE & 0x0FFFFFFF)).
In user mode: Show 4 bytes of CRC checksum value on display of terminal.
In auto mode: Send 4 bytes of CRC checksum value to terminal with data format.
Returns the CRC checksums of IPL, SPL, CE, ExtROM and Radio Image.
USB>checkimage
IPL CRC checksum = 0x19A4A13F
SPL CRC checksum= 0x3BF03635
CE CRC checksum = 0xC0E1751A
ExtROM CRC checksum= 0x4F9844B0
Radio Image CRC checksum = 0x724875C8
Usage: info [[Type [Value]]]
  Type(hex) 2: Get info for RUU software authentication for the PPC (16 bytes); Value (hex) is ignored. Returns "HTCS" + CID + (4-byte checksum) + "HTCE".
  Type(hex) 3: Get binary information for RUU software (2,10 Kbytes); Value (hex) is ignored. Returns "HTCS" + binary data used by RUU to calculate the password + (4-byte checksum) + "HTCE".
  Type(hex) 4: Returns "HTCS" + CID + (4-byte checksum) + "HTCE".
  Type(hex) 5: Returns "IsAllBytesTheSame-: dwLength=8, bResult=0".
  Type(hex) 6: Get the information for password crypt (16 bytes); Value (hex) is ignored. Returns "HTCS" + binary data (password crypt) + (4-byte checksum) + "HTCE" (redundant in newer SPLs).
  Type(hex) 7: Returns information about the bootloader.
  Type(hex) 8: Returns information on blocks and partitions.
USB>info 7
HTC Integrated Re-Flash Utility, Common Base Version : 1.50a
Device Name: H, Bootloader Version : 1.04
Built at: May 26 2006 20:17:35
Copyright (c) 1998-2006 High Tech Computer Corporation
CPU ID=0x41129200
Main CPLD version=0x5
Upper CPLD version=0x4
Main Board version=0x5
USB>info 8
Block 0x0(0) is Reversed block
Block 0x1(1) is Reversed block
Block 0x2(2) is Reversed block
Block 0x3(3) is Reversed block
Block 0x4(4) is Reversed block
Block 0x5(5) is Reversed block
Block 0x6(6) is Reversed block
Block 0x7(7) is Reversed block
Block 0x8(8) is Reversed block
Block 0x9(9) is Reversed block
Block 0xA(10) is Reversed block
Block 0xB(11) is Reversed block
Block 0xC(12) is Reversed block
Partition[], type=0x20, start=0x2, total=0x18FE
Partition[], type=0x23, start=0x1900, total=0x1700
Partition[], type=0x25, start=0x3000, total=0x19800
Partition[], type=0x4, start=0x1C800, total=0x1E000
CE Total Length(with sector info) = 0x39E4000
CE CheckSum Length(without sector info) = 0x3900000
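As an added example (not from the page or from HTC's tools), the following Python parses a captured info 8 listing like the one above into its reserved blocks and partition entries and checks that consecutive partitions are contiguous, reporting any gap or overlap; the sample input is constructed from the listing shown, with a second copy deliberately shifted by one block.

```python
import re

# Line shapes seen in the bootloader's "info 8" output.
RESERVED_RE = re.compile(r"Block 0x([0-9A-Fa-f]+)\(\d+\) is Reversed block")
PARTITION_RE = re.compile(
    r"Partition\[\], type=0x([0-9A-Fa-f]+), start=0x([0-9A-Fa-f]+), total=0x([0-9A-Fa-f]+)")

def parse_info8(text):
    """Return (reserved_blocks, partitions); each partition is (type, start, total) as ints."""
    reserved = [int(b, 16) for b in RESERVED_RE.findall(text)]
    partitions = [tuple(int(x, 16) for x in m) for m in PARTITION_RE.findall(text)]
    return reserved, partitions

def check_layout(partitions):
    """Report gaps or overlaps between consecutive partitions (empty list = contiguous)."""
    issues = []
    for (t1, s1, n1), (t2, s2, _) in zip(partitions, partitions[1:]):
        end = s1 + n1  # first block after partition t1
        if end < s2:
            issues.append(f"gap of 0x{s2 - end:X} blocks after type 0x{t1:X}")
        elif end > s2:
            issues.append(f"type 0x{t1:X} overlaps type 0x{t2:X} by 0x{end - s2:X} blocks")
    return issues

# Constructed sample: the SPL 1.04 listing from the page (reserved lines abbreviated),
# plus a copy whose last partition starts one block early to show an overlap report.
SAMPLE_GOOD = """Block 0x0(0) is Reversed block
Block 0xC(12) is Reversed block
Partition[], type=0x20, start=0x2, total=0x18FE
Partition[], type=0x23, start=0x1900, total=0x1700
Partition[], type=0x25, start=0x3000, total=0x19800
Partition[], type=0x4, start=0x1C800, total=0x1E000
"""
SAMPLE_OVERLAP = SAMPLE_GOOD.replace("start=0x1C800", "start=0x1C7FF")

if __name__ == "__main__":
    for name, text in (("good", SAMPLE_GOOD), ("overlap", SAMPLE_OVERLAP)):
        reserved, parts = parse_info8(text)
        print(name, "reserved:", reserved, "issues:", check_layout(parts) or "none")
```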
Usage: rtask [[Type [Value]]]
  Type(hex) 0: Reset radio; Value (hex) is ignored.
  Type(hex) 1: Turn on radio; please use types 3 and 4 instead.
  Type(hex) 2: Turn off radio; Value (hex) is ignored.
  Type(hex) 3: Run radio image; Value (hex) is ignored.
  Type(hex) 4: Run radio bootloader; Value (hex) is ignored.
  Type(hex) 5: GSM pre Burn In (19200).
  Type(hex) 6: GSM pre Burn In (115200).
  Type(hex) 7: Radio AT Command Debug without SD security key check (only for newer MFG BL).
  Type(hex) 8: GSM trace route.
  Type(hex) A: Talk to GSM bootloader.
  Type(hex) B: Radio AT Command Debug with SD security key check (for newer BL; use this for older).
This command is only available in bootloader versions <= 1.04; it has been removed in bootloader 1.06, so you cannot enter the radio bootloader or the GSM AT command interface unless you happen to have an MFG version.
To learn more about the radio bootloader and AT command interpreter read the Hermes radio bootloader wiki page.
wdatah
Seems to replace / extend the old wdata command, which writes data to memory (in newer SPLs, this is wdata again).
Usage: wdata [[Len [StartAddr]]]
Write data to memory (if writing to ROM, erase first).
  StartAddr : Start address of memory.
  Len : How many bytes will be written. Length must not be more than 0x80000 bytes (buffer limitation).
    Write to RAM: 4 bytes (CRC checksum limitation). 1 byte (in user mode).
    Write to ROM: 4 bytes (CRC checksum limitation). 2(16-bit)/4(32-bit) bytes (in user mode).
    Write to ROM (16-bit data bus): 32 bytes (writebuffer mode).
    Write to ROM (32-bit data bus): 64 bytes (writebuffer mode).
    Length must be on a 4-byte boundary (CRC checksum) if not in user mode.
After the command is executed, send the data to the terminal. Data format: HTCS(4 bytes)+DATA+checksum(4 bytes, if not in user mode)+HTCE(4 bytes).
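The HTCS...HTCE framing above is the same one the erase reply ("T " / "F ") and the info 2/3/4/6 replies use. As an added example that is not part of the page or of any HTC tool, this Python extracts the payload and raw checksum from captured terminal bytes and interprets an erase reply; the checksum algorithm is not documented on the page, so the 4 bytes are returned unverified, and the session bytes are constructed.

```python
# Framing described on the page: "HTCS" + DATA + 4-byte checksum (omitted in user mode) + "HTCE".
HEADER, TRAILER, CHECKSUM_LEN = b"HTCS", b"HTCE", 4

def parse_htc_frame(raw, payload_len=None, user_mode=False):
    """Extract one frame from captured terminal bytes.

    Returns (payload, checksum, offset_after_frame); checksum is None in user mode.
    The checksum algorithm is not documented on the page, so it is returned raw,
    not verified. Raises ValueError when the framing is broken.
    """
    start = raw.find(HEADER)
    if start < 0:
        raise ValueError("no HTCS header")
    data_start = start + len(HEADER)
    csum_len = 0 if user_mode else CHECKSUM_LEN
    if payload_len is not None:
        # Known payload size (e.g. a 16-byte blob): require the trailer at the exact
        # offset, since binary DATA or the checksum bytes could themselves contain "HTCE".
        end = data_start + payload_len + csum_len
        if raw[end:end + len(TRAILER)] != TRAILER:
            raise ValueError("HTCE trailer not at expected offset")
    else:
        end = raw.find(TRAILER, data_start)
        if end < 0:
            raise ValueError("no HTCE trailer")
    body = raw[data_start:end]
    if len(body) < csum_len:
        raise ValueError("frame too short to hold a checksum")
    checksum = body[-csum_len:] if csum_len else None
    return body[:len(body) - csum_len], checksum, end + len(TRAILER)

def erase_succeeded(raw):
    """Interpret an erase reply: payload "T " means success, "F " means failure."""
    payload, _, _ = parse_htc_frame(raw)
    if payload.startswith(b"T "):
        return True
    if payload.startswith(b"F "):
        return False
    raise ValueError(f"unexpected erase payload {payload!r}")

# Constructed session: an "info 4" reply (8-byte CID + 4 checksum bytes) followed by an erase reply.
SESSION = b"USB>info 4\r\nHTCSSuperCID\x01\x02\x03\x04HTCEUSB>erase\r\nHTCST \x00\x00\x00\x00HTCEUSB>"

if __name__ == "__main__":
    cid, csum, nxt = parse_htc_frame(SESSION, payload_len=8)
    print("CID:", cid, "checksum:", csum.hex(), "erase ok:", erase_succeeded(SESSION[nxt:]))
```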
A password is needed to use this command (unless Hard-SPL):
USB>wdatah
Command is Locked!
Example commands issued by ROMUpgradeUt:
wdatah 80000 33d5115e
wdatah 80000 723a520b
Deprecated command; on older devices it should write to a specified address.
Usage: lnbs [[pathname [StartAddr [Length [SkipOffset ["cp"]]]]]]
Download NBS file (signed NB) via MTTY.
  pathname : path to file to download.
  StartAddr : Start address for downloading (default=80000000).
  Length : Length for downloading (default=FFFFFFFF).
  SkipOffset : SkipOffset for downloading (default=00040000).
  cp : Compare image with file data only.
Seems to replace the old ls command, which downloads an NB0 (raw) or BIN file to ROM, but now the file must be signed. Prior to running lnbs you need to run 'task 32' and it must return SecLevel=0 to use this command.
Basically the signed version of LNB.
Usage: lrs [StartAddr [pathname]]
This will load a signed (NBS) image (usually a diag image) to RAM and jump to it.
The non-signed version is LR; it only exists for MFG-compiled SPL though.
Used to show a progress bar for percentage of rom update.
Seems to do nothing on the Hermes (except on new SPL)
Seems to start a special RUU mode, but does nothing on the Hermes. (except on new SPL)
Deprecated test command, intended for old NBFs, doesn't exist in newer SPL.
Used for programming Bluetooth, although no idea how.
emapi ds is a secondary mode; both of these are intended for programming the WLAN using the TI tool "RadioScope".
Preproduction BootLoader output
HTC Hermes preproduction devices have security level=0 (SuperCID).
This is the output of some bootloader commands (IPL=0.16, SPL=0.94):
USB>task 32
Level = 0
USB>info 2
HTCSSuperCID....HTCEUSB>
USB>info 3
HTCSHERM100SuperCID ..a....Em5..."/K.c...$.........PPH0.94.m..HTCEUSB>
USB>info 4
HTCSSuperCID....HTCEUSB>
USB>info 6
HTCST ....HTCEUSB>
USB>info 7
HTC Integrated Re-Flash Utility, Common Base Version : 0.05
Device Name: H, Bootloader Version : 0.94
Built at: Feb 21 2006 14:11:43
Copyright (c) 1998-2005 High Tech Computer Corporation
CPU ID = 0x41129200
USB>info 8
Block 0x0(0) is Reversed block
Block 0x1(1) is Reversed block
Block 0x2(2) is Reversed block
Block 0x3(3) is Reversed block
Block 0x4(4) is Reversed block
Block 0x5(5) is Reversed block
Block 0x6(6) is Reversed block
Block 0x7(7) is Reversed block
Block 0x8(8) is Reversed block
Block 0x9(9) is Reversed block
Block 0xA(10) is Reversed block
Block 0xB(11) is Reversed block
Block 0xC(12) is Reversed block
Partition[], type=0x20, start=0x2, total=0x18FE
Partition[], type=0x23, start=0x1900, total=0x1700
Partition[], type=0x25, start=0x3000, total=0x1B300
CE Total Length(with sector info) = 0x3D51800
CE CheckSum Length(without sector info) = 0x3C60000
USB>rbmc
RBMCCommand+():*pArgs=.[..[..[..[..[..[.![.$[.'[.+[.rbmc, cArgs=1
GetExtRomData+():*pszPathName=c:\temp\Mem.nb, dwStartAddress=57600000, dwLengt8 rbmc=55AB8Mem.nb