Hi,
Does anyone know at what address the radio image should be loaded for disassembly, and what its entrypoint is?
For reference the hboot image has to be loaded at 0x8e000000, and its entrypoint is at 0x8e001000.
For info, the available oem task commands are:
- 28: format userdata
- 29: format system, cache, userdata (will only format system if security is off)
and the available oem rtask commands are:
- 0: ???
- 7: switch to radio bootloader OR at command prompt *
- 8: switch to radio bootloader OR at command prompt *
- 9: ???
* I'm not sure which of 7 or 8 is the radio bootloader and which is the AT command prompt, as from the SPL point of view, they behave the same (read line, push to radio, print response, and exit when "retuoR" is typed).
Also, the Nexus One and Desire hboot images are nearly exactly identical, and those commands exist identically in both hboots.
Also, the hboot itself issues AT commands to talk to the radio chip; among others, these are present in the hboot binary:
[email protected]=1,%x,%s
[email protected]=2,1,%s
[email protected]?%x
[email protected]=3,%x
[email protected]=7,%d <- this is a good candidate for the mighty security=off quest
[email protected]?AA <- most likely "get security status"
[email protected]=9,%x
[email protected]?40
According to what people have found on other devices, all the other [email protected] commands are related to actual simlock/unlock
Hi, I am very interested in your findings, also myself and Paul from modaco have been playing around with some commands. Did you continue to look into this yourself or not?
Regards
Found this myself hexing both the holiday hboot image and the one in the passimg.zip file..
They do have different lines.
All we need is an engineers ID over at HTC apparently and input it right after fastboot oem task (id here) and it will request a reason for the security removal...
EVO3D GSM ICS 1.53 DOWNGRADE BL – UNLOCK without HTCDev!!!!!!
THX XDA user Unknownforce - this is his work, I have tested and it works!
http://forum.xda-developers.com/showthread.php?t=2124142
EVERYTHING YOU DO IS AT YOUR OWN RISK; I ACCEPT NO RESPONSIBILITY FOR ANY DAMAGE. THE PROCEDURE WAS TESTED ON MY EVO 3D WITHOUT PROBLEMS.
MAKE SURE YOUR DEVICE REALLY IS S-ON!!! IF YOU PERFORM THIS PROCEDURE ON AN S-OFF DEVICE, IT WILL BE TOTALLY KILLED WITH NO WAY BACK!!!
THE PROCEDURE IS FOR DEVICES THAT HAVE HAD A WARRANTY MAINBOARD REPLACEMENT WITH THE ORIGINAL S/N AND A NEW IMEI AND CANNOT BE UNLOCKED VIA HTCDev.
THE DEVICE MUST BE IN THE *LOCKED*, *S-ON* STATE, BOOTLOADER 1.53!!!!
REQUIRES MINIMAL KNOWLEDGE OF LINUX (WORKING IN THE TERMINAL) AND A LIVE OR INSTALLED VERSION OF IT (UBUNTU)
!!!!!ATTENTION!!!!!! Command to find out the current misc partition:
"adb shell cat /proc/partitions"
USB debugging must be enabled on the phone. Use the ADB command, for example from the folder you prepared during your HTCDev unlock attempts.
The command shows the mmcblk0pxx partitions; if you see mmcblk0p32 then your misc partition is 32, if not, then it is 31. If you see both, it is the one with the higher number (for me 1022)
STEP 1
--------------------------------------------------------------------
1.) Copy the PG86IMG.ZIP of your current ROM RUU (ICS 3.28.401.1) to the root directory of the SD card.
2.) With the phone powered ONLY from the battery, restart into the bootloader, let it detect the zip and get to the point where it asks you to press Vol-Up to update. DO NOT START the update!!!
3.) Leave the device in this state and wait at least one or two minutes.
4.) Remove the battery cover and connect the device to the mains.
(USE AN ORIGINAL HTC CHARGER - RECOMMENDED; non-original ones may have a lower voltage and the phone may switch off. Switching off also happens with newer types of SD card; try 4-8 GB, for me it worked with an A-Data 16GB class10)
5.) Remove the battery. (The device should stay on; if it does not, start again.) Do not put the battery back in.
6.) Here is the tricky part.
Read this several times: be ready to pull the power cable out at the right moment...
Press the Vol-Up button
5 seconds after the "Updating" message starts flashing next to the BOOTLOADER item, yank the charger out of the phone (not out of the wall socket - it may keep supplying voltage for a moment and you will miss the time window!!)
Wait a moment and plug the charger back in. If everything went well, the red LED next to the front camera should glow very faintly and steadily.
ATTENTION!!!!! On my phone the UPDATE BOOTLOADER was very fast - about 3 seconds - and it went on to BOOT and further, and the BRICK succeeded after an hour. Be patient and try it several times. If you overshoot and do not manage to pull the cable in time, let the update finish and repeat the whole procedure again and again and again.......
The device is now BRICKED and ready for the next step.
STEP 2 - LINUX part
--------------------------------------------------------------------
DO NOT CONNECT THE PHONE YET - WAIT FOR THE PROMPT!!!
PHONE STILL WITHOUT BATTERY!!!!
1.) Start Linux
2.) Extract ultimate.zip into the Home folder on the Linux PC - the simplest and best location for further work
(files for CDMA deliberately removed, GSM kept)
3.) Start a Terminal with root privileges (su, or sudo -s) (enter your Linux password) – after the tilde there will be a hash # instead of the dollar $
4.) change to the ultimate folder: cd ultimate
enter the command chmod 755 ultimate
5.) enter ./ultimate -g -d and press Enter.
You will see the output:
___________________________________________________________________
==== EVO 3D Ultimate Recovery Tool v 2.5, developed by Unknownforce ====
IMPORTANT: Do not plug in device until TOLD to do so.
Is your misc partition 31 or 32?
____________________________________________________________________
Enter the partition number found with ADB.
____________________________________________________________________
Downgrade Selected, Ready to begin? (Y/N)
_____________________________________________________________________
Enter Y and press Enter
_____________________________________________________________________
Plug in your device now...
Waiting for device...
_____________________________________________________________________
NOW CONNECT THE PHONE. You should see something like this:
_____________________________________________________________________
Found the Correct Device!
Writing image file!
SUCCESS!
Found the Correct Device!
Writing image file!
SUCCESS!
_____________________________________________________________________
The whole thing looked like this:
[email protected]:~$ sudo -s
[sudo] password for major:
[email protected]:~# cd ultimate
[email protected]:~/ultimate# chmod 755 ultimate
[email protected]:~/ultimate# ./ultimate -g -d
==== EVO 3D Ultimate Recovery Tool v 2.5.1, developed by Unknownforce ====
GSM Device selected.
!!!WARNING!!! Be sure your device is a GSM Device!!!
You will permanently damage your phone if it's NOT a GSM device!!!
IMPORTANT: Do not plug in device until TOLD to do so.
Is your misc partition 31 or 32?
32
Downgrade Selected, Ready to begin? (Y/N)
y
Plug in your device now.
Waiting for device...
Device Found!
Writing image file!
SUCCESS!
Unbricking...
Writing image file!
SUCCESS!
Cleaning up...
All requested tasks completed.
You may now put your battery back in and boot up!
[email protected]:~/ultimate#
__________________________________________________________________________
Now remove the SD card, put the battery back in and start the phone into the bootloader. Check the bootloader version 1.49.0007; the phone can be switched on but loops on the HTC splash screen.
STEP 3.
--------------------------------------------------
Reviving the phone
1. Copy GB 1.20.401.8 to the root of the SD card, again as PG86IMG.ZIP, and let the flash run – this completes the downgrade to GB.
2. The device is in the *LOCKED*, S-ON state with GB 2.3.4
DOWNGRADE PACK .... WAIT PLEASE, UPLOADING.......
Re: DOWNGRADE-UNLOCK HB 1.53 MB REPLACED no HTCDev!!! - Tested
An English translation would be useful, indeed.
Sent from my HTC EVO 3D X515m using XDA Premium HD app
ENGLISH
EVO3D GSM ICS 1.53 downgrade BL - UNLOCK without HTCDev!!!
THX XDA user Unknownforce - this is his work, I have tested and it works!
http://forum.xda-developers.com/showthread.php?t=2124142 You can also read it here, because my English is bad.
DO EVERYTHING AT YOUR OWN RISK; I DO NOT GIVE ANY GUARANTEE. PROCEDURE TESTED ON MY EVO 3D WITHOUT PROBLEMS.
MAKE SURE THAT YOUR UNIT REALLY IS S-ON!! IF YOU DO THIS PROCEDURE ON AN S-OFF DEVICE, IT WILL BE IRREVERSIBLY DAMAGED!! Maybe no way back.
THE PROCEDURE IS FOR DEVICES THAT HAD A WARRANTY MB REPLACEMENT WITH THE ORIGINAL SN AND A NEW IMEI AND CANNOT BE UNLOCKED VIA HTCDev.
THE PHONE MUST BE IN THE STATE *LOCKED*, *S-ON*, bootloader 1.53!!
REQUIRES MINIMUM KNOWLEDGE OF LINUX (WORKING IN THE TERMINAL) AND A LIVE OR INSTALLED VERSION OF IT (UBUNTU)
!!! WARNING!!! Command to determine the current misc partition: (in Windows)
"adb shell cat /proc/partitions"
USB debugging turned on on the phone. Use the ADB command from the folder you made during your attempts to unlock via HTCDev.
This command displays the mmcblk0pxx partitions; if you see mmcblk0p32 then your misc partition is 32, if not, then it is 31. If you see both, it's the one with the higher number (for me 1022)
STEP 1
--------------------------------------------------------------------
1) Copy the PG86IMG.ZIP of your current ROM RUU (3.28.401.1 ICS) to the root of the SD card.
2) With the phone powered from the battery, reboot into the bootloader, let it detect the .zip and get to the point where it wants you to press Vol-Up to update. DO NOT update!!
3) Leave the phone in this condition and wait at least one or two minutes.
4) Remove the battery cover and connect the device to the mains.
(USE AN ORIGINAL HTC CHARGER - RECOMMENDED; non-original ones may have a lower voltage and the phone can turn off. Turning off also occurs with newer types of SD cards; try 4-8 GB, for me it worked with an A-Data 16 GB CLASS10)
5) Remove the battery. (The device should remain on; if not, start again.) Do not put the battery back inside.
6) Here is the tricky part.
Read this a few times: be ready to pull the power cord out at the right time...
Press Vol-Up
5 seconds after the moment the Bootloader Update (Updating) message starts flashing, snatch the charger from the phone (not from the wall socket; it may still give voltage for a while and you will exceed the time limit!)
Wait a while and connect the charger back. If everything went well, the red LED at the front camera should glow very weakly and steadily.
CAUTION!! On my phone the bootloader UPDATE was very fast - about 3 seconds - and it went to BOOT and onward, and the BRICK succeeded after an hour. Be patient and try it a few times. If you miss and don't unplug the cable in time, let the update finish and repeat the process again and again and again.......
The device is now BRICKED and ready for the next step.
STEP 2 - LINUX part
--------------------------------------------------------------------
DO NOT CONNECT THE PHONE - WAIT FOR THE PROGRAM
STILL NO BATTERY IN THE PHONE!!
1) Run Linux
2) Extract ultimate.zip to the Home folder - the easiest and best location for further work
(I deleted the files for CDMA, GSM only)
3) Launch a Terminal with root rights (su or sudo -s) (enter your Linux password) - the $ changes to #
4) go to your ultimate folder - cd ultimate
enter the command chmod 755 ultimate
5) type ./ultimate -g -d and press Enter.
You will see the output:
___________________________________________________________________
==== EVO 3D Ultimate Recovery Tool v 2.5, developed by Unknownforce ====
IMPORTANT: Do not plug in device until TOLD to do so.
Is your misc partition 31 or 32?
____________________________________________________________________
Enter the partition number found with ADB.
____________________________________________________________________
Downgrade Selected, Ready to begin? (Y/N)
_____________________________________________________________________
Enter Y and press Enter
_____________________________________________________________________
Plug in your device now...
Waiting for device...
_____________________________________________________________________
NOW CONNECT THE PHONE. You should see something like this:
_____________________________________________________________________
Found the Correct Device!
Writing image file!
SUCCESS!
Found the Correct Device!
Writing image file!
SUCCESS!
_____________________________________________________________________
All of it looks like this:
[email protected]:~$ sudo -s
[sudo] password for major:
[email protected]:~# cd ultimate
[email protected]:~/ultimate# chmod 755 ultimate
[email protected]:~/ultimate# ./ultimate -g -d
==== EVO 3D Ultimate Recovery Tool v 2.5.1, developed by Unknownforce ====
GSM Device selected.
!!!WARNING!!! Be sure your device is a GSM Device!!!
You will permanently damage your phone if it's NOT a GSM device!!!
IMPORTANT: Do not plug in device until TOLD to do so.
Is your misc partition 31 or 32?
32
Downgrade Selected, Ready to begin? (Y/N)
y
Plug in your device now.
Waiting for device...
Device Found!
Writing image file!
SUCCESS!
Unbricking...
Writing image file!
SUCCESS!
Cleaning up...
All requested tasks completed.
You may now put your battery back in and boot up!
[email protected]:~/ultimate#
__________________________________________________________________________
Now remove the SD card, insert the battery and start the phone into the bootloader. Verify the bootloader version 1.49.0007; the phone switches on but loops on the HTC splash screen.
STEP 3
--------------------------------------------------
Bring the phone back to working condition.
1) Copy GB 1.20.401.8 to the root of the SD card again as PG86IMG.ZIP and execute the flash (Vol-UP+PWR) - with that the downgrade to GB is done.
Now the device is in *LOCKED*, S-ON and GB 2.3.4
DOWNGRADE PACK http://www.ulozto.cz/x1i3NkS/downgrade2-rar
This is all in English in my thread in my signature below.
But the translation is helpful for some I'm sure.
Big THX to Unknownforce
I refer to your thread and I thank you again. Good work! :good: Without you this would not exist. Guys can read your post when they do not understand something from me.
I have 3.28.720.1 ICS on my MB-replaced EVO 3D instead of your 3.28.401.1 ICS.
I don't know if it will work
720?
*** LOCKED ***
SHOOTER_U PVT SHIP S-ON RL
HBOOT :1.53.0007
If yes, then it must work. GSM version!!!!!
3.28.720.1 - is it the Chinese (Asia) version? I do not know....
It's the Indian version, I am going to try it today
------------
I tried your ICS 3.28.401.1 PG86IMG.zip; it says CID incorrect.
& Yes, my device is locked & not S-OFF
*** LOCKED ***
SHOOTER_U PVT SHIP S-ON RL
HBOOT :1.53.0007
eMMC-boot
May 22 2012, 01:06:07
ICS 3.28.720.1 is the Indian version of the EVO 3D.
I guess I should change the CID of my device. Please let me know what CID I should use & also how I can get my device's PG86IMG.zip
---------
I downloaded & tried
RUU_SHOOTER_U_ICS_35_S_hTC_Asia_WWE_3.28.707.1_Radio_11.77.3504.00U_11.25.3504.06_M_release_264110_signed.zip
but same error: CID incorrect, Update Failed
Can anyone tell me how to change the CID of a locked device? I have done it before but I don't remember it now
Sent from my HTC EVO 3D X515m using Tapatalk 2
HBOOT downgraded successfully with the phone after OTA update to ICS (HBOOT 1.53). But bricking it was hard; only on the ninth attempt did it succeed to brick while updating the bootloader
Same here, managed to change CID,
After that, after 3 hours of trial & error, managed to get the brick,
After that managed to get the downgrade on a Windows 7 PC with VMPlayer (Ubuntu).
Now on LOCKED 1.49.0007. Now trying to get it unlocked. Can anyone tell me what's the best method for GB unlock without HTCDEV.com
Device now GB and HBOOT 1.49.0007, S_ON?
->Unlock with the old good Revolutionary; this also makes S-OFF and, when needed, also CWM recovery
Optional ->flash a custom Touch Recovery
->afterwards, from (4EXT) Recovery flash root or any custom ROM with root built-in
I am using Ubuntu for ControlBear; after I enter the command it says
== ControlBear 0.11 beta for JuopunutBear S-OFF ==========
(c) Copyright 2012 Unlimited.IO
If you have acquired this software from anywhere
other than our website this version may be out of
date and unsupported. Please see our website for
instructions on how to use this tool and for support.
This program may not be redistributed or included in other
works without the express permission of Team Unlimited.
www.unlimited.io | [email protected]
sh: 1: .tmp/fastboot: not found
Starting up......
Testing ADB connection
sh: 1: .tmp/adb: not found
Please help....:crying:
Recently I got a Samsung Galaxy S2, after installing CWM Recovery and Cyanogenmod 11 (4.4.4 KitKat) on it I attempted to remove the simlock by using Galaxy S2 SIM Unlock v1.0 (by Chainfire) - Unfortunately the generated code did not unlock the simlock.
I continued my attempts to remove the simlock by directly Bit Flipping nv_data.bin.
After I have made changes to the file I copied it back to /esf/nv_data.bin and ensured file ownership and permissions remained the same.
After rebooting I noticed the /esf/nv_data.bin was overwritten by the firmware/system and my changes were lost.
The significant contents of nv.log are as follows:
Code:
Thu Oct 30 16:29:25 2014: fail - no checksum info
Thu Oct 30 16:29:25 2014: NV restored
Thu Oct 30 16:29:25 2014: MD5 status = (OFF)
I am unable to calculate a checksum hash since the phone seems to use a modified version of the md5sum utility, if I proceed with standard md5 I get the following in nv.log:
Code:
Thu Oct 30 16:38:23 2014: checksum fail
Thu Oct 30 16:38:23 2014: NV restored
What hashing algorithm is used by the phone and how can I make it accept the modified version of nv_data.bin?
Tips on other methods how to remove the simlock are also welcome.
HTC One X+ S728e (pm35110) HANG IN LOGO
Details as below
***unlocked***
ENRC2B_U PVT ship s-on rl
HBOOT-1.72.0000
CPLD-NONE
MICROP-NONE
RADIO-3.1204.171.33
EMMC-BOOT MODE DISABLED
CPU-BOOTMODE DISABLED
HW SECURE BOOT:ENABLED
MODEM PATHFF
DETAILS IN MULTI TOOL AS BELOW
MODEL:ENRC2B_U
IMEI:3535.....9189
BUILD:2.18.707.6
CID:HTC_038
HBOOT:1.72.0000
MIDM3511000
SECURITYN
REGION:ASIA_INDIA
I got the latest file
PM35IMG_ENRC2B_U_JB_50_S_hTC_Asia_WWE_2.18.707.5_Radio_3.1204.171.33_release_335132_signed.zip
Tried this file via OTG in hboot - stuck at "rom parsing start...."
Full details as below
zipfile[PM35DIAG.zip] not found
[region] no gift files....
[preload] loading preload content.....
[preload] preload content not found
loading PM35IMG.ZIP image
seeking zip file
reading zip file
b4 seeking zip file done
flashing zip file
signature checking...
rom parsing start...
Now stuck - tried two pendrives and MMC also. Stuck at "rom parsing start"
Is it a flash file problem?
Phone build 2.18.707.6 and flash file build 2.18.707.5 (lower version), but the radio version is the same.
So I think it is a flash file problem.
Any way to downgrade the build version from 2.18.707.6 to 2.18.707.5?