EDIT (Apr 4th 2007):
The following is OLD info; use pof's unlocker v3a for automatic SIM unlock, reported to work well with post-Dec 2nd X01HT...
Read further ONLY if you want to unlock your phone manually.
NOTE: Radio flashing doesn't seem to work with the newest X01HT ("white" or "March batch") because the radio bootloader version has changed! This also means that you can't SIM-unlock this phone version just yet...
* * * MANUAL SIM UNLOCK * * *
Basically it is very safe to flash Hermes phones using Olipro's Hard-SSPL 1.40 bootloader, especially on new devices with 0108 radio bootloaders, like our precious X01HT! Also, it's time to elaborate on this in more detail...
WARNING: You are doing this at your own risk!
The procedure for unlocking and flashing:
Prevent bricking. Flash Olipro's Hard-SSPL 1.40!
This is the most important step. By doing this you prevent many bricking scenarios!
1a. On a new X01HT (or any other working phone), download and run Des's SSPL 1.09. Copy SSPL.exe to the phone or SD card and just run it from the phone's file explorer. When you enter the bootloader, you'll see the 'rainbow' screen and something like "SPL-1.09Des" is displayed.
1b. Download Olipro's Hard-SSPL-V6. Make sure you have disabled the USB connection in ActiveSync before you continue. Plug your phone into a USB port, run RomUpgrade.exe and follow the steps. You can also choose the 'Force SSPL' option, in which case you can skip step 1a, but then you have to keep the ActiveSync USB connection on. After you finish, the phone will reset itself. If you enter the bootloader you should see something like "SPL-1.40.Olipro".
SIM unlock. Flashing pof's 1.18 radio only & manual unlock!
2a. Download pof's unlocker v3, NBHTool and CustomRUU_V4. Use NBHTool to extract pof's modified radio (NBH to NB option) from HERM_unlocker_v3.nbh (you will find that file in the v3 unlocker archive). After extracting, delete the IPL and SPL files and leave only the radio. Now use NBHTool again to create a signed radio file (NB to NBH), and save it to the same folder as RUUWrapper.exe.
2b. Now run RUUWrapper and flash pof's radio. Enter the bootloader on the phone and disable the USB connection in ActiveSync. The radio should flash in 5-6 minutes and the phone will reset.
2c. Insert a SIM card other than SoftBank's and enter the unlock code: 22051978. Now your phone should be unlocked! If you want to stay with SoftBank's ROM, you'll need the welcome.exe tweak to prevent SoftBank's idiotic OS SIM lock.
(Optional) Flashing other ROMs and RADIOs.
Use NBHTool and CustomRUU_V4 to upgrade. First extract the ROM, ExtROM and radio files you want to flash from shipped RUUs. If you really want SuperCID (it is not needed anymore because the ExtROM can be unlocked another way) you can run pof's v3 unlocker from the phone. I do not advise doing that because it might void your warranty!
It is also wise to flash new radios separately from OS flashing.
Good luck!
I am interested in your post.
Is it safe to flash 1.01mfg to my 1.09 bootloader? And can I do it with SSPL?
You can flash bootloader 1.01 on CID locked phone ONLY by using SSPL.
Zgembo said:
You can flash bootloader 1.01 on CID locked phone ONLY by using SSPL.
Thank you for the reply. You said CID locked; does that mean a phone which does not have SuperCID? Sorry about the question, because the phrase "CID locked" is not usually used. Or do you mean CID unlocked?
And I think your method mainly differs from the others in that you think we should flash bootloader 1.01 first. And if something goes wrong, we can use the lnb command in bootloader mode to fix it, which bootloader 1.09 does not support.
And if you do not SuperCID your device, how could the OS ROM HTC 2.05.255.1 you said ran on the X01HT? It is not the right CID...
Am I right? Thank you very much.
seems to work...
Zgembo said:
I tried with another SIM card; it works, but I can't determine if I have the No-GSM problem, because here in Japan there is no GSM at all...
I tried using my brother's SIM card from the Philippines and it can read it; the SIM Menu appears. I'm still in Japan so I can't be sure if I can get a GSM signal when I go to the Philippines.
confirm please
Can anyone confirm if Zgembo's procedure will work on GSM networks? It will be a great help!
SSPL
qvik123 said:
And if you do not SuperCID your device, how could the OS ROM HTC 2.05.255.1 you said ran on the X01HT? It is not the right CID...
Am I right? Thank you very much.
That's what SSPL.exe does for us: it allows us to flash any ROM we want without worrying about the bootloader version. It makes the upgrader think the Hermes is SuperCID.
@jello_e:
I did not flash the HTC 2.05 OS using SSPL; I was using bootloader 1.01, lnb commands to be precise. I flashed the ExtROM and OS ROM extracted from the HTC 2.05 ROM, ExtROM first! Here is the log:
Code:
USB>
USB>task 32
Level = 0
USB>lnb 04_ExtROM.nb 57500000
:F=04_ExtROM.nb
:A=57500000
:O=00000000
:L=FFFFFFFF
start NB image downloadS
Load ADDR: 57500000 Length: AAA000
H***************************************
****************************************
*******LAST BLOCK, dwBytesCollected=0x16000
Code entry point at 0x57FA0000
USB>task 32
Level = 0
USB>task 28
Storage format start
Write Nand Success
dwBlockToWrite = 13
Storage start block: 491
Storage Total block: 445
Total Bad Block in CE: 0
NeedToEraseBlockStart: 504
Storage format success
USB>lnb 06_OS.nb
:F=06_OS.nb
:A=501A0000
:O=00000000
:L=FFFFFFFF
start NB image downloadSH
Load ADDR: 501A0000 Length: 39E4000
***************************************
****************************************
****************************************
****************************************
****************************************
****************************************
****************************************
****************************************
****************************************
****************************************
****************************************
*************************LAST BLOCK, dwBytesCollected=0x1C000
Code entry point at 0x53B80000
Write Nand Success
USB>task 28
Storage format start
Write Nand Success
dwBlockToWrite = 13
Storage start block: 473
Storage Total block: 463
Total Bad Block in CE: 0
NeedToEraseBlockStart: 486
Storage format success
USB>task 8
qvik123 said:
Thank you for the reply. You said CID locked; does that mean a phone which does not have SuperCID? Sorry about the question, because the phrase "CID locked" is not usually used. Or do you mean CID unlocked?
And I think your method mainly differs from the others in that you think we should flash bootloader 1.01 first. And if something goes wrong, we can use the lnb command in bootloader mode to fix it, which bootloader 1.09 does not support.
And if you do not SuperCID your device, how could the OS ROM HTC 2.05.255.1 you said ran on the X01HT? It is not the right CID...
Am I right? Thank you very much.
Bootloader 1.01 allows us to flash any ROM, no previous SuperCID unlocking is necessary... But to get 1.01 bootloader you need "virtual" SuperCID status, and we can accomplish that using SSPL...
Zgembo said:
Bootloader 1.01 allows us to flash any ROM, no previous SuperCID unlocking is necessary... But to get 1.01 bootloader you need "virtual" SuperCID status, and we can accomplish that using SSPL...
Thank you for the reply. I just successfully flashed 1.01mfg with SSPL. Then I pressed OK & PWR to activate it; it shows
HERM200
IPL-1.01
HERM200 MFG
SPL-1.01
on the device, and when I use mtty to test, here is the result
USB>
USB>task 32
Level = FF
USB>info 2
HTCSVODAK801彌?HTCEUSB>
USB>lnb
Command error !!!
USB>
So I guess I still cannot flash an OS ROM using 1.01mfg.
"But to get 1.01 bootloader you need "virtual" SuperCID status, and we can accomplish that using SSPL..." Do you mean I still need to run SSPL to flash the ext ROM and OS ROM? How does SSPL create a virtual SuperCID for 1.01mfg?
And I still have not flashed the custom radio; would that be a reason for the command response above instead of Level = 0 like yours?
Thank you!
please elaborate
Zgembo said:
OK, I took a minor risk and tried to flash my post-Dec 2nd X01HT in a non-standard way. Here is the procedure, or what I've done:
0. PREPARED by hard-resetting the Hermes and not allowing the Extended ROM to run (soft reset right after hard reset, when "Customizing device..." started).
1. Ran SSPL-HERM from the phone http://forum.xda-developers.com/showthread.php?t=293651
2. Flashed Hermes bootloader 1.01 http://wiki.xda-developers.com/index.php?pagename=Hermes_BootloaderMFG
3. Restarted the Hermes and used SSPL-HERM again to flash pof's custom radio 1.18 manually (run RUU/ROMUpgradeUt.exe) http://pof.eslack.org/hermes-unlocker/
4. Restarted the Hermes and flashed the HTC 2.05.255.1 shipped Extended ROM and OS ROM using bootloader 1.01 ONLY! (I flashed the Extended ROM first, and then, without restarting, the OS ROM) http://wiki.xda-developers.com/index.php?pagename=Hermes_BootloaderMFG
5. Inserted a non-SoftBank SIM and restarted. Manually input the SIM unlock code: 22051978
That's it. I only tried with the 2.05 HTC test ROM but there is no reason for this procedure not to work with other ROMs...
I tried with another SIM card; it works, but I can't determine if I have the No-GSM problem, because here in Japan there is no GSM at all...
Good luck!
Zgembo, thanks for this new technique! More will appreciate it if you elaborate on the steps a little bit more. This is the stuff most of us in Japan are waiting for. I hope Pof comments on this thread as most people trust his opinions, and if the Masters here, including Zgembo, could back these steps up and confirm then we'll have a happier Hermes world!
superCID
@Zgembo: hmmm, I think this is a little off topic, but I was trying to follow your procedure step by step, and before going to step 1 I tried info 2 using mtty and it says my device is SuperCID. Maybe the SuperCID option in pof's unlocker v3 did stick.
note:
- I was on the HTC 1.35 ROM from S. Africa... (locked 1.09 X01HT)
- used pof's unlocker v3, successfully unlocked and SuperCID'ed.
- re-flashed the SoftBank ROM bl 1.09 using SD card.
jello_e said:
Zgembo, thanks for this new technique! More will appreciate it if you elaborate on the steps a little bit more. This is the stuff most of us in Japan are waiting for. I hope Pof comments on this thread as most people trust his opinions, and if the Masters here, including Zgembo, could back these steps up and confirm then we'll have a happier Hermes world!
I have the same idea; thanks a lot for this. And waiting for further comments from senior profs. This is really a SAFE way to flash the X01HT, and even other phones.
Finally I successfully flashed the WM6 XDA Live OS ROM with this method. Here is the mtty log and I hope it will be helpful for the others.
Note that 02_OS.nb is the file extracted from the xda-live 0.10 ROM.
Code:
USB>task 32
Level = 0
USB>task 28
Storage format start
Write Nand Success
dwBlockToWrite = 13
Storage start block: 491
Storage Total block: 445
Total Bad Block in CE: 0
NeedToEraseBlockStart: 504
Storage format success
USB>lnb 02_OS.nb
:F=02_OS.nb
:A=501A0000
:O=00000000
:L=FFFFFFFF
start NB image downloadS
Load ADDR: 501A0000 Length: 43CB000
H***************************************
****************************************
****************************************
****************************************
****************************************
****************************************
****************************************
****************************************
****************************************
****************************************
****************************************
****************************************
****************************************
************************LAST BLOCK, dwBytesCollected=0x15000
Code entry point at 0x54560000
Write Nand Success
USB>task 28
Storage format start
Write Nand Success
dwBlockToWrite = 13
Storage start block: 534
Storage Total block: 402
Total Bad Block in CE: 0
NeedToEraseBlockStart: 547
Storage format success
USB>task 8
qvik123 said:
Thank you for the reply. I just successfully flashed 1.01mfg with SSPL. Then I pressed OK & PWR to activate it; it shows
HERM200
IPL-1.01
HERM200 MFG
SPL-1.01
on the device, and when I use mtty to test, here is the result
USB>
USB>task 32
Level = FF
USB>info 2
HTCSVODAK801彌?HTCEUSB>
USB>lnb
Command error !!!
USB>
So I guess I still cannot flash an OS ROM using 1.01mfg.
"But to get 1.01 bootloader you need "virtual" SuperCID status, and we can accomplish that using SSPL..." Do you mean I still need to run SSPL to flash the ext ROM and OS ROM? How does SSPL create a virtual SuperCID for 1.01mfg?
And I still have not flashed the custom radio; would that be a reason for the command response above instead of Level = 0 like yours?
Thank you!
It seems you should have flashed pof's unlocker radio prior to flashing from bootloader 1.01... Anybody to confirm this?
jello_e said:
Zgembo, thanks for this new technique! More will appreciate it if you elaborate on the steps a little bit more. This is the stuff most of us in Japan are waiting for. I hope Pof comments on this thread as most people trust his opinions, and if the Masters here, including Zgembo, could back these steps up and confirm then we'll have a happier Hermes world!
I will elaborate in detail later... I understand it could be a language problem for Japanese users too; unfortunately my Japanese is not good enough to provide detailed info... Could someone help?
Zgembo said:
It seems you should have flashed pof's unlocker radio prior to flashing from bootloader 1.01... Anybody to confirm this?
Yes, that is right. Finally, I flashed pof's radio and then the radio level became 0 and I can use lnb as well.
I think as long as you have hermimg.nbh and an SD card, you can always recover from the "No GSM" or "stuck on bootloader/white screen" error.
I did a do-or-die thing with my Hermes and I think the risk paid off...
I flashed the HTC 2.05.255.1 test ROM after using pof's unlocker v3 and I never had the "no GSM" error.
Popped in a Docomo SIM and it works...
Popped in a GSM SIM and the STK Menu appeared; SIM manager can read the SIM card... although I have no way of testing the GSM signal. The phone doesn't reject the SIM card, it just simply says "No Service", which is an obvious fact. Now all I have to do is go back home to the Philippines and test if GSM works... or if a good soul can do what I did and is in a GSM country now, a confirmation would be nice.
wooohoooo
qvik123 said:
I have the same idea; thanks a lot for this. And waiting for further comments from senior profs. This is really a SAFE way to flash the X01HT, and even other phones.
Not just a SAFE way to flash but a SAFE way to unlock our darn S-ftbank phones.
How does the X01HT react to the XDA Live ROM? Any bugs so far?
jello_e said:
Not just a SAFE way to flash but a SAFE way to unlock our darn S-ftbank phones.
How does the X01HT react to the XDA Live ROM? Any bugs so far?
The only "bug" I have is that when the screen is locked sometimes the soft buttons don't change to "unlock".
Also, no way to access flat-rate after April 1st.
same old prob...
jokinawa said:
Also, no way to access flat-rate after April 1st.
Same old problem, huh... I can't believe SoftBank... really... off topic, but hell, it is so frustrating!!!
Related
Are there any downsides to downgrading to bootloader v1.04?
Does v1.06 have anything extra that v1.04 doesn't?
I have an X01HT (v1.06)
Is it possible that future ROM upgrades could be tied to the bootloader version?
Thanks
tle said:
Are there any downsides to downgrading to bootloader v1.04?
Bootloader 1.06 enforces CID checking, bootloader 1.04 doesn't.
Bootloader 1.06 doesn't have the 'rtask' command, bootloader 1.04 does.
The rtask command allows you to do some "interesting" things, for example enter the radio bootloader and the GSM AT command interface, where you can type AT commands to the phone from the bootloader. Read the wiki Hermes bootloader page for more info.
tle said:
Does v1.06 have anything extra that v1.04 doesn't? I have an X01HT (v1.06)
No, it has fewer things... the rtask command was removed.
The "extra" thing is that your CID is checked when flashing a ROM, so you can't flash ROMs that are made for other Hermes devices such as the HTC TyTN or Cingular 8525 on your X01HT.
tle said:
Is it possible that future ROM upgrades could be tied to the bootloader version?
It is possible, but unlikely to happen; it shouldn't worry you too much now.
Thanks for the quick reply, pof.
I guess that if a ROM were to be tied to bootloader v1.06 then someone would have to make a bootloader-only upgrade... Do you foresee any potential issues there (excluding copyright issues)?
Thanks
tle said:
I guess that if a ROM were to be tied to bootloader v1.06 then someone would have to make a bootloader-only upgrade... Do you foresee any potential issues there (excluding copyright issues)?
No issues at all, and no "bootloader only upgrade" needed... if you are on 1.04 you just have to flash any ROM containing bootloader 1.06 to have bootloader 1.06 on your device. Then you could do the 'tied-to-1.06' upgrade.
But at the moment 1.06 and 1.04 are very similar; the only difference I've noticed is the 'rtask' command and CID checking. The rtask command also allows you to go to the radio bootloader and flash the 'extracted radio rom upgrades' (using rwdata), so you can't do a radio-only upgrade in 1.06 at the moment.
Anyway... I am investigating a way to provide an alternative method to go from 1.06 to 1.04 without copyright issues (as with the previous method from imei-check). Now I can jump from WinCE to IPL at physical address 0x0000000 and then the IPL reads the SPL from flash and executes it correctly.
The next step is to load the nb file for SPL 1.04 and place it in RAM at 0x3000000, and instead of jumping to IPL jump to SPL. When this is done it will be possible to downgrade the bootloader for those of you on 1.06.
Sounds like you are close to a solution. I read in another thread that you said you are not a WinCE programmer, but you seem to have a good grasp of low-level programming. Best of luck!
I'm getting a lot of help from some friends; I wouldn't have reached this without their help, and I like to learn new things.
What we're doing is modifying gnuharet to remove the Linux-loading part and add very few changes in the ARM9 assembly part; if you're interested see the file src/wince/asmstuff.S.
pof said:
The rtask command allows you to do some "interesting" things, for example enter the radio bootloader and the GSM AT command interface, where you can type AT commands to the phone from the bootloader.
I guess it should be possible to do in WinCE by directly calling a rilgsm ioctl
(should work on the Universal; the equivalent code runs the phone in Linux).
devspecific code=54
http://wiki.xda-developers.com/index.php?pagename=rilgsm.dll
cr2, yes it is possible... this is what my unlocker does to do the [email protected] commands, and it uses almost the same code as buzz used on the Universal.
EDIT: I read you too fast; I'm using RIL_DevSpecific commands to send the [email protected], but didn't read the code=54. Have to try this, thanks for pointing it out!
Help Needed!
Hi pof,
I (stupid guy!) upgraded from ME_DT_WWE_1182553_106_10303_Ship to Cingular 1.34.502.1 (1.06) and now I cannot downgrade (using for example Cingular_1.30.502.1 (1.04))... why?
I tried every unlocking process, every step you wrote here, but no way! Always ID ERROR (294)... whyyy????
I cannot understand... I think a downgrade to 1.04 could save me...
Please, help me...
Yes, a downgrade will help you. Just downgrade to a full ROM matching the CID on your device, or wait for a free solution to downgrade the bootloader.
pof said:
Yes, a downgrade will help you. Just downgrade to a full ROM matching the CID on your device, or wait for a free solution to downgrade the bootloader.
Just to be sure: I flashed my Dutch TyTN (QTEK_E11) to Cing 1.34 WWE (CWS_001).
Is my CID still QTEK_E11 or has it changed to CWS_001?
If it is still QTEK_E11 then I can go back to the Dutch HTC 1.18.254.2, can I?
And from there I can SuperCID my device?
pof, what's the address I need to flash a radio ROM from bootloader mode?
I collected these from the wiki, but it's missing the info for the radio ROM.
First Splash:
lnb finalsplash.nb 500e0000
Second splash screen (SubSplash):
lnb finalsplash.nb 50140000
Extrom:
lnb ExtROM.nb 57500000
OS:
lnb OS.nb
OK, after enormous searching I've found this:
lnb radio_.nbf 0x80000000
the address is correct, but the file has to be GSM.nb extracted from the NBH file, not a .nbf which also includes the NBF header.
And AFAIK no one has tried to flash the radio using this method yet; you'll be the first if you do it, and if it doesn't work you can brick your phone.
If you do it, please report the results
OK, I have tried it... it does not brick the phone, but it also doesn't change anything... the radio version remains the same even though it flashes it properly.
USB>lnb gsm.nb 80000000
:F=gsm.nb
:A=80000000
:O=00000000
:L=FFFFFFFF
start NB image downloadS
Load ADDR: 80000000 Length: D80000
H***************************************
****************************************
*****************************Code entry point at 0x80D60000
I have updated the wiki with this
USB> task 32
USB> lnb gsm.nb 80000000
USB> task 8,
this seems to flash the radio but the radio version reported by the OS remains the same, so this is not working properly
http://wiki.xda-developers.com/index.php?pagename=Hermes_BootloaderMFG
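Added here as an example, not code from this thread or from any of the tools it mentions: a small Python checker that parses an mtty transcript of `lnb` commands like the ones Zgembo and qvik123 posted above and dutty's gsm.nb attempt, pulls out the file name, load address, length and entry point, names the region from the lnb base addresses dutty collected from the wiki, and flags an image that would run past the next region's base, an entry point outside the downloaded image, and an `lnb` whose output never contained "Write Nand Success" (the posted gsm.nb attempt shows none, and pof later confirms that lnb does not flash the radio). The two sample transcripts are constructed from the posted logs with the progress rows shortened; the rule that an image must not extend past the next region's base is an assumption for the check, not something stated in the thread.

```python
import re

# Constructed sample transcripts modelled on the mtty logs posted in this thread
# (progress rows shortened). An OS flash that reports a NAND write:
OS_LOG = """USB>task 32
Level = 0
USB>lnb 06_OS.nb
:F=06_OS.nb
:A=501A0000
:O=00000000
:L=FFFFFFFF
start NB image downloadSH
Load ADDR: 501A0000 Length: 39E4000
***************************************
*************************LAST BLOCK, dwBytesCollected=0x1C000
Code entry point at 0x53B80000
Write Nand Success
USB>task 28
Storage format start
Write Nand Success
Storage format success
USB>task 8
"""

# ...and the radio attempt at 0x80000000, which never reports a NAND write:
RADIO_LOG = """USB>lnb gsm.nb 80000000
:F=gsm.nb
:A=80000000
:O=00000000
:L=FFFFFFFF
start NB image downloadS
Load ADDR: 80000000 Length: D80000
H***************************************
*****************************Code entry point at 0x80D60000
"""

# lnb base addresses as collected in the thread from the Hermes wiki, ordered by address.
NAND_REGIONS = [
    ("splash", 0x500E0000),
    ("subsplash", 0x50140000),
    ("os", 0x501A0000),
    ("extrom", 0x57500000),
]
RADIO_BASE = 0x80000000  # address tried for gsm.nb; the radio is flashed by the radio bootloader, not lnb

_LNB = re.compile(r"^USB>lnb\s+(\S+)(?:\s+([0-9A-Fa-f]{1,8}))?")
_LOAD = re.compile(r"Load ADDR:\s*([0-9A-Fa-f]+)\s+Length:\s*([0-9A-Fa-f]+)")
_ENTRY = re.compile(r"Code entry point at 0x([0-9A-Fa-f]+)")


def split_commands(text):
    """Group transcript lines into chunks, one chunk per 'USB>' prompt."""
    chunks, cur = [], []
    for line in text.splitlines():
        if line.startswith("USB>") and cur:
            chunks.append("\n".join(cur))
            cur = []
        cur.append(line)
    if cur:
        chunks.append("\n".join(cur))
    return chunks


def parse_lnb(text):
    """One dict per lnb command: file, requested/actual address, length, entry, NAND-write flag."""
    recs = []
    for chunk in split_commands(text):
        m = _LNB.match(chunk)
        if not m:
            continue
        rec = {
            "file": m.group(1),
            "requested_addr": int(m.group(2), 16) if m.group(2) else None,
            "load_addr": None, "length": None, "entry": None,
            # whether the bootloader printed a NAND write inside this lnb's own output
            "nand_written": "Write Nand Success" in chunk,
        }
        lm = _LOAD.search(chunk)
        if lm:
            rec["load_addr"], rec["length"] = int(lm.group(1), 16), int(lm.group(2), 16)
        em = _ENTRY.search(chunk)
        if em:
            rec["entry"] = int(em.group(1), 16)
        recs.append(rec)
    return recs


def region_of(addr):
    """(region name, base of the next region or None) for a load address."""
    if addr >= RADIO_BASE:
        return "radio", None
    name, upper = None, None
    for i, (n, base) in enumerate(NAND_REGIONS):
        if addr >= base:
            name = n
            upper = NAND_REGIONS[i + 1][1] if i + 1 < len(NAND_REGIONS) else None
    return name, upper


def check(rec):
    """Sanity checks on one lnb record; returns a list of problems (empty means it looks fine)."""
    if rec["load_addr"] is None or rec["length"] is None:
        return ["no 'Load ADDR ... Length' line: the download never started"]
    start, end = rec["load_addr"], rec["load_addr"] + rec["length"]
    name, upper = region_of(start)
    problems = []
    if name is None:
        problems.append(f"load address {start:#x} is below every known region")
    if upper is not None and end > upper:  # assumption: next region base is the upper bound
        problems.append(f"{rec['file']} ends at {end:#x}, past the next region base {upper:#x}")
    if rec["entry"] is not None and not (start <= rec["entry"] < end):
        problems.append(f"entry point {rec['entry']:#x} lies outside the downloaded image")
    if not rec["nand_written"]:
        problems.append("lnb output never reported 'Write Nand Success'")
    if name == "radio":
        problems.append("radio region: lnb downloads the image but the radio is flashed from the radio bootloader")
    return problems


if __name__ == "__main__":
    for log in (OS_LOG, RADIO_LOG):
        for rec in parse_lnb(log):
            print(rec["file"], region_of(rec["load_addr"])[0], check(rec) or "OK")
```

Paste a real mtty session into the script in place of the constructed samples; the check is only as good as the region table, so extend NAND_REGIONS from the wiki memory map before trusting the bounds check on splash or ExtROM images.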
dutty said:
pof, what's the address I need to flash a radio ROM from bootloader mode?
I collected these from the wiki, but it's missing the info for the radio ROM.
First Splash:
lnb finalsplash.nb 500e0000
Second splash screen (SubSplash):
lnb finalsplash.nb 50140000
Extrom:
lnb ExtROM.nb 57500000
OS:
lnb OS.nb
OK, after enormous searching I've found this:
OK, I have tried it... it does not brick the phone, but it also doesn't change anything... the radio version remains the same even though it flashes it properly.
I have updated the wiki with this
http://wiki.xda-developers.com/index.php?pagename=Hermes_BootloaderMFG
Are you sure it's actually writing a new radio? Try flashing a non-GPS one when you have GPS (or vice versa) and testing [email protected]
Olipro said:
Are you sure it's actually writing a new radio? Try flashing a non-GPS one when you have GPS (or vice versa) and testing [email protected]
Yep... it is downloading and writing the blocks... at least that's what the mtty output tells me... I've tried flashing a non-GPS radio and it still reports the GPS radio and startgps works... weird...
The thing for me is I've flashed the 108 radio bootloader which prevents me from flashing only radio ROMs... so I've tried doing this from the BL...
I think the only possibility that is left for the 108 RBL is to create a full OS image using typhoonnbf decode (including splash screens, OS and everything else) and then flash this image.
dutty said:
Yep... it is downloading and writing the blocks... at least that's what the mtty output tells me... I've tried flashing a non-GPS radio and it still reports the GPS radio and startgps works... weird...
The thing for me is I've flashed the 108 radio bootloader which prevents me from flashing only radio ROMs... so I've tried doing this from the BL...
I think the only possibility that is left for the 108 RBL is to create a full OS image using typhoonnbf decode (including splash screens, OS and everything else) and then flash this image.
No, not weird... it's just not flashing. Now here's a thought: is it possible to rtask, authenticate with the radio, then exit out of rtask mode again? Perhaps it protects the memory address till you do this.
Olipro said:
No, not weird... it's just not flashing. Now here's a thought: is it possible to rtask, authenticate with the radio, then exit out of rtask mode again? Perhaps it protects the memory address till you do this.
Yeah, not weird.
BTW... I've also tried to do a radio ROM upgrade from an official provider... T-Mobile Germany released a radio-ROM-only upgrade... but I couldn't use that to downgrade either...
How do you mean? Authenticate? Simply entering the radio loader and exiting?
i.e.
rtask a
retuoR
Another thought... what would happen if we just "rerase" the region of the radio ROM and then try to reflash... have to admit I lack the balls to try it.
edit: tried the rtask a, rversion, retuoR and then flashing... but it didn't work.
OK... the last and maybe the best idea is this:
since we can dump parts of the ROM using the bootloader, how about dumping a radio bootloader < 108 and then "lnb" it into a 109 device...
http://forum.xda-developers.com/showpost.php?p=1092471&postcount=1
I have tried this:
USB> task 32
USB> set 1e 1
USB> rbmc spl 50020000 40000
but it doesn't seem to work...
Code:
USB>rbmc spl 50020000 40000
GetExtRomData+(): *pszPathName=spl, dwStartAddress=50020000, dwLength=40000
:F=spl
:A=50020000
:L=00040000
:rbmc=
How can I receive the file? I have enabled automatic downloads in mtty. pof?
The radio code is actually flashed into the Qualcomm chipset under the control of the radio bootloader; that's why nbf radio flashing can only be done with bl 1.04. In subsequent bootloaders, the required radio BL commands aren't available.
I believe the chipset itself may be mapped into the addresses you mention, but the flashing method is different, thus the reason why nothing happens.
Sleuth255 said:
The radio code is actually flashed into the Qualcomm chipset under the control of the radio bootloader; that's why nbf radio flashing can only be done with bl 1.04. In subsequent bootloaders, the required radio BL commands aren't available.
I believe the chipset itself may be mapped into the addresses you mention, but the flashing method is different, thus the reason why nothing happens.
Interesting...
but if we're using 1.01mfg and flashing into the mapped/virtual memory area we might be able to overwrite the 1.08 radio bootloader...
according to http://wiki.xda-developers.com/index.php?pagename=HermesMemoryMap
the radio bootloader sits right behind the radio at 0x80100000
I would give it a try but I don't know how I can dump files from the bootloader onto my PC... rbmc seems to send the file, but mtty doesn't know how to receive it. I guess I'll have to use usbmonitor?
Or is the bootloader itself in the Qualcomm chipset as well? All the normal bootloader does is transfer control (in bl 1.04 with rtask 4; in subsequent BLs using a mechanism that is only revealed during the nbh flashing process) to the radio bootloader. Then data flows....
Sleuth255 said:
Or is the bootloader itself in the Qualcomm chipset as well? All the normal bootloader does is transfer control (in bl 1.04 with rtask 4; in subsequent BLs using a mechanism that is only revealed during the nbh flashing process) to the radio bootloader. Then data flows....
I don't know. But I know that we need to find a way to deal with RB 108 as it will be packed into any radio ROM that's released.
There must be a way to dump and flash it using the bootloader as it gets flashed when updating a radio ROM using lnb or maupgrade.
Unfortunately I really don't know how to deal with the remote dump command; even with usbmonitor the output is useless, as mtty only receives a couple of bytes then stops. After terminating the connection and restarting mtty it receives a couple more bytes and so on and so on...
I think the key here is to figure out what goes on during nbh flashing, since we know the radio bootloader can be changed then. This also holds the key to simple RUU flashing of cooked ROMs on the Hermes, btw. We have to get there too eventually if we ever want to package up a cool GPS-enabled Hermes ROM that even noobs can install. Right now, Hermes upgrading is a nightmare....
Sleuth255 said:
I think the key here is to figure out what goes on during nbh flashing, since we know the radio bootloader can be changed then. This also holds the key to simple RUU flashing of cooked ROMs on the Hermes, btw. We have to get there too eventually if we ever want to package up a cool GPS-enabled Hermes ROM that even noobs can install. Right now, Hermes upgrading is a nightmare....
I'll do a full RUU upgrade now and track the whole thing with USB monitor... maybe something useful comes out of that.
Sorry, I have been away for the last 2 days.
The radio can't be flashed with lnb; it must be flashed from the radio bootloader using rwdata.
Now we can use Des's SSPL to flash radios in NBH, so radio bootloader 0108 is not a problem anymore.
I will provide a reimplemented flashing tool for Hermes in a few days (need two more long nights to finish fixing minor bugs); it allows dumping the radio and doing some "extra" stuff... at the moment it only works in Linux, but I'm sure some of you will be able to port it to windoze.
Yep... the holy grail of nbh flashing is possible. Des "got 'er done"!
This is a patched radio ROM that can be used to remove the operator SIM lock and CID lock from HTC Hermes-based telephones. This new version also includes a HardSPL patched bootloader to always show as SuperCID and allow flashing unsigned code.
It can be used in all HTC Hermes devices, no matter which bootloader version the device is running.
NOTE: For x01ht post April devices, see this thread.
Disclaimer:
This is free to use but at your own risk, I take no responsibility for any conflict, fault, or damage caused to your phone by this unlocking procedure. No warranties of any kind are given. Any commercial usage prohibited.
Website:
http://pof.eslack.org/hermes-unlocker/
Install Instructions:
Easy auto-install Instructions:
Unzip unlocker and run AUTO_Unlock_v3a.bat
If you don't want to install automatically, or for some reason the process doesn't work for you, read the file Instructions.txt.
Thanks to:
buzz_lightyear, itsme, vijay555, arc, Asukal, machinagod, esteve - for the wise advice and support
Des and Olipro - for SSPL and HardSPL, everybody praise them!
everyone else in xda-developers.com
History:
v3a [03-04-2007] - New RUU will make sure HardSPL-1.40 is installed before flashing the radio
Now the unlocking process is faster & safer
Fixed bug where IPL was downgraded to 1.00
v3 [11-02-2007] - Herm_Unlock_v3.exe now allows you to select SIM / CID unlock separately
Thanks to SSPL it can be used in all bootloader versions
Patched radio is now provided in NBH format
It keeps the current bootloader on phone (does not downgrade SPL).
v2a [14-11-2006] - bugfix release, thanks to all who reported the problems!
(hopefully) fixed bug where unlock code has to be entered manually
(hopefully) fixed bug where SuperCID was not kept after rom upgrades in some cases
v2 [12-11-2006] - updated to patched radio 1.16
unlocking software provided (HERM_Unlock_v2.exe): thanks buzz for the source of UNI_Unlock_v1 ;-)
SuperCID is now kept after rom upgrades
v1 [05-11-2006] - patched radio 1.13
unlock manually
Donations:
I spent some time and money developing this free unlocker, there's no need to pay me for that, but donations are always appreciated.
Download:
HTC_Hermes_SIM_CID_Unlock_v3a.zip
Enjoy!
I closed the old version thread, it is still available here.
FREQUENTLY ASKED QUESTIONS
Q: Will this void my warranty?
A: If you select the option to "CID unlock", most probably yes. Don't select it if you just want to remove the SIM-Lock; it will be CID unlocked anyway by HardSPL but will keep your original CID if you flash any other SPL on it.
Q: After unlocking my phone my Radio and SPL versions are downgraded. Can I upgrade them?
A: Yes, you can upgrade to a newer radio and newer SPL/HardSPL version. The phone will not be locked again.
Q: Will this work on Post Dec-2nd SoftBank X01HT phones?
A: Hopefully yes, but your OS ROM includes software SIMLock protection (the annoying USIM screen); you can flash a non-SoftBank OS ROM after unlocking it, or read the thread for other options if you want to keep the SoftBank ROM.
Q: Will this work on Post April (white) SoftBank X01HT phones?
A: Yes, if you have not let the SoftBank ExtROM install; otherwise your radio bootloader has been upgraded to 0182 and it is not possible to flash a radio or remove the SIMLock.
Q: Will this work if my bootloader version is SPL-1.09?
A: Yes.
Q: Will this downgrade my bootloader to 1.04?
A: No, it will upgrade it to Hard-SPL 1.40 which is better. You can use Custom RUU to flash any ROM on it.
Q: Will this work if my radio bootloader is HTC_BOOT 0108?
A: Yes.
Q: Will it downgrade HTC_BOOT 0108 to 0107?
A: No, if you have 0108 it will keep 0108.
Q: Do I need to run the new version if I already used the older version previously?
A: No, your phone is already unlocked, no need to run unlocker again.
Q: After finishing the process it still asks for unlock code, what should I do?
A: Make sure you have radio version 1.16 and run Herm_Unlock_v3.exe on your phone and select unlock option. If entering any unlock code fails, please repeat the unlocking process again (you did something wrong the first time).
I would like to thank you for all the owners of Hermes which are not unlocked. Good work, pof!
Hi Pof,
download link for the local ftp pointed to older 2a version. Typo, I guess.
pof, you gave the necessary unlock v3?
see "HTC_Hermes_SIM_CID_Unlock_v3.zip" ftp://xda:[email protected]/Hermes/Tools_and_Programs/HTC_Hermes_SIM_Unlock_v2a.zip
It has just been corrected. I guess pof had not finished uploading just now.
Please see ftp://ftp.xda-developers.com/Hermes/Tools_and_Programs/HTC_Hermes_SIM_CID_Unlock_v3.zip
Yes guys sorry for the wrong download link, it has now been fixed
Pof that was amazing.. i'm really impressed Thank You!
thanks pof for your great work.. superb.. I have been waiting for a long time for this new solution..
Hi
Thanks to POF. What a coincidence: I tested the first unlocker on the same day as pof posted, and today again I just had one piece and tested it. Everything went OK.
Br
Incredible! Pof, would you mind sharing how you succeeded? I was very interested in the approach of directly jumping into the bootloader and so on. So explaining to the other developers what you did and how is appreciated.
Ok, explaining should happen here. But I'm still very thirsty for information. :-D
@Chatty: I used SSPL by Des to flash a self-signed nbh containing the patched radio and the 1.04 spl. See here for details:
http://forum.xda-developers.com/showthread.php?t=293651
Fantastic work again pof, big thanks to everyone involved!
Help!! Please
I used v3 to unlock my phone, and SuperCIDed it too. Everything went well until I used the SSPL tools to get into the bootloader and used MTTY to give the commands below.
USB>task 32
Level = 0
USB>lnbs spl-1.01.nbs 50020000
:F=spl-1.01.nbs
:A=50020000
:O=00000000
:L=FFFFFFFF
start NB image download
Of course in the same directory I have ...1.01.nbh. But it just stopped there and never completed. I disconnected the USB cable and plugged it in again; I can type some commands, too, and there is a reply.
What should I do?
qvik123 said:
Help!! Please
I used v3 to unlock my phone, and SuperCIDed it too. Everything went well until I used the SSPL tools to get into the bootloader and used MTTY to give the commands below.
USB>task 32
Level = 0
USB>lnbs spl-1.01.nbs 50020000
:F=spl-1.01.nbs
:A=50020000
:O=00000000
:L=FFFFFFFF
start NB image download
Of course in the same directory I have ...1.01.nbh. But it just stopped there and never completed. I disconnected the USB cable and plugged it in again; I can type some commands, too, and there is a reply.
What should I do?
You must be in the normal bootloader 1.04 to do this, not in 1.09 from the SSPL tool.
qvik123 said:
But it just stopped there and never completed. I disconnected the USB cable and plugged it in again; I can type some commands, too, and there is a reply.
What should I do?
Have you tried the recovery way clearly stated in the documentation?
In case something goes wrong during flashing you should flash your device with a ROM accepted by the standard bootloader (and have another try if you wish).
Thank you. I did not recognize that. That means, since I have SuperCID, I can flash any shipped complete ROM with a 1.04 SPL and then flash to 1.01MFG in order to flash separate OS ROMs, am I right?
Hi Pof, does it also work on my Orange M3100 that is bricked in boot mode 1.06? Or do I still have to wait for the orang001 rom? Thanks
Des said:
Have you tried the recovery way clearly stated in the documentation?
I think the problem is, as scorpio16v said, that I did not have the proper SPL version. But luckily I managed to reboot my device and WM5 started to load. Now I am going to downgrade to SPL 1.04. Thank you.
qvik123 said:
Thank you. I did not recognize that. That means, since I have SuperCID, I can flash any shipped complete ROM with a 1.04 SPL and then flash to 1.01MFG in order to flash separate OS ROMs, am I right?
Yes, you can go this way if you want to, or you can load 1.01MFG with SSPL without flashing it, or you can create an nbh rom signed with anything and flash it with SSPL. Read the doc, it rulez.
OK, well... I'd like to introduce Hard-SPL; available in 3 flavours:
SPL 2.10 based on 2.02 will be released shortly at £5 per person... only kidding... it's free, and out now, but do consider a donation
1) 2.10 - Hard-SPL-V7 - see Changelog for further details (at the bottom)
2) 1.10 - Olipro SPL - based on 1.04 and unlocked - use for rtask commands.
View attachment Hard-SPL.zip
3) 1.01 - Olipro MFG - based on 1.01, and really for testing only.
View attachment Spl-Olipro-MFG.zip
TO FLASH THE NEW Hard-SPL, Select Force-SPL, you should only choose otherwise when recovering your device from an old Hard-SPL version!
RUU now forces SSPL every time... do not use this RUU for anything else.
For older CustomRUU users; pick the 1.40 option, autodetect will not work... or download and use the new CustomRUU
1.01 is provided as SSPL and SPL; SPL is intended for flashing, SSPL is intended to be loaded by SSPL, neither of these are packaged as an NBH since if you intend to play with it, you should know how to make your own package for it.
Bad Blocks SPL Available! - Hard-SPL-V6.zip - fixed RUU bug for those using 1.11/1.13/1.30
Code:
CURRENT FEATURES
- SuperCID
- no file signing required
- no password required to authenticate with bootloader
- bad NAND can be recovered with "task 2a"
- bad NAND can be recovered by flashing an OS
- SPL protected from all HTC retail SPLs being flashed by accident (to bypass, use SSPL)
- IPL protected from all flashes; protection against bogus NBH's
- bad NAND can again be checked for with "info 8"
- version displays 2.10.Olipro
- no longer tries to read bad NAND - should fix whitescreen issue
ChangeLog
Hard-SPL-2.10
- based on a newer SPL base; bugfixes.
- IPL flashing disabled to prevent bogus NBHs bricking your device.
Hard-SPL-1.40
- repairs a bug that affected SPL being replaced by retail ones.
Hard-SPL-1.35
- addresses an issue for those with Real Bad Blocks to prevent whitescreens.
Hard-SPL-1.30
- removed password for wdata commands and rbmc etc.
- activated "task 2a" to allow recovering bad blocks as well as flashing valid OS.
- Disabled SPL flashing; this SPL protects you from writing over it by accident.
- Bad Blocks "info 8" command works now allowing you to check for bad blocks.
Hard-SPL-1.13
- Patched NAND check; bad NAND ignored, valid OS can be flashed to recover bad blocks.
Hard-SPL-1.11
- Flashing Radio BL 0108 now supported
- Downgrading SPL no longer allowed.
- rtask command removed.
- new RUU interface required to flash ROM files.
Hard-SPL-1.10
- Initial release; SuperCID and no signing required
- Compatible only with Radio BL 0107
- has rtask commands for accessing radio facilities.
Looking for other SPL Files? scroll back up! they're at the top underneath each version heading!
please remember that 1.35 and 1.40 are the same as 1.30, so when using CustomRUU, either select that, or download the NEW customRUU and overwrite.
Olipro said:
ROM's not available yet; I'm sending them to pof for testing before anybody is allowed to flash this... there's still a chance you could brick your phone
great stuff... i'll report in a while
Damn... a lot of people are sure gonna like this! How about doing 1.01MFG too so we can still flash os.nb in < 5 mins with lnb?
Sleuth255 said:
Damn... a lot of people are sure gonna like this! How about doing 1.01MFG too so we can still flash os.nb in < 5 mins with lnb?
if someone sent me it as a .nb then certainly... a proper nb... unsigned.
Current Status: Pof has successfully flashed his device, unsigned ROM seems to be flashing fine, if all is well, then I'll get a package ready within the next 10 minutes.
man it works!! That's the safest thing to put on a Hermes
Thanks Olipro
Fantastic work! This will definitely be a big help to everyone.
not to sound stupid or anything, but what does this enable your phone to do exactly??
It's the holy grail of Hermes flashing! As long as there are no bad blocks in NAND, bricking due to a corrupted CID can now be avoided.
Olipro said:
if someone sent me it as a .nb then certainly... a proper nb... unsigned.
only 1.01MFG I've ever seen is .nbs
koolhand79 said:
not to sound stupid or anything, but what does this enable your phone to do exactly??
Same features as SSPL, but flashed on the phone and with bootloader version 1.04 (hex edited to be shown as 1.10.Oli), that is:
Ability to bypass signature in NBH files (friendly for cooked roms)
Ability to access radio bootloader (no more corrupted CID bricks)
Shows itself as SuperCID when doing a rom upgrade (but it internally isn't)
Can be uninstalled by just reflashing a shipped SPL, so no warranty is lost
Sleuth255 said:
only 1.01MFG I've ever seen is .nbs
yeah, but it's just the .nb with the NBH headers on... I'm a lazy sod and was hoping someone had already made it an nb to save me the time
also... in a few seconds, a flash package for my SPL will be available!
When? When? When? Waiting... Yahooo. Good news to us all as cooking and flashing going to be as safe as possible.
Okay it is my time to sound like a moron.
Alright, I get the general idea of what this does; now could someone point me, no need to show the link, just mention where in the documentation I can find more real info on this.
Probably Des or Olipro can answer that:
Can we also patch the SPL to always write 0xFF on the "disastrous 517th byte" of each physical NAND page (or not overwrite the existing value, whichever is better)? This way, even when the flashed OS.nb contains a value other than 0xFF on that byte, it will not produce a bad block, and this would make flashing cooked images _really_ fool proof.
For those willing to go deeply, read Des comment here.
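As an added example (not pof's, Des's or Olipro's code, and not part of the original thread), this host-side Python check does before flashing what the SPL patch asked about above would do on the phone: it walks an OS.nb image page by page and reports any page whose bad-block marker is not 0xFF, and can force the marker to 0xFF in a copy. The page layout (512 data bytes plus 16 spare bytes per page, marker at the 517th byte) and the sample image are assumptions constructed here; adjust PAGE_SIZE and MARKER_OFFSET if your image is laid out differently.

```python
# Added example: pre-flash check for the "disastrous 517th byte".
# The page layout below is an ASSUMPTION (512 data + 16 spare bytes);
# adjust it if the NB image you work with uses a different layout.
from typing import List, Tuple

PAGE_SIZE = 512 + 16      # assumed: data + spare (OOB) bytes per page
MARKER_OFFSET = 516       # the 517th byte, zero-based offset 516
GOOD_MARKER = 0xFF        # anything else marks the block as bad


def scan_nb_image(image: bytes) -> List[Tuple[int, int]]:
    """Return (page_index, marker_value) for every page whose
    bad-block marker is not 0xFF. An empty list means nothing found."""
    if len(image) % PAGE_SIZE != 0:
        raise ValueError(
            f"image length {len(image)} is not a multiple of {PAGE_SIZE}")
    hits = []
    for idx in range(len(image) // PAGE_SIZE):
        marker = image[idx * PAGE_SIZE + MARKER_OFFSET]
        if marker != GOOD_MARKER:
            hits.append((idx, marker))
    return hits


def sanitize_nb_image(image: bytes) -> bytes:
    """Return a copy with every bad-block marker forced to 0xFF, the
    host-side equivalent of the SPL patch proposed in the thread.
    The 512 data bytes of each page are left untouched."""
    buf = bytearray(image)
    for idx in range(len(buf) // PAGE_SIZE):
        buf[idx * PAGE_SIZE + MARKER_OFFSET] = GOOD_MARKER
    return bytes(buf)


def make_sample_image(pages: int, bad_pages=()) -> bytes:
    """Constructed test image (not a real ROM): data bytes filled with
    the page number, spare area all 0xFF, except that the pages listed
    in bad_pages get a 0x00 marker as a flashed image might."""
    out = bytearray()
    for idx in range(pages):
        page = bytearray([idx & 0xFF] * 512) + bytearray([0xFF] * 16)
        if idx in bad_pages:
            page[MARKER_OFFSET] = 0x00
        out += page
    return bytes(out)


if __name__ == "__main__":
    img = make_sample_image(4, bad_pages=(2,))
    print("suspect pages:", scan_nb_image(img))                      # [(2, 0)]
    print("after sanitize:", scan_nb_image(sanitize_nb_image(img)))  # []
```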
pof said:
Same features as SSPL, but flashed on the phone and with bootloader version 1.04 (hex edited to be shown as 1.10.Oli), that is:
Ability to bypass signature in NBH files (friendly for cooked roms)
Ability to access radio bootloader (no more corrupted CID bricks)
Shows itself as SuperCID when doing a rom upgrade (but it internally isn't)
Can be uninstalled by just reflashing a shipped SPL, so no warranty is lost
Not that there's a heck of a lot of reason for doing it any more but does that mean we can now downgrade radio bl versions? Also will it help recover from bad bootloader flashes? I am constantly in awe of the brilliant people in this forum!
chymmylt said:
does that mean we can now downgrade radio bl versions?
No, if you have 0108, will keep 0108.
chymmylt said:
Also will it help recover from bad bootloader flashes?
No... a bad flash in bootloader means a bricked device, but this is not common on hermes, the most common is bad flash in radio which can only be fixed if the bootloader is 1.04 or the rom has KITL enabled.
pof said:
No, if you have 0108, will keep 0108.
No... a bad flash in bootloader means a bricked device, but this is not common on hermes, the most common is bad flash in radio which can only be fixed if the bootloader is 1.04 or the rom has KITL enabled.
that means you've overwritten the bootloader I have made... so obviously not.
however, the bootloader does have built-in recovery functions (HTC's work) and generally you need to be doing something funky to bugger the SPL up.
pof said:
No, if you have 0108, will keep 0108.
No... a bad flash in bootloader means a bricked device, but this is not common on hermes, the most common is bad flash in radio which can only be fixed if the bootloader is 1.04 or the rom has KITL enabled.
Still very exciting! Y'all da man! (Men?)
Thanks again!
For those with 1.01MFG or 1.04 SuperCID, will this new BL give any new benefits? I understand those with 1.09 will benefit, but, is it worth flashing if I already have 1.01MFG on the device?
with this will i be able to upgrade and downgrade to any radio i want regardless of nbh or nbf, since no one is answering me in the thread i created about this. lol
I wanted to create my own splash screen so I followed the instructions on the WIKI page. I had Oli's Hard-SPL installed and thought that I didn't need to SuperCID first (clever huh?!). I flashed 1.01 MFG and everything was fine.
Tried to issue the "lnb" command and kept getting "command error". Finally realised that if I wasn't superCID (my CID is HTCST-MOB005¼ôàŠHTCE) I wasn't going to get far.
I decided to run Pof's CID unlocker to make me SuperCID, thinking it would be okay as it used the 'soft' SPL. Oh dear. The flash halted at step 0% flashed and now my Hermes won't get beyond the boot screen. I can't flash anything standard as I've got MFG installed and I can't flash a naked nb because I'm not SuperCID.
HELP! Please
So I can't
mmm... I guess you're stuck because you can't boot OS, right?... so, which radio bootloader version do u have? if it's 107 it's easy to fix
pof said:
mmm... I guess you're stuck because you can't boot OS, right?... so, which radio bootloader version do u have? if it's 107 it's easy to fix
Even if he got bootloader 0108 it may be "easy" to fix with Oli's newer bootloader, no?
in mtty do:
set 14 0
task 8
does it boot wm again?
If so you can flash any sspl rom or somebody can point you to a sspl loader for bl1.01.oli & you can flash that to remove 1.01MFG. Sorry that I can't give you a link right here, but I'm mobile now & can't access cross-ref threads here easily.
Sleuth255 said:
in mtty do:
set 14 0
task 8
does it boot wm again?
If so you can flash any sspl rom or somebody can point you to a sspl loader for bl1.01.oli & you can flash that to remove 1.01MFG. Sorry that I can't give you a link right here, but I'm mobile now & can't access cross-ref threads here easily.
Star!!!!
Yup booted fine. Thanks a lot.