Changes between Version 33 and Version 34 of radio_s_off


Timestamp: 11/30/10 00:26:03 (14 years ago)
Author: anonymous
Comment: --

  • radio_s_off

    v33 v34  
    11= Radio S-OFF =
    2 '''WORK IN PROGRESS - NOT DONE YET'''
    32
    4 == Howto (Overview of the steps) ==
    5 
    6 '''WARNING:  You're backing up the radio partition, but be aware you are seriously messing with your phone here with a lot of potential for screwing things up.  Do so at your own risk.'''
    7 
    8 1. Perm root your phone
    9 
    10 2. Make a backup of partition 7 of your phone, copy the image of partition 7 to your PC and modify it with a HEX-editor
    11 
    12 3. Use a custom kernel and the appropriate wp-this module to get rid of the write protection of the radio partitions
    13 
    14 4. Push the modified partition 7 image back to phone and copy it to the partition 7
    15 
    16 At this point in time the @secu_flag is removed from your phone and your phone is S-OFF.
    17 
    18 == Optional step - verify the S-OFF (Overview of the steps) ==
    19 
    20 5. start hboot, attach a serial console to it and start rtask c.  Attach a serial console to the now running AT-command interpreter and run some AT-commands to verify the success
    21 
    22 === 1. Perm root your phone ===
    23 See [http://forum.xda-developers.com/wiki/index.php?title=HTC_Vision#Rooting_the_G2] for instructions on how to perm-root.
    24 
    25 === 2. Backup partition 7 ===
    26 Create a backup of your partition 7:
    27 
    28 Get a adb-shell:
    29 {{{
    30 adb shell
    31 }}}
    32 
    33 In the shell
    34 {{{
    35 su
    36 dd if=/dev/block/mmcblk0p7 of=/sdcard/mmcblk0p7-ori.img
    37 }}}
    38 Exit the shell and copy the image to your PC.
    39 (On your PC)
    40 {{{
    41 mkdir p7
    42 cd p7
    43 adb pull /sdcard/mmcblk0p7-ori.img mmcblk0p7-ori.img
    44 }}}
    45 Make a copy of the image
    46 {{{
    47 cp mmcblk0p7-ori.img mmcblk0p7-new.img
    48 }}}
    49 ==== Hex-edit the file ====
    50 I use bless for the manual patches and dd for the bigger part.  OS X users may consider using [http://www.suavetech.com/0xed/0xed.html 0Xed]
    51 
    52 1. The CID:
    53 
    54 Edit mmcblk0p7-new.img and change the string T-MOB010 at position 0x200 (decimal offset 512) to the string 11111111
    55 
    56 2. the secu_flag:
    57 
    58 Edit mmcblk0p7-new.img and change the byte 0x01 at 0xA00 (decimal offset 2560) to 0x00
    59 
    60 
    61 3. Set the area 0x80000 to 0x82fff (decimal offset: 524288 to 536575) to all zero.  So get rid of your hex editor, and lets just use dd on your computer.
    62 
    63 {{{
    64 dd if=/dev/zero of=mmcblk0p7-new.img seek=524288 bs=1 count=196608
    65 dd if=mmcblk0p7-ori.img of=mmcblk0p7-new.img bs=1 seek=720896 skip=720896
    66 }}}
    67 
    68 4. Back to the hex editor.  Edit mmcblk0p7-new.img and set the 4 bytes at 0x80000 to 78 56 F3 C9 and set the 4 bytes at 0x807fc to 49 53 F4 7D
    69 
    70 That's it. Now we need to install the modified partition 7 to the phone.
    71 
    72 === 3. Use custom kernel and module to get rid of the write protection ===
    73 
    74 To update the radio image you will have to get around two forms of protection-- first is the kernel restrictions on writing to the radio partition.  Then, there is the emmc firmware chip's read-only protection.
    75 
    76 So, you will have to first install a special cyanogenmod-based kernel that disables the kernel protection for the radio partition.  Then you'll also need a "wp-this" kernel module for this kernel that drops the emmc write protection.
    77 
    78 The boot.img that contains the kernel can be found here: [http://www.thinkthinkdo.com/boot-new.img]
    79 
    80 The wp-this module for this kernel is here [http://www.thinkthinkdo.com/wpthis-cyanogen.ko]
    81 
    82 Install the custom kernel from your computer using fastboot.
    83 
    84 First boot your G2 into fastboot mode (press Power Button and the trackpad Button until the screen with the surfing androids appear and it says FASTBOOT or FASTBOOT USB in red).
    85 
    86 Make sure you've downloaded fastboot onto your computer.  It comes along with "adb" with the [http://developer.android.com/sdk/installing.html Android SDK]
    87 
    88 (note-- on the Mac, you may want to say "fastboot-mac" instead of "fastboot" below)
    89 
    90 (On your PC)
    91 {{{
    92 fastboot erase boot
    93 fastboot flash boot boot-new.img
    94 }}}
    95 Reboot the phone into normal mode and copy the new image to the G2
    96 
    97 === 4. Copy the modified partition 7 back to the phone ===
    98 (On the PC)
    99 {{{
    100 adb push mmcblk0p7-new.img /sdcard/
    101 }}}
    102 
    103 Also copy the wp-this module-- you're about to use it.
    104 
    105 {{{
    106 adb push wpthis-cyanogen.ko /sdcard/
    107 }}}
    108 
    109 Now get a shell on the phone:
    110 {{{
    111 adb shell
    112 }}}
    113 In the shell:
    114 {{{
    115 insmod /sdcard/wpthis-cyanogen.ko
    116 dd if=/sdcard/mmcblk0p7-new.img of=/dev/block/mmcblk0p7
    117 sync
    118 }}}
    119 Wait a minute to make sure that the changes stick.
    120 
    121 Reboot the phone.
    122 
    123 If all went well, you did it!  Here are some optional steps to make sure you did it right:
    124 
    125 
    126 === 5. Verify you did it right ===
    127 
    128 
    129 So in the following steps, here's what you're looking for:
    130 
    131 '''@CID: 11111111''' <--- this response means you have superCID!  Congrats!
    132 
    133 '''@SIMLOCK= 00'''  <--- this means your simlock is off.
    134 
    135 '''@secu_flag: 0'''  <--- this means your radio is S-OFF.  Congrats.
    136 
    137 ==== Linux verification ====
    138 
    139 ===== 5a start rtask c in hboot =====
    140 
    141 Plug your phone into your computer, and in a terminal, type the following:
    142 
    143 On your computer:
    144 
    145 {{{
    146 sudo modprobe -r usbserial
    147 sudo modprobe usbserial vendor=0x0BB4 product=0x0C94
    148 sudo screen /dev/ttyUSB0
    149 }}}
    150 {{{
    151 rtask c
    152 }}}
    153 This will terminate your console session. Attach the serial to the new USB-device
    154 ===== 5b Verify the success using the AT-command interpreter =====
    155 
    156 On your computer:
    157 
    158 {{{
    159 sudo modprobe -r usbserial
    160 sudo modprobe usbserial vendor=0x05c6 product=0x9002
    161 sudo screen /dev/ttyUSB2
    162 }}}
    163 
    164 In the following code there is mixed commands and answers. '''You only type the commands the start with AT'''.
    165 {{{
    166 ATE1
    167 ATV1
    168 AT@CID?
    169 @CID: 11111111
    170 
    171 OK
    172 AT@SIMLOCK?AA
    173 @secu_flag: 0
    174 
    175 AT@SIMLOCK?40
    176 @SIMLOCK: 00
    177 
    178 OK
    179 
    180 AT$QCPWRDN
    181 }}}
    182 
    183 At this point your phone will power down and reboot.
    184 
    185 ==== Mac Verification ====
    186 
    187 To verify all went well on a mac, do this:
    188 
    189 1.  Plug in your mac to your phone
    190 2.  In the Terminal, type this:
    191 
    192 {{{
    193 adb shell
    194 }}}
    195 
    196 this puts you in the phone's shell.  now it's a simple matter of the following:
    197 
    198 (note the # is your prompt.  Don't type the "#".  The lines without the # are returned by the phone.)
    199 
    200 {{{
    201 # stop ril-daemon
    202 # cat /dev/smd0 &
    203 # echo -e 'ATE1\r' > /dev/smd0
    204 0
    205 #
    206 # echo -e 'ATV1\r' > /dev/smd0
    207 OK
    208 # echo -e 'AT@CID?\r' > /dev/smd0
    209 @CID: 11111111
    210 
    211 OK
    212 echo -e 'AT@SIMLOCK?40\r' > /dev/smd0
    213 # AT@SIMLOCK?40
    214 @SIMLOCK= 00
    215 
    216 OK
    217 #echo -e 'AT@SIMLOCK?AA\r' > /dev/smd0
    218  AT@SIMLOCK?AA
    219 @secu_flag: 0
    220 
    221 OK
    222 # echo -e 'AT$QCPWRDN\r' > /dev/smd0
    223 # AT$QCPWRDN
    224 OK
    225 }}}
    226 
    227 Your phone should reboot.
    228 
    229 It should look something like that anyway.  It may look slightly different if you were typing while the computer was sending you back information.
     3Moved to [http://forum.xda-developers.com/wiki/index.php?title=HTC_Vision#Subsidy_Unlock.2C_SuperCID.2C_and_Radio_S-OFF the official wiki].  Use those instructions as it is up-to-date.
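Review bot: the v34 replacement drops the '''WARNING''' line and the '''WORK IN PROGRESS - NOT DONE YET''' banner together with the procedure, while v33 stays reachable through the page history; keep at least the warning next to the `Moved to [...]` pointer, and fix the agreement in the new line (`Use those instructions as it is up-to-date` should read `as they are up-to-date`). Not restoring the removed steps is the right call: the prose in step 3 says to zero 0x80000 to 0x82fff, but `dd if=/dev/zero of=mmcblk0p7-new.img seek=524288 bs=1 count=196608` zeroes 196608 bytes, i.e. through 0xAFFFF, and neither dd line passes conv=notrunc, so dd truncates mmcblk0p7-new.img before seeking and the CID and secu_flag edits made at 0x200 and 0xA00 in steps 1 and 2 do not survive; the two verification transcripts also disagree on the response format (`@SIMLOCK: 00` under Linux versus `@SIMLOCK= 00` on the Mac).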