This should allow you to remove the security and CID locks from the HTC Hero.
Do *not* attempt this if you haven't done this sort of thing before or are at all unsure; I can't be held responsible if you break your phone.
You will need:
* An HTC debug *serial* cable. There are instructions on how to build one elsewhere on xda-developers.com.
* Serial terminal software - I use minicom under linux myself.
* A USB cable.
* The zip file downloaded from here.
* A PC with a copy of the "fastboot" program.
* A HERO handset with the 63.18.55.06_6.35.04.25 radio firmware version and the 1.76.0004 HBOOT version. Other versions can probably be supported, but I've no interest in doing this myself. However, source is included in the download for others to do so if they wish.
Overview:
The MSM7201A used on the Hero has two CPU cores, an ARM9 and an ARM11. The ARM9 runs the radio software, and the ARM11 runs Android. The ARM9 boots its own bootloaders first, which set up the radio and security. It then boots the ARM11 CPU, which runs its own bootloader, providing the "fastboot" functionality amongst other things.
Both CPUs use the same DRAM, but there is a hardware partitioning system built into the MSM7201A which prevents each CPU from writing to the other's memory space. Luckily this can be disabled.
The ARM9 bootloader can be entered by holding VOLUP when powering up. The phone will vibrate three times and the power LED will be green. However the screen will remain black. This supports many serial commands, only a few of which are available in security-locked mode.
The ARM11 bootloader can be entered by holding VOLDOWN or BACK when powering up. It shows the three-androids-on-skateboards logo. It supports USB control using the android-specific fastboot protocol, but also has a serial HBOOT mode which supports a few commands. There is a second hidden set of commands which are not accessible without software patching.
This patch will:
* Temporarily enable the additional ARM11 commands.
* Temporarily disable checks on a few ARM9 radio AT commands to allow the removal of locks.
The patches to the software are done in RAM, so the patches will "vanish" on a powercycle. However, executing the patched AT commands below will write to HTC config area in flash, so the security-off and super-CID modes /will/ persist.
Instructions:
Note: all commands obviously need <ENTER> pressed after them
1. Connect the serial cable and start your terminal software (115200 8N1)
2. Power up the phone holding down VOLDOWN (this boots into the ARM11 HBOOT mode). You should see various messages and get a command prompt.
3. Type "rtask b" and wait for a while until it says "AT-Command Interpreter ready" (this starts the radio software running on the ARM9 and accesses its AT interface).
4. Type "retuoR" (this returns to the ARM11 HBOOT software).
5. Enter fastboot mode by pressing the "BACK" button on the phone.
6. Unplug the serial cable and plug in the USB cable.
7. Boot the hackspl.img by running "fastboot boot hackspl.img" on your PC.
8. The screen will go black and show the normal boot logo. However if you press "VOLDOWN" the screen should clear and you'll re-enter HBOOT mode.
9. Unplug the USB cable and plug in the serial cable again.
10. Type "rtask b" - This will enter the radio AT interface.
11. Type "ATE1" - this will enable character echo mode, which helps with typing a lot!
12. Type "[email protected]=8,0" - this will disable security. It should print "0" when done, which may take a few seconds.
13. Type "[email protected]=11111111" - this will set the "Super-CID". It should print "0" when done, which may take a few seconds.
14. Type "retuoR" - returns to the ARM11 bootloader.
15. Type "erasebcid" - this will erase the "backup CID" from the ARM11.
After this lot, your phone should be security unlocked and be super-CID. On reboot, the ARM11 skateboard screen should say "S-OFF" instead of "S-ON" on the top line. On a normal boot, you should see "Device is Super-CID" printed over the serial port at some point before it boots Android.
You will be able to flash system/boot/recovery etc directly using the fastboot command from your PC.
If you type "h" after step 15, you'll see a much bigger list of commands than normal - these are the ARM11 hidden commands.
If you boot into the ARM9 bootloader (hold VOLUP on powerup) with security-off, and type "h" you'll see a list of some of the ARM9 commands. There are actually more; it just doesn't list them in the help screen.
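As an added example (my own code, not adq's and not part of the original post): a small driver for the serial half of the procedure, steps 10 to 15, written so that each answer from the phone is actually read and the next step is only sent when the previous one answered the "0" the post says to expect. It assumes a port object with read()/write() such as pyserial's serial.Serial opened at 115200 8N1 (pyserial itself is an assumption, not on the page), takes the two AT command strings from steps 12 and 13 as parameters rather than hard-coding them, and the FakeHero class is a constructed stand-in for the phone used only to exercise the logic offline.

```python
import re
import time


class ConsoleError(Exception):
    """The phone did not answer as expected: stop here, never run the next step blind."""

class HeroConsole:
    """Line driver for the Hero serial console (115200 8N1; 3.3 V TTL adapter only).

    `port` needs read(n) -> bytes and write(bytes), e.g. pyserial's
    serial.Serial("/dev/ttyUSB0", 115200, timeout=0.1) (pyserial is an assumption,
    not on the page). `sleep` is injectable so the logic can be tested without delays."""

    def __init__(self, port, sleep=time.sleep):
        self.port = port
        self.sleep = sleep

    def send(self, line):
        self.port.write((line + "\r").encode("ascii"))

    def drain(self):
        """Discard stale output so an old '0' cannot be taken for this step's answer."""
        while self.port.read(256):
            pass

    def wait_for(self, pattern, timeout):
        """Read until the multi-line regex `pattern` matches; raise ConsoleError on timeout."""
        rx = re.compile(pattern, re.MULTILINE)
        buf = ""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            chunk = self.port.read(256)
            if not chunk:
                self.sleep(0.05)
                continue
            buf += chunk.decode("ascii", errors="replace")
            m = rx.search(buf)
            if m:
                return m
        raise ConsoleError(f"timed out after {timeout}s waiting for {pattern!r}; got {buf!r}")

    def at_command(self, cmd, timeout=30):
        """Send one AT command; return its result line ('0' means success, per the post)."""
        self.drain()
        self.send(cmd)
        # Only a whole line of exactly '0' (or ERROR...) counts; the echoed command never matches.
        return self.wait_for(r"^(0|ERROR.*?)\s*$", timeout).group(1)

def unlock_sequence(console, security_off_cmd, super_cid_cmd, settle=1.0):
    """Steps 10 to 15 of the post, run only after hackspl.img is booted (step 8).

    The two AT commands from steps 12 and 13 are supplied by the caller. Returns the
    completed steps; raises ConsoleError at the first step that does not answer '0'."""
    done = []
    console.send("rtask b")                   # step 10: hand the console to the ARM9 AT interpreter
    console.wait_for(r"AT-Command Interpreter ready", timeout=60)
    done.append("rtask")
    # Step 11 (ATE1) only helps a human typist; a script does not need local echo.
    for name, cmd in (("security-off", security_off_cmd), ("super-cid", super_cid_cmd)):
        answer = console.at_command(cmd)      # steps 12 and 13: each must answer exactly '0'
        if answer != "0":
            raise ConsoleError(f"{name} answered {answer!r}, not '0'; stopping before the next step")
        done.append(name)
    console.send("retuoR")                    # step 14: back to the ARM11 HBOOT
    console.sleep(settle)                     # the post gives no HBOOT prompt text to wait for
    console.send("erasebcid")                 # step 15: erase the backup CID
    done.append("erasebcid")
    return done

class FakeHero:
    """Constructed stand-in for the phone (not real output): echoes each command, answers from a table."""

    def __init__(self, replies):
        self.replies = replies
        self.received = []
        self.pending = b""

    def write(self, data):
        cmd = data.decode("ascii").strip()
        self.received.append(cmd)
        self.pending += f"{cmd}\r\n{self.replies.get(cmd, '')}\r\n".encode("ascii")

    def read(self, n):
        chunk, self.pending = self.pending[:n], self.pending[n:]
        return chunk

def simulate(replies, security_off_cmd="<step 12 AT command>", super_cid_cmd="<step 13 AT command>"):
    """Run unlock_sequence against FakeHero; return (steps_done, error_text, commands_sent)."""
    phone = FakeHero(replies)
    console = HeroConsole(phone, sleep=lambda seconds: None)
    try:
        return unlock_sequence(console, security_off_cmd, super_cid_cmd), None, phone.received
    except ConsoleError as exc:
        return None, str(exc), phone.received
```

Against a real phone you would pass serial.Serial("/dev/ttyUSB0", 115200, timeout=0.1) as the port and the two real AT commands from steps 12 and 13; the point of the drain() and the whole-line regex is that a stale "0" or an echoed command can never be mistaken for the answer to the current step, and that a non-zero answer stops the run before the next flash-writing command is sent.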
Thanks for this hack adq. Just tried this now and can confirm it worked fine.
For the console I built a TTL console cable using the "HTC Multifunction Audio Cable YC A300". This connector has 2x ExtUSB (1 for headphone and 1 for data/charge) plus 2x headphone plugs. Inside there are two boards: one board connected for USB data/charge and one for the others. So by removing the board for the headset and connecting the pins to a TTL adapter I got both console and USB connectivity at the same time. Hence, I did not have to replug during your process.
My device was factory programmed with hboot 1.76.0007 and radio 63.18.55.06EU_6.35.06.18. I downgraded from both these to the ones you specified before attempting the hack.
I have now upgraded back to hboot 1.76.0007 and radio 63.18.55.06EU_6.35.06.18. The security and CID are still kept from the hack!
Great job adq,
Best regards,
Exion
great work adq, works fine!
Exion said:
I have now upgraded back to hboot 1.76.0007 and radio 63.18.55.06EU_6.35.06.18. The security and CID are still kept from the hack!
Even if the bootloader says HERO CVT SHIP S-OFF, the fastboot boot command does still not work in 1.76.0007 bootloader. So I have reverted back to 1.76.0004 again for now. Maybe there is more we need to modify ?
Exion said:
Thanks for this hack adq. Just tried this now and can confirm it worked fine.
For the console I built a TTL console cable using the "HTC Multifunction Audio Cable YC A300". This connector has 2x ExtUSB (1 for headphone and 1 for data/charge) plus 2x headphone plugs. Inside there are two boards: one board connected for USB data/charge and one for the others. So by removing the board for the headset and connecting the pins to a TTL adapter I got both console and USB connectivity at the same time. Hence, I did not have to replug during your process.
My device was factory programmed with hboot 1.76.0007 and radio 63.18.55.06EU_6.35.06.18. I downgraded from both these to the ones you specified before attempting the hack.
I have now upgraded back to hboot 1.76.0007 and radio 63.18.55.06EU_6.35.06.18. The security and CID are still kept from the hack!
Great job adq,
Best regards,
Exion
Hello, can you please take some photos of the HTC Multifunction Audio Cable YC A300 and the inside of it so I know what I need to do?
Quick question to adq:
Is the unlocking with serial cable the only way to get this done? Or is there a way to flash a S-OFF SPL using normal methods?
If not, then I guess it's time to bring out the ol' good soldering iron
Thanks, made this a sticky, file moved to a more permanent location
Nice!
I need to make myself a cable now...
P
Could it be possible to make the cable using a USB2serial adapter and then use an extUSB breakout board and an RS232 connector and solder them together (correct pins) and then just connect the RS232 to the USB2RS232 adapter and the adapter to the PC?
B
packetlss said:
Quick question to adq:
Is the unlocking with serial cable the only way to get this done? Or is there a way to flash a S-OFF SPL using normal methods?
If not, then I guess it's time to bring out the ol' good soldering iron
Hi, not with the code as it is right now. However, there's no reason someone else couldn't take the code and remove the serial requirement; this was simply the fastest way to get the thing working. I'm not very interested in doing this myself though, as I want to get on with looking at other things.
oblika said:
Could it be possible to make the cable using a USB2serial adapter and then use an extUSB breakout board and an RS232 connector and solder them together (correct pins) and then just connect the RS232 to the USB2RS232 adapter and the adapter to the PC?
B
Hi, I use a USB->(3.3v) serial adapter with the HTC serial breakout board soldered to the other side of it; my laptop doesn't have a serial interface otherwise.
hi!
Just to ask, what will be the advantages of this?
greetings
adq said:
Hi, I use a USB->(3.3v) serial adapter with the HTC serial breakout board soldered to the other side of it; my laptop doesn't have a serial interface otherwise.
I currently have a Digitus USB 2.0 -> rs232 (http://www.digitus.info/en/products/accessories/?c=1216&p=3530). Does this adapter seem ok to you?
I have done some googling and found out that it has an FTDI chip (FT232BM). I just want to make sure that it uses 3.3V.
http://www.ftdichip.com/Products/FT232BM.htm
http://www.ftdichip.com/Documents/DataSheets/DS_FT232BM.pdf
---
Where did you order the breakout board? I'm from Slovenia (Europe). Where would be the best place to order?
B
Can somebody with S-OFF dump their SPL?
oblika said:
I currently have a Digitus USB 2.0 -> rs232 (http://www.digitus.info/en/products/accessories/?c=1216&p=3530). Does this adapter seem ok to you?
I have done some googling and found out that it has an FTDI chip (FT232BM). I just want to make sure that it uses 3.3V.
http://www.ftdichip.com/Products/FT232BM.htm
http://www.ftdichip.com/Documents/DataSheets/DS_FT232BM.pdf
---
Where did you order the breakout board? I'm from Slovenia (Europe). Where would be the best place to order?
B
Ah - if that's specifically a USB->RS232 adaptor, that will most likely run at 12v, so it'd fry the phone.
www.sparkfun.com have the HTC breakout boards; they also have USB->3.3v serial adaptors such as http://www.sparkfun.com/commerce/product_info.php?products_id=198, but you'll have to make certain it's *definitely* 3.3v; even 5v might fry it. I paranoidly checked at the last minute with a voltmeter.
There's an instructables article about it here: http://www.instructables.com/id/Android_G1_Serial_Cable/
Looking about, I see www.coolcomponents.co.uk have such things in the UK.
Adq, sorry to bother you again.
Looking at your suggestions above, would these items make a good starting point for making a cable then?
http://www.coolcomponents.co.uk/catalog/product_info.php?products_id=100
http://www.coolcomponents.co.uk/catalog/product_info.php?products_id=266
felikz said:
just to ask, what will be advantages of this??
I would like to know this too, thanks.
O MY GOD,Can someone translate it into Chinese?It is very important to me...................
thank you adq!
KinkyGolab said:
Hello, can you please take some photos of the HTC Multifunction Audio Cable YC A300 and the inside of it so I know what I need to do?
Hi KinkyGolab,
You can get the pinout details/pictures from my wiki http://www.suphammer.net/Hero/ExtUSB
Please note there are two PCBs in the dongle. I have only investigated the connections for the audio board (where the TTL serial signals are available).
Please use a TTL 3v level serial adapter when connecting to the serial pins. Connecting the serialport of your pc directly to the serial pins of the HTC will damage your HTC.
Best regards,
Exion
erm guys, what should be the reason to break the security of one's phone?!
I'm trying to connect a PL2303 USB serial converter to my Samsung Galaxy S2 (to use in the Slick USB 2 Serial Terminal app) but the device is not recognized by my phone. (dmesg reports hub 2-0:1.0: unable to enumerate USB device on port 1.) I've already tried to compile my own kernel with different configurations (including the serial port driver) but none of them seems to work. Is there a way to get this device to work on the Samsung Galaxy S2? (On my Transformer Prime TF201 the device works perfectly.)
Edit: I am using CyanogenMod 9. (Mistyped it when creating the thread.)
Does the Nokia N1 have OTG support? I have tried to connect my USB flash drive through an OTG cable but it doesn't work for me....
Doesn't work for me either >_<
I don't have an otg cable myself (yet) but can you try to use USB Host Diagnostics (available in play store) and post the report?
FYI I got an OTG cable myself and it didn't work. I dug a bit deeper and found out that OTG is most likely not implemented because the Nokia N1 is using a legacy USB controller over USB C - see below:
Converting USB 2.0 OTG SoCs to USB Type-C
While existing Device, Host, and DRD devices can be converted to support the USB Type-C connection with some effort, it is not practical to convert existing OTG SoCs. OTG requires a new state machine using the configuration channel to support USB Type-C. Host Negotiation Protocol is used to swap host and device role for OTG, while Power Delivery communication is used to change roles for USB Type-C. Combined, these challenges preclude simple upgrades of OTG SoCs to USB Type-C. - See more at: https://www.synopsys.com/Company/Pu...esign-type-c-2015q1.aspx#sthash.Ri02Guwe.dpuf
The only chance to get OTG to work is most likely preparing a kernel patch (are the sources even available?) to manually switch the connector to host mode and power the attached device externally.
After a bit of hacking around I was able to enable USB OTG on my N1!
I've had a look at the kernel sources for a device with a similar SoC (Nexus Player) and saw an interesting debugfs entry. To my surprise it worked like a charm and immediately detected the attached USB hub with a thumb drive; it even powered the hub so I didn't have to use an external power source!
To enable host mode, the following command has to be entered in a root console:
echo A > /sys/kernel/debug/usb/dwc3_debugfs_root/otg_id
Caveats (will try to find a way to resolve them):
- after enabling host mode the N1 won't charge from the USB port - a reboot is required to enable charging again
- probably the same is true for peripheral mode (connecting the N1 to a PC). In theory, changing A to B in the above echo command should bring the tablet back to normal mode but for some reason it won't charge without a reboot so I'm assuming the same is true for non-OTG USB connectivity. Will have a look at the sources and debug messages to find out what's going on.
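Added example (mine, not wodz69's code): a root-side helper that sets the dwc3 otg_id knob from the post ('A' for host, 'B' for peripheral, as the post uses them), validating the role and failing loudly when debugfs is not there, and then reads /sys/bus/usb/devices to confirm that a device really enumerated once host mode is on. The sysfs layout it reads (idVendor, idProduct and product files per device directory, none of them on interface directories like 1-1:1.0) is the standard Linux one; demo_in_tempdir() builds a constructed copy of that tree in a temporary directory so the logic can be exercised without a tablet.

```python
import os
import tempfile

OTG_ID_PATH = "/sys/kernel/debug/usb/dwc3_debugfs_root/otg_id"   # from the post above
USB_SYSFS = "/sys/bus/usb/devices"


def set_otg_role(role, path=OTG_ID_PATH):
    """Write 'A' (host) or 'B' (peripheral) to the dwc3 otg_id debugfs attribute.

    Needs root and a mounted debugfs; a missing path is reported instead of being
    silently ignored, since `echo A > ...` in a non-root shell just fails.
    """
    role = role.strip().upper()
    if role not in ("A", "B"):
        raise ValueError(f"role must be 'A' (host) or 'B' (peripheral), got {role!r}")
    if not os.path.exists(path):
        raise FileNotFoundError(f"{path} not found: is debugfs mounted and are you root?")
    with open(path, "w") as f:
        f.write(role)
    return role


def enumerated_usb_devices(sysfs_root=USB_SYSFS):
    """Return (idVendor, idProduct, product) for every enumerated USB device.

    Interface directories such as 1-1:1.0 carry no idVendor and are skipped, so the
    result is one entry per device, root hubs (vendor 1d6b) included.
    """
    devices = []
    for name in sorted(os.listdir(sysfs_root)):
        d = os.path.join(sysfs_root, name)
        try:
            with open(os.path.join(d, "idVendor")) as f:
                vid = f.read().strip()
            with open(os.path.join(d, "idProduct")) as f:
                pid = f.read().strip()
        except OSError:
            continue
        try:
            with open(os.path.join(d, "product")) as f:
                product = f.read().strip()
        except OSError:
            product = ""          # not every device exposes a product string
        devices.append((vid, pid, product))
    return devices


def external_devices(sysfs_root=USB_SYSFS):
    """Everything except Linux root hubs (vendor 1d6b): what OTG host mode actually found."""
    return [dev for dev in enumerated_usb_devices(sysfs_root) if dev[0] != "1d6b"]


def demo_in_tempdir():
    """Constructed sysfs/debugfs tree (sample data, not captured from an N1) to exercise the code."""
    root = tempfile.mkdtemp()
    otg = os.path.join(root, "otg_id")
    with open(otg, "w") as f:
        f.write("B")
    sysfs = os.path.join(root, "devices")
    for name, attrs in {
        "usb1": {"idVendor": "1d6b", "idProduct": "0002", "product": "xHCI Host Controller"},
        "1-1": {"idVendor": "0424", "idProduct": "2514"},                  # hub without a product string
        "1-1:1.0": {},                                                     # interface dir: no idVendor
        "1-1.2": {"idVendor": "13fe", "idProduct": "5500", "product": "DataTraveler"},
    }.items():
        os.makedirs(os.path.join(sysfs, name))
        for attr, value in attrs.items():
            with open(os.path.join(sysfs, name, attr), "w") as f:
                f.write(value + "\n")
    result = {"role": set_otg_role("a", otg)}
    with open(otg) as f:
        result["written"] = f.read()
    result["external"] = external_devices(sysfs)
    try:
        set_otg_role("C", otg)
        result["rejects_bad_role"] = False
    except ValueError:
        result["rejects_bad_role"] = True
    try:
        set_otg_role("A", os.path.join(root, "missing"))
        result["reports_missing_debugfs"] = False
    except FileNotFoundError:
        result["reports_missing_debugfs"] = True
    return result
```

On the tablet itself the call is set_otg_role("A") followed by external_devices() a second or two later; an empty list after switching means the port never enumerated anything, which separates "host mode did not engage" from "the attached device needs more power than the port gives". Note that, as the post says, switching back to "B" does not restore charging without a reboot; this code does not try to work around that.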
wodz69 said:
After a bit of hacking around I was able to enable USB OTG on my N1!
I've had a look at the kernel sources for a device with a similar SoC (Nexus Player) and saw an interesting debugfs entry. To my surprise it worked like a charm and immediately detected the attached USB hub with a thumb drive; it even powered the hub so I didn't have to use an external power source!
To enable host mode, the following command has to be entered in a root console:
echo A > /sys/kernel/debug/usb/dwc3_debugfs_root/otg_id
Caveats (will try to find a way to resolve them):
- after enabling host mode the N1 won't charge from the USB port - a reboot is required to enable charging again
- probably the same is true for peripheral mode (connecting the N1 to a PC). In theory, changing A to B in the above echo command should bring the tablet back to normal mode but for some reason it won't charge without a reboot so I'm assuming the same is true for non-OTG USB connectivity. Will have a look at the sources and debug messages to find out what's going on.
Thanks for your hard work.
I have tried it on my N1. It is amazing that OTG did work. However, OTG cannot coexist with the charging function, as with yours. Hope someone could find a solution.
adagiov said:
Thanks for your hard work.
I have tried it on my N1. It is amazing that OTG did work. However, OTG cannot coexist with the charging function, as with yours. Hope someone could find a solution.
Hey,
Are you on Android 5.1.1 or 5.0 ?
I've had a look at the code of the USB driver of a phone with a similar chipset (Asus Zenfone 5) and it seems that the source of the problem is that the tablet fails to detect an appropriate charger type, which could mean either that the OTG cable does not support this or that the code of the driver does not work properly with USB C. Was wondering if something changed around this after the update?
wodz69 said:
Hey,
Are you on Android 5.1.1 or 5.0 ?
I've had a look at the code of the USB driver of a phone with a similar chipset (Asus Zenfone 5) and it seems that the source of the problem is that the tablet fails to detect an appropriate charger type, which could mean either that the OTG cable does not support this or that the code of the driver does not work properly with USB C. Was wondering if something changed around this after the update?
Hi, my N1 is still running Android 5.0.
I am afraid root is the prerequisite to hack OTG. Unfortunately, root is not available on Android 5.1.1 so far, so even if the Android 5.1.1 driver supports it, that won't help.
Thanks, dude.
Yeah, exactly for that reason I haven't upgraded my tablet yet.
Hi !
I have a problem with my P1C72: when I plug it into any computer, it is not recognized as a USB device. In Windows it appears as an unknown device, with a code 43 error, and no hardware identification number (shown as USB\UNKNOWN, no VID or PID).
It does this in recovery, fastboot and normal use.
It charges alright though.
At first I thought it was the USB board, so I ordered a new one and changed it, but the problem stays the same.
So I am wondering, could it be software related? Some configuration file that got screwed up somewhere?
Or is the USB controller located elsewhere than on the board with the micro USB port?
Does anyone have an idea?
Hi, I just installed the beta build of the AOSP Oreo ROM and soon after finding working-ish gapps TWRP was gone, and I hadn't had a chance to root yet, so I went to my computer to manually flash recovery but my device refuses to get recognized. I have installed the latest Google and universal drivers, but they don't show up for me to set them to my Nexus. I'm running the latest Win10 on my desktop, using a known good USB cable, and have switched between the only USB 2.0 ports I have (2). I've tried in normal boot state and in fastboot, but the drivers won't match up to proceed. Does anyone know anything about this? Is this an issue with Win10 or is it something else?
So, assuming that no one has encountered this before, I guess I'll just wait until an app that can root comes out for Oreo and hopefully that can get me fixed up, but if in the meantime someone comes across this and actually has some insight, any help would be very much appreciated.
deathblade said:
someone comes across this and actually has some insight any help would be very much appreciated.
Since fastboot does not work then do the following:
Win10 may be broken; check for the flo ID = 18D1:4EE0 using an alternative OS - if it still does not work then...
repair the broken N7 USB port or re-seat the wide silver cable to fix the USB data lines.
Thanks for your suggestion, I'm downloading the ISO right now, will post back after following the instructions, hope this works.
OK, just followed your instructions, and this is what I got:
$ lsusb
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 002: ID 13fe:5500 Kingston Technology Company Inc.
Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 002 Device 004: ID 04f2:b40e Chicony Electronics Co., Ltd HP Truevision HD camera
Bus 002 Device 003: ID 1a40:0101 Terminus Technology Inc. Hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
I don't see the ID you are referring to.
Also I reseated the cables with no change and visually inspected the port and solder joints and all seem OK; here are a few pics (I apologise about any quality issues, I'm not a photographer). EDIT: So I verified the data connection works just fine, I was able to view the contents of an OTG flash drive. Is there any way to use an OTG flash drive to force auto-install a custom recovery?
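Added example (mine, not from anyone in this thread): a parser for the lsusb listing above plus the check k23m asked for, written so the ID can be given in either case (k23m wrote 18D1:4EE0; lsusb prints lowercase hex), and a diagnose() that distinguishes "the wanted device is missing but others enumerated" from "only root hubs, the port saw nothing", which is the cable/port/phone case rather than a Windows driver case. SAMPLE_LSUSB is deathblade's listing copied from the post; SAMPLE_WITH_FASTBOOT adds a constructed line for a Nexus 7 in fastboot (vendor 18d1 is Google's) to show the positive case.

```python
import re

LSUSB_LINE = re.compile(
    r"^Bus (?P<bus>\d{3}) Device (?P<dev>\d{3}): ID "
    r"(?P<vid>[0-9A-Fa-f]{4}):(?P<pid>[0-9A-Fa-f]{4})\s*(?P<desc>.*)$"
)

# Copied from the post above.
SAMPLE_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 002: ID 13fe:5500 Kingston Technology Company Inc.
Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 002 Device 004: ID 04f2:b40e Chicony Electronics Co., Ltd HP Truevision HD camera
Bus 002 Device 003: ID 1a40:0101 Terminus Technology Inc. Hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
"""

# Constructed: the same host with a Nexus 7 in fastboot attached (this line is made up).
SAMPLE_WITH_FASTBOOT = SAMPLE_LSUSB + "Bus 002 Device 005: ID 18d1:4ee0 Google Inc.\n"


def parse_usb_id(text):
    """'18D1:4EE0' or '18d1:4ee0' -> (0x18d1, 0x4ee0); the hex is case-insensitive."""
    m = re.fullmatch(r"\s*([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})\s*", text)
    if not m:
        raise ValueError(f"not a vid:pid pair: {text!r}")
    return int(m.group(1), 16), int(m.group(2), 16)


def parse_lsusb(output):
    """Turn lsusb text into dicts; shell prompts and any other noise lines are ignored."""
    devices = []
    for line in output.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if not m:
            continue
        devices.append({
            "bus": int(m["bus"]), "device": int(m["dev"]),
            "vid": int(m["vid"], 16), "pid": int(m["pid"], 16),
            "desc": m["desc"].strip(),
        })
    return devices


def find_device(devices, usb_id):
    """All parsed entries matching a 'vid:pid' string, compared numerically."""
    vid, pid = parse_usb_id(usb_id)
    return [d for d in devices if d["vid"] == vid and d["pid"] == pid]


def diagnose(output, usb_id="18D1:4EE0"):
    """Say whether the wanted device enumerated and, if not, what the host did see.

    Only root hubs (vendor 1d6b) present means the port saw no device at all, which
    points at cable, port or phone rather than at a Windows driver problem.
    """
    devices = parse_lsusb(output)
    hits = find_device(devices, usb_id)
    if hits:
        h = hits[0]
        return f"found {usb_id.lower()} on bus {h['bus']:03d} device {h['device']:03d}: {h['desc']}"
    others = [d for d in devices if d["vid"] != 0x1d6b]
    if not others:
        return f"{usb_id.lower()} not enumerated and no other devices seen: check cable/port/phone"
    seen = ", ".join(f"{d['vid']:04x}:{d['pid']:04x}" for d in others)
    return f"{usb_id.lower()} not enumerated; host sees only: {seen}"
```

On a live box, feed it the real command output: diagnose(subprocess.run(["lsusb"], capture_output=True, text=True).stdout). Run it once per physical port and once per cable, as k23m suggests below, since the listing is the only thing that tells a dead data pair apart from a missing driver.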
deathblade said:
EDIT: so I verified the data connection works just fine, was able to view contents on an otg flash drive
I see that your laptop has both USB2 and USB3 ports. Please boot the N7 in fastboot mode, connect it to USB2 then USB3 while checking lsusb for the ID. Note that the ports use different PC hardware and drivers and one of them appears to be either unsupported or faulty.
Also "a known good usb cable" may be good for charging but not for data transfer so just try another one.
Had a comparable issue recently due to win10 preferring some default driver over Google driver for fastboot.
k23m said:
I see that your laptop has both USB2 and USB3 ports. Please boot the N7 in fastboot mode, connect it to USB2 then USB3 while checking lsusb for the ID. Note that the ports use different PC hardware and drivers and one of them appears to be either unsupported or faulty.
Also "a known good usb cable" may be good for charging but not for data transfer so just try another one.
OK, just tried with the USB 2 and 3.0 ports, same result, but oddly the listing does differ from my previous one: it now shows an Intel device (I assume my CPU or a chipset) that wasn't listed before. But still no Nexus. Will try with different cables later today as I have to hunt one down (just moved).
OK, so I just found another cable (with a built-in OTG USB port) and even in Windows 10 it worked just fine, thank you so much for your help. The cable I was using before was an Anker gold tipped nylon braided 10ft USB cable; my guess is that at 10ft it has too much resistance to actually work properly for such data based tasks. I will at some point get another (smaller) Anker cable to test this theory.