Version 32 (modified 14 years ago)
Radio S-OFF
WORK IN PROGRESS - NOT DONE YET
Howto (Overview of the steps)
WARNING: Although you back up the radio partition first, you are seriously messing with your phone here, with a lot of potential for screwing things up. Do so at your own risk.
- Perm root your phone
- Make a backup of partition 7 of your phone, copy the image of partition 7 to your PC and modify it with a HEX-editor
- Use a custom kernel and the appropriate wp-this module to get rid of the write protection of the radio partitions
- Push the modified partition 7 image back to phone and copy it to the partition 7
At this point in time the @secu_flag is removed from your phone and your phone is S-OFF.
Optional step - verify the S-OFF (Overview of the steps)
- Start hboot, attach a serial console to it and start rtask c. Then attach a serial console to the now running AT-command interpreter and run some AT-commands to verify the success.
1. Perm root your phone
See http://forum.xda-developers.com/wiki/index.php?title=HTC_Vision#Rooting_the_G2 for instructions on how to perm-root.
2. Backup partition 7
Create a backup of your partition 7:
Get an adb shell:
adb shell
In the shell:
su
dd if=/dev/block/mmcblk0p7 of=/sdcard/mmcblk0p7-ori.img
Exit the shell and copy the image to your PC. (On your PC)
mkdir p7
cd p7
adb pull /sdcard/mmcblk0p7-ori.img mmcblk0p7-ori.img
Make a copy of the image
cp mmcblk0p7-ori.img mmcblk0p7-new.img
Hex-edit the file
I use bless for the manual patches and dd for the bigger part. OS X users may consider using 0Xed.
- The CID:
Edit mmcblk0p7-new.img and change the string T-MOB010 at position 0x200 (decimal offset 512) to the string 11111111
- The secu_flag:
Edit mmcblk0p7-new.img and change the byte 0x01 at 0xA00 (decimal offset 2560) to 0x00
- Set the area 0x80000 to 0x82ffff (decimal offset: 524288 to 8585215) to all zero. Put the hex editor aside for this part and let's just use dd on your computer (the first dd truncates the file after the zeroed area, the second copies the rest back from the original, so run both):
dd if=/dev/zero of=mmcblk0p7-new.img seek=524288 bs=1 count=196608
dd if=mmcblk0p7-ori.img of=mmcblk0p7-new.img bs=1 seek=720896 skip=720896
- Back to the hex editor. Edit mmcblk0p7-new.img, set the 4 bytes at 0x80000 to 78 56 F3 C9 and set the 4 bytes at 0x807fc to 49 53 F4 7D.
That's it. Now we need to install the modified partition 7 to the phone.
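The following is an added example, not the page's own code and not the attached p7_s-off.c. It applies the edits listed above to an image in memory and then checks that the patched image differs from the original only inside the documented regions, which catches a slipped hex-editor offset or a dd truncation before anything is written to the phone. The offsets and values are the ones given above; the zeroed span follows the dd count (196608 bytes from 0x80000); the sample image and all function names are my own constructions.

```python
# Added example (not the page's code): patch a partition-7 image in memory
# and verify that only the documented byte regions changed.

CID_OFFSET = 0x200            # 8-byte CID string
CID_ORIGINAL = b"T-MOB010"
CID_NEW = b"11111111"
SECU_FLAG_OFFSET = 0xA00      # one byte: 0x01 = S-ON, 0x00 = S-OFF
ZERO_START = 0x80000
ZERO_LEN = 196608             # same count as the dd command on the page
MAGIC = {0x80000: bytes.fromhex("7856F3C9"),   # 4 bytes at 0x80000
         0x807FC: bytes.fromhex("4953F47D")}   # 4 bytes at 0x807fc


def read_flags(image: bytes):
    """Return (CID string, secu_flag byte) as read from the image."""
    return image[CID_OFFSET:CID_OFFSET + 8], image[SECU_FLAG_OFFSET]


def patch_p7(image: bytes) -> bytes:
    """Return a patched copy; refuse images that do not look like the original."""
    if len(image) < ZERO_START + ZERO_LEN:
        raise ValueError("image too small for the documented layout")
    cid, flag = read_flags(image)
    if cid != CID_ORIGINAL:
        raise ValueError("CID at 0x200 is not the expected original string")
    if flag != 0x01:
        raise ValueError("secu_flag at 0xA00 is not 0x01; already patched?")
    buf = bytearray(image)
    buf[CID_OFFSET:CID_OFFSET + 8] = CID_NEW
    buf[SECU_FLAG_OFFSET] = 0x00
    buf[ZERO_START:ZERO_START + ZERO_LEN] = bytes(ZERO_LEN)
    for off, val in MAGIC.items():
        buf[off:off + len(val)] = val
    return bytes(buf)


def changed_ranges(old: bytes, new: bytes):
    """List (start, end) ranges of differing bytes, end exclusive."""
    if len(old) != len(new):
        raise ValueError("length changed: a dd without conv=notrunc truncated the file?")
    ranges, start = [], None
    for i, (a, b) in enumerate(zip(old, new)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(old)))
    return ranges


def verify_patch(old: bytes, new: bytes) -> bool:
    """True if every differing byte lies inside a documented edit region."""
    allowed = [(CID_OFFSET, CID_OFFSET + 8),
               (SECU_FLAG_OFFSET, SECU_FLAG_OFFSET + 1),
               (ZERO_START, ZERO_START + ZERO_LEN)]
    return all(any(s >= a and e <= b for a, b in allowed)
               for s, e in changed_ranges(old, new))


def make_sample_image(size: int = 0x100000) -> bytes:
    """Constructed stand-in for mmcblk0p7-ori.img (not real radio data)."""
    buf = bytearray((i * 7 + 3) & 0xFF for i in range(size))
    buf[CID_OFFSET:CID_OFFSET + 8] = CID_ORIGINAL
    buf[SECU_FLAG_OFFSET] = 0x01
    return bytes(buf)


if __name__ == "__main__":
    # With a real dump: original = open("mmcblk0p7-ori.img", "rb").read()
    original = make_sample_image()
    patched = patch_p7(original)
    print("changed:", [(hex(s), hex(e)) for s, e in changed_ranges(original, patched)])
    print("only documented regions changed:", verify_patch(original, patched))
    print("CID, secu_flag after patch:", read_flags(patched))
```

Running verify_patch against the hand-edited mmcblk0p7-new.img and the original dump gives a yes/no answer before step 4; a False, or a length mismatch, means the edit went somewhere it should not have.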
3. Use custom kernel and module to get rid of the write protection
To update the radio image you will have to get around two forms of protection: first, the kernel's restriction on writing to the radio partition; second, the eMMC firmware chip's read-only protection.
So you will first have to install a special CyanogenMod-based kernel that disables the kernel protection for the radio partition. Then you will also need a "wp-this" kernel module built for this kernel that drops the eMMC write protection.
The boot.img that contains the kernel can be found here: http://www.thinkthinkdo.com/boot-new.img
The wp-this module for this kernel is here: http://www.thinkthinkdo.com/wpthis-cyanogen.ko
Install the custom kernel from your computer using fastboot.
First boot your G2 into fastboot mode (hold the Power button and the trackpad button until the screen with the surfing androids appears and it says FASTBOOT or FASTBOOT USB in red).
Make sure you have downloaded fastboot onto your computer. It comes along with "adb" in the Android SDK.
(Note: on the Mac, you may have to type "fastboot-mac" instead of "fastboot" below.)
(On your PC)
fastboot erase boot
fastboot flash boot boot-new.img
Reboot the phone into normal mode and copy the new image to the G2.
4. Copy the modified partition 7 back to the phone
(On the PC)
adb push mmcblk0p7-new.img /sdcard/
Also copy the wp-this module; you're about to use it.
adb push wpthis-cyanogen.ko /sdcard/
Now get a shell on the phone:
adb shell
In the shell:
insmod /sdcard/wpthis-cyanogen.ko
dd if=/sdcard/mmcblk0p7-new.img of=/dev/block/mmcblk0p7
sync
Wait a minute to make sure that the changes stick.
Reboot the phone.
If all went well, you did it! Here are some optional steps to make sure you did it right:
5. Verify you did it right
So in the following steps, here's what you're looking for:
@CID: 11111111 <--- this response means you have superCID! Congrats!
@SIMLOCK= 00 <--- this means your simlock is off.
@secu_flag: 0 <--- this means your radio is S-OFF. Congrats.
Linux verification
5a. Start rtask c in hboot
Plug your phone into your computer and, in a terminal, type the following:
On your computer:
sudo modprobe -r usbserial
sudo modprobe usbserial vendor=0x0BB4 product=0x0C94
sudo screen /dev/ttyUSB0
In the hboot console:
rtask c
This will terminate your console session. Attach a serial console to the new USB device as described in the next step.
5b. Verify the success using the AT-command interpreter
On your computer:
sudo modprobe -r usbserial
sudo modprobe usbserial vendor=0x05c6 product=0x9002
sudo screen /dev/ttyUSB2
The following session mixes commands and answers. You only type the commands, i.e. the lines that start with AT.
ATE1
ATV1
AT@CID?
@CID: 11111111
OK
AT@SIMLOCK?AA
@secu_flag: 0
AT@SIMLOCK?40
@SIMLOCK: 00
OK
AT$QCPWRDN
At this point your phone will power down and reboot.
Mac Verification
To verify all went well on a Mac, do this:
- Plug your Mac into your phone
- In the Terminal, type this:
adb shell
This puts you in the phone's shell. Now it's a simple matter of the following:
(Note: the # is your prompt. Don't type the "#". The lines without the # are returned by the phone.)
# stop ril-daemon
# cat /dev/smd0 &
# echo -e 'ATE1\r' > /dev/smd0
0
#
# echo -e 'ATV1\r' > /dev/smd0
OK
# echo -e 'AT@CID?\r' > /dev/smd0
@CID: 11111111
OK
# echo -e 'AT@SIMLOCK?40\r' > /dev/smd0
AT@SIMLOCK?40
@SIMLOCK= 00
OK
# echo -e 'AT@SIMLOCK?AA\r' > /dev/smd0
AT@SIMLOCK?AA
@secu_flag: 0
OK
# echo -e 'AT$QCPWRDN\r' > /dev/smd0
AT$QCPWRDN
OK
Your phone should reboot.
It should look something like that anyway. It may look slightly different if you were typing while the phone was sending back information.
Attachments (2)
- p7_s-off.c (2.8 KB) - added 14 years ago.
- p7_s-off (6.7 KB) - added 14 years ago.