[GUIDE] How to get xoom cdma version running on other CDMA EvDO network - Xoom Android Development

(There may be something missed in the following steps. if u got problem, feel free to feedback)
It works on Xoom CDMA 3.0/3.1 version.
after upgrade to 3.1, the pppd configuration file was reset , so we should redo step 2.13 to get 3G connection
1.Preparing
1.1 AN & AAA
AN & AAA can be understood as the user name and password of EvDO network.
AN: you can get AN from your phone through cdmaworkshop or QPST or QXDM。
AAA:you can get AAA from some phone by using cdmaworkshop,such as HTC EVO 4G。maybe you can get AAA from provider also.
in this post, i assume the AN is "[email protected]".
1.2 SID & NID
System ID & Network ID of provider, which can be found by search engine.
1.3 Tools
installing cdmaworkshop and "HW virtual serial port"(HWVSP) on Windows OS.
In HWVSP, uncheck the "nvt enabled" option to disable nvt(Network Virtual Terminal, rfc2217), or you would be unable to connect to xoom. (thanks lesjaw for pointing this out)
If you can read chinese, I would prefer VSPM instead of HWVSP to create virtual serial port, because VSPM is much faster.
It has free version, can be download at http://www.powerip.net/product_VSPM.htm.
1.4 important tips
before the change, write down or backup the original data for recovering case
2.Hacking
2.1 switching xoom to DIAG mode
hold on VOL-UP & VOL_DOWN button, then press power button for about 5 seconds, until you see the following text on the upper-left corner:
Code:
Powering on BP
Cold-booting Linux
Reading ODM fuse:1
(PS: you can do this at any time, no need to turn off xoom.)
2.2 making xoom and Windows PC connected
Method 1:through USB cable
after connecting xoom and PC by USB cable, you could get a network card named "Motorola USB Networking Driver", and the PC would get IP 192.168.16.1, xoom get IP 192.168.16.2
Method2:through WiFi
Connect xoom & PC to the same WiFi network.
2.3 creating DIAG port on Windows PC
run "HW virtual serial port" or other virtual port tool , create a virtual serial port to
IP:192.168.16.2(USB Method) or XXX.XXX.XXX.XXX(xoom WiFi address)
port: 11008
2.4 connect to diag port
run CDMAWorkshop, or other crack tool ,such as QPST, select the virtual serial port created at step 2.3 as DIAG port.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
2.5 write PRL
write the correct PRL into xoom by using CDMAWorkshop or other crack tool.
2.6 change MDN
Dir_Number(MDN):change Dir_Number to the first 10 digits of AN
you can also change MDN at step 2.12.
2.7 change AN
we can not modify AN through CDMA workshop or QPST directly.
to changing AN, we have to write some NV items, including 8040,8041,8042,8043,8091.
Backup nv items:
reading nv-items 8040,8041,8042,8043,8091 through cdmaworkshop
Modify nv items:
item 8040,8041,8042,8043,8091 are all the same.
change them to end part of AN exclude first 10 digits. in this case, it's "[email protected]".
you need to change the string into ASCII code (for example,35 36 37 38 39 40 6D 79 63 64 6D 61 2E 63 6E)
Write nv items
the following is content of sample, you can change it, then write back to xoom through CDMAWorkshop.
Code:
[NV items]
[Complete items - 5, Items size - 128]
08040 (0x1F68) - OK
35 36 37 38 39 40 6D 79 63 64 6D 61 2E 63 6E 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
08041 (0x1F69) - OK
35 36 37 38 39 40 6D 79 63 64 6D 61 2E 63 6E 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
08042 (0x1F6A) - OK
35 36 37 38 39 40 6D 79 63 64 6D 61 2E 63 6E 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
08043 (0x1F6B) - OK
35 36 37 38 39 40 6D 79 63 64 6D 61 2E 63 6E 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
08091 (0x1F9B) - OK
35 36 37 38 39 40 6D 79 63 64 6D 61 2E 63 6E 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2.8 confirm update of AN
in CDMAworkshop, check HDR Username at EVDO tab.
2.10 change IP Behaviour to "Simple IP"
you can do this by CDMAWorkshop or QPST.
2.11 change AAA
Method 1:at CDMA workshop EVDO tab, input AAA(HDR pass), then write into Xoom.
Method 2:write NV item 1192 through CDMAWorkshop, the sample AAA is 123456.
Code:
[NV items]
[Complete items - 1]
01192 (0x04A8) - OK
06 31 32 33 34 35 36 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
(06: password length, 31 32 33 34 35 36: password ASCII code)
2.12 change SID,NID
run motorola field test util in DIAG mode.
the command is:
Code:
am start -a android.intent.action.MAIN -n com.motorola.modemutil/.FieldMenu
then change to the SID,NID of Provider in "Program Menu".
you should take it carefully, just update the fields you really understand.
(if you haven't changed MDN yet, you can change it in passing).
you can run the command in terminal emulator, or by android SDK.
(Tips: to run it on adb shell, first download an app named "adbwireless".
turn on wifi, connect pc and xoom to the same wifi AP.
run adbwireless, turn on adb via wifi.
it shows IP: port, such as 192.168.X.X: 5555.
at windows command prompt, run
Code:
adb connect IP: PORT
then run
Code:
adb shell
)
2.13 modify android pppd configuration file
this step maybe isn't necessary.
you should need to do this if you still can not get 3g connection after above steps.
to do this step, you need to root xoom first.
please see other post about how to root xoom.
Code:
adb remount
adb pull /system/etc/ppp/peers/pppd-ril.options
make a backup of pppd-ril.options file.
change
Code:
user [email protected]
password NotUsed
to your ppp dial-up username and password.
in china, it's
Code:
user [email protected]
password vnet.mobi
save the change, run
Code:
adb push pppd-ril.options /system/etc/ppp/peers
after these operations, you should see 3g icon on the bottom-right corner.

Hi Hawk, do you need to root before you do this? Thanks.

Also, do we have to change ESN of the xoom in CHina in order to get evdo? Thank you!

ljwnow said:
Also, do we have to change ESN of the xoom in CHina in order to get evdo? Thank you!
Click to expand...
Click to collapse
if you just want to using EvDO, then you should ignore ESN modifing.
in fact, i'm using factory ESN of xoom now.
btw, there is no way being found to change ESN of xoom. you need to change ESN on the provider side to get 1x network working.
for ur first question, i think rooting is not necessary for EvDO hacking.
evenif without rooting, we can still run the offical programming app made by motorola which i mentioned it at the end of the post.
Sent from my Xoom using XDA App

hawk2k8 said:
if you just want to using EvDO, then you should ignore ESN modifing.
in fact, i'm using factory ESN of xoom now.
btw, there is no way being found to change ESN of xoom. you need to change ESN on the provider side to get 1x network working.
for ur first question, i think rooting is not necessary for EvDO hacking.
evenif without rooting, we can still run the offical programming app made by motorola which i mentioned it at the end of the post.
Sent from my Xoom using XDA App
Click to expand...
Click to collapse
Thanks for your reply. Would you also post a guide for enabling voice and 1x, please? Thank you.

ljwnow said:
Thanks for your reply. Would you also post a guide for enabling voice and 1x, please? Thank you.
Click to expand...
Click to collapse
I have tried the hidden emergency caller, it told me voice is disabled.
I found some SIP UI built-in, so maybe we can see a integrated VoIP caller on android tablet in the near future.
To enable 1x service, we should change ESN on the provider side to the factory ESN of xoom, then get the changed AKEY from provider, and write it into xoom. It succeeded on Motorola Droid X .

Hawk, great find..
but i step 2.7 Writing NV Item, i always got "Phone Does Not Answer"
i use Motorola USB Network to connect my PC to Xoom.
i use www.whiterabbit.org/android to convert nv asci file..
what is AAA? does it mean AKEY?
update :
Finally i succeed write 4 NV Items..
but in NAM, i still got SID/NID error, here is the log
Write MIN1... Success
Write MIN2... Success
Write Directory number... Success
Write Banner... Success
Write NAM name... Success
Write MCC... Success
Write MNC... Success
Write SID/NID pairs... Failed
Write Primary channels... Success
Write Secondary channels... Success
Write SCM... Success
Write SCI... Skipped
Write Accolc... Success
Write Current NAM... Success
Write True IMSI... Success
Write PRL status... Success
Write System selection... Success
Write Otapa status... Success
Click to expand...
Click to collapse
QPST always give unspecified error if i open Service Programing, the phone does connect (i can see it in QPST Configuration), i use QPST 2.7 323 version, any advice?

lesjaw said:
Hawk, great find..
but i step 2.7 Writing NV Item, i always got "Phone Does Not Answer"
i use Motorola USB Network to connect my PC to Xoom.
i use www.whiterabbit.org/android to convert nv asci file..
what is AAA? does it mean AKEY?
Click to expand...
Click to collapse
http://www.whiterabbit.org/android/ is great, but some of his items are not necessary for xoom. we should just need item 8040,8041,8042,8043, which is being used to generate AN by radio firmware.
i haven't met "Phone Does Not Answer" message by using CDMAWorkshop to write these nv_items, maybe you can try to write one item at one time to avoid it.
"what is AAA? does it mean AKEY?"
CDMA network has 2 services, the one is high-speed EvDO(data-only) service ,the other is low-speed data-voice sharing 1x service.
AAA is HDR(High Data Rate) password, being used in EvDO service for Authentication,Accounting and Authorization.
AKEY is being used in CDMA-1X network, for voice and 1x service.

lesjaw said:
but in NAM, i still got SID/NID error, here is the log
QPST always give unspecified error if i open Service Programing, the phone does connect (i can see it in QPST Configuration), i use QPST 2.7 323 version, any advice?
Click to expand...
Click to collapse
oh, i forgot it. I changed SID/NID successfully only in motorola programming app. (guide is updated)
and QPST 2.7.323 can not connect to xoom, you should upgrade it.QPST 2.7.355 should work.

3g iusacell/unefon CDMA or telcel GSM what work?
Hi hawk2k8:
My xoom is MZ600 Im live in Mexico
Can use your procedure for use my carrier 3g telcel GSM?
o
Maybe buy sim 3g the iusacell o Unefon CDMA?
Please helpme
Regards

m4tr1s said:
Hi hawk2k8:
My xoom is MZ600 Im live in Mexico
Can use your procedure for use my carrier 3g telcel GSM?
o
Maybe buy sim 3g the iusacell o Unefon CDMA?
Please helpme
Regards
Click to expand...
Click to collapse
No sir, this is for CDMA only.

hawk2k8 said:
oh, i forgot it. I changed SID/NID successfully only in motorola programming app. (guide is updated)
and QPST 2.7.323 can not connect to xoom, you should upgrade it.QPST 2.7.355 should work.
Click to expand...
Click to collapse
i still dont have luck with QPST 2.7.355, have tried QPST 2.7.363 too, it does connect but always time out when tried to read phone
any other sugested application?

lesjaw said:
i still dont have luck with QPST 2.7.355, have tried QPST 2.7.363 too, it does connect but always time out when tried to read phone
any other sugested application?
Click to expand...
Click to collapse
I'm having a similar issue. I am using HW Virtual Serial Port 2.5.10 and QPST 2.7 B3.55. What happens is the USB link is created but the device shows up as "No Phone" in QPST. I am about to try CDMA Ware in a sec.

deflon said:
I'm having a similar issue. I am using HW Virtual Serial Port 2.5.10 and QPST 2.7 B3.55. What happens is the USB link is created but the device shows up as "No Phone" in QPST. I am about to try CDMA Ware in a sec.
Click to expand...
Click to collapse
2.7.363 does recognize my number.. but i still got time out error after pressing "read Phone" button..
CDMA WS give me this for NV item 1192
[NV Items]
[Complete items - 0]
1192 (0x04A8) - Access denied
Click to expand...
Click to collapse
i still can't understand this
2.11 change AAA
Method 1:at CDMA workshop EVDO tab, input AAA, then write into Xoom.
Method 2:write NV item 1192 through CDMAWorkshop, the sample AAA is 123456.
Click to expand...
Click to collapse
my evdo and 1x password carier is my MEID, let said 99000074221234
what should i edit in this ?
[NV items]
[Complete items - 1]
01192 (0x04A8) - OK
06 31 32 33 34 35 36 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Click to expand...
Click to collapse

lesjaw said:
2.7.363 does recognize my number.. but i still got time out error after pressing "read Phone" button..
CDMA WS give me this for NV item 1192
i still can't understand this
my evdo and 1x password carier is my MEID, let said 99000074221234
what should i edit in this ?
Click to expand...
Click to collapse
Just realized you are using CDMA WS now and not QPST. I just bought the software but awaiting the key =(

Mode Diag
When put mode Diag my Xoom
Powering on BP
Cold-booting Linux
Reading ODM fuse:1
After 5 - 10 sec, the xoom auto boot normal
What is the problem, my xoom is rooted

m4tr1s said:
When put mode Diag my Xoom
Powering on BP
Cold-booting Linux
Reading ODM fuse:1
After 5 - 10 sec, the xoom auto boot normal
What is the problem, my xoom is rooted
Click to expand...
Click to collapse
that's normal, just continue the step of the procedure to inject ur carrier

lesjaw said:
2.7.363 does recognize my number.. but i still got time out error after pressing "read Phone" button..
CDMA WS give me this for NV item 1192
i still can't understand this
my evdo and 1x password carier is my MEID, let said 99000074221234
what should i edit in this ?
Click to expand...
Click to collapse
I tested QPST 2.7.355 on windows 7 just a moment ago.
to slow down the connection between xoom and pc, i created a virtual port via WiFi.
it worked without any error, although the reading speed was a bit slow.
NV-item 1192 is Write-only, can not be read out.
for AAA=99000074221234, item 1192 should be
Code:
[NV items]
[Complete items - 1]
01192 (0x04A8) - OK
0E 39 39 30 30 30 30 37 34 32 32 31 32 33 34 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0E : password length , 14 in decimal
39 39 30 30 30 30 37 34 32 32 31 32 33 34 : your password
BTW: i have updated the guide, it missed the last step for pppd configuration.

aarrgghh, I have tried 3 different wifi (access point) qpst service programing still didn't work, but qpst file explorer does can read the phone..the only thing left is NV item for UserName and password now..hiks..phone has signal and show 1x data but its status is connecting ..never get connected..
Update my mistake..QPST does work, i must disable NVT Enabled in HWVSP setting
Sent from my Xoom using XDA Premium App

lesjaw said:
aarrgghh, I have tried 3 different wifi (access point) qpst service programing still didn't work, but qpst file explorer does can read the phone..the only thing left is NV item for UserName and password now..hiks..phone has signal and show 1x data but its status is connecting ..never get connected..
Update my mistake..QPST does work, i must disable NVT Enabled in HWVSP setting
Sent from my Xoom using XDA Premium App
Click to expand...
Click to collapse
Thanks lesjaw I was able to connect to the xoom using QPST after disabling NVT.

Related

Howto edit a .nbf file?

Hi all,
can you explain me how to edit or convert an nbf file, (in the specific, a fsc n560 rom WM6.0) to view the rom content?
I found many applications for HTC models, but noone was good for my rom...
thank you.
anyone who can help me?
i imagine you would need a kitchen
yes, but which kitchen???
try this link on how to cook a rom
http://forum.xda-developers.com/showthread.php?t=313920
joel2009 said:
try this link on how to cook a rom
http://forum.xda-developers.com/showthread.php?t=313920
Click to expand...
Click to collapse
thanks.
but still no answers...
http://www.google.com/search?rlz=1C...eid=chrome&ie=UTF-8&q=how+to+edit+an+nbf+file
try that
found nb and nbh..........
NBHextract (http://forum.xda-developers.com/showthread.php?t=289830) - Extract contents from NBH files
htc rom tool (http://forum.xda-developers.com/showthread.php?t=311909) - Repack NBH files from *.nb files
sorry, i already tried these 2 links ... but doesn't help me...
Newplow suggested these 2 links instead for the beginning...but how to begin?
http://forum.xda-developers.com/showthread.php?t=298327
http://wiki.xda-developers.com/index.php?pagename=OEM Package Tutorial
According to here nbf can be extracted using winzip or winrar..... thats a start..........
joel2009 said:
According to here nbf can be extracted using winzip or winrar..... thats a start..........
Click to expand...
Click to collapse
thanks for the help, but..
nbf it's not an archive. if you try to open with winrar it will open like an unknown file...it needs to be decoded and opened with a hex editor I think...
I think you have to use HTC64_Extended_ROM_Tool.exe to decode your nk.nbf file, you will obtain nk.fat and nk.prj. Keep nk.fat, rename to os.nb and go on with imgfstools. I hope it works in this way.
davideuck said:
I think you have to use HTC64_Extended_ROM_Tool.exe to decode your nk.nbf file, you will obtain nk.fat and nk.prj. Keep nk.fat, rename to os.nb and go on with imgfstools. I hope it works in this way.
Click to expand...
Click to collapse
HAHA well i'm glad i was of some use.... i kept bumping it to the top until someone finally got to ti that knew what the hell this was i do everything but cook about i probably out to try but it sounds pretty time consuming..... owell best of luck to you
davideuck said:
I think you have to use HTC64_Extended_ROM_Tool.exe to decode your nk.nbf file, you will obtain nk.fat and nk.prj. Keep nk.fat, rename to os.nb and go on with imgfstools. I hope it works in this way.
Click to expand...
Click to collapse
I've tested this steps with a HTC Universal rom and it worked, then you can extract the os.nb file in a veru simple way with Bepe's "dumprom.exe", after this use PackageTool and you will have SYS and OEM folders.
davideuck said:
I've tested this steps with a HTC Universal rom and it worked, then you can extract the os.nb file in a veru simple way with Bepe's "dumprom.exe", after this use PackageTool and you will have SYS and OEM folders.
Click to expand...
Click to collapse
sorry but, it can't work with this file...if i do directly with dumprom with the nbf i can extract 2.02 mb of files (i think the bootloader cause the list of files names are all similar boot*...something).
If i use htc64 doesn't work at all...it makes an error extracting just 512 kb...without any sense...
please could you try with this file, if i make some errors...?
fsc.newplowe.com/cgi-bin/files/dl.pl?file=N560.WM6.0.038g.SDHC.SQL.7z
thank you for the help!
SOLUTION!
Ok,
I've downloaded your file and tested. To extract the os.nb do this steps:
1) open your os_213U.nbf with an Hex-editor, from the start you will see this:
Code:
[COLOR="red"]4E 35 36 30 00 00 00 00 00 00 00 00 00 00 00 32
2E 31 33 2E 30 30 30 31 20 45 4E 47 00 00 D7 07
58 F3 00 00 0C 02 00 00 04 80[/COLOR] E9 FD FF 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2) cut all these red bytes, then your file will start as this:
Code:
E9 FD FF 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
3) save this file as "os.nb", then you will go on with dumprom or imgfstool!
That's ALL!
I think that you can edit your rom and at the end you have to reinsert those red bytes at the beginning of your new rom and rename to .nbf.
davideuck said:
Ok,
I've downloaded your file and tested. To extract the os.nb do this steps:
1) open your os_213U.nbf with an Hex-editor, from the start you will see this:
Code:
[COLOR="red"]4E 35 36 30 00 00 00 00 00 00 00 00 00 00 00 32
2E 31 33 2E 30 30 30 31 20 45 4E 47 00 00 D7 07
58 F3 00 00 0C 02 00 00 04 80[/COLOR] E9 FD FF 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2) cut all these red bytes, then your file will start as this:
Code:
E9 FD FF 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
3) save this file as "os.nb", then you will go on with dumprom or imgfstool!
That's ALL!
I think that you can edit your rom and at the end you have to reinsert those red bytes at the beginning of your new rom and rename to .nbf.
Click to expand...
Click to collapse
Thanks for this help!!!
Tomorrow I will try...it could be a very significant begin, I hope...
Per caso sei italiano?
Grazie mille!!!
Certo che sono italiano!!
Se hai bisogno di altro aiuto non esitare a chiedere anche tramite PM.
davideuck said:
Certo che sono italiano!!
Se hai bisogno di altro aiuto non esitare a chiedere anche tramite PM.
Click to expand...
Click to collapse
I've tried this method, now dumprom doesn't work but...nbinfo shows the rom structure perfectl!
Now I want to extract the various parts...but don't know how to exactly proceed...
can you help me?
Can I contact via IM?
Thank you!

HTC p3300 problem

I sd installed a factory rom, and after reboot, it stops at a O2 welcome screen, so aparently it was a O2 wm6 rom. Is there any way to repair it.
I can enter bootloader and i have ipl 3.04.0001 spl 3.04.0000
I tried to install HTC_P3300_WWE_3.13.405.1_4.1.13.44_02.94.90_Ship_R but i get INVALID VENDER ID error. i tried sd flash but doesn't start
ca anyone give me a link to htc p3300 wm5 factory rom?
41 52 54 45 31 30 30 30 30 00 00 00 00 00 00 00 ARTE10000.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
48 54 43 5F 5F 48 31 30 00 00 00 00 00 00 00 00 HTC__H10........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............
cid HTC__H10
which rom should I install?

Update rom problem - bootloader only

I sd installed a factory rom, and after reboot, it stops at a O2 welcome screen, so aparently it was a O2 wm6 rom. Is there any way to repair it.
I can enter bootloader and i have ipl 3.04.0001 spl 3.04.0000
my CID is ARTE1000 an I tried to install this HTC_1.12.405.01_026790_WWE_SHIP. I verified with hex edit and this rom is ARTE1000 but still i get INVALID VENDER ID
why?
Hello
Hello Hello Hello Hello
41 52 54 45 31 30 30 30 30 00 00 00 00 00 00 00 ARTE10000.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
48 54 43 5F 5F 48 31 30 00 00 00 00 00 00 00 00 HTC__H10........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............
cid HTC__H10
which rom should I install?
topic closed
I used the original rom and it worked H__10 is norwegian

Goal: S-off HOX (TEGRA3)

Hey guys, as i said above, i want to get the HOX+ S-off'd (and maybe the HOX if it's not already, not checked) if anyone has idea's and so on, run through on this thread lets get this ball rolling!!
Moderator Warning
Keep discussions speisifc to the goal of getting S-off on the device. All other discussions will be deleted.
IHTC One X+ Infos will be adapted to this as soon as possible.
Names for the devices are:
Model ID: PM35110
Model Name: S728e
aka One X+
Model ID: PJ46100 aka
Model Name: S720e
aka One X​
So as the title says, we're facing the problem of not having S-OFF yet, although the One X (S720e) has been released nine months ago. The One X+ is newer but since it has the same processor family, it's accountable to this project. It's possible to unlock the bootloader via HTCdev but it doesn't gives us S-OFF. The Unlock via HTCdev gives us only partially control over Bootloader and Recovery. Since it's release date, some great Devs including Xmoo, Football, Mike1986 and more tried to disable the security check. Unfortunatly without a solution for the masses. Also the One X+ (S728e) is relatively new on the market, so THIS is maybe the first thread in the world regarding S-OFF on the S728e Unlike on other HTC phones, on which hardware solutions like the XTC-Clip, or software solutions like revolutionary or any similar software did the job, on the One X they're not going to work. At the moment the only known method is the official HTC's way.
Ways to set the devices S-OFF​
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
--------------DIAG + JAVCARD Route--------------​
Infos I could gather. At the moment these infos are only valid for the S720e:
monx® said:
Basically u need adb/android SDK before proceed.
[WITH ROOT ACCESS]
[+] Dump/copy boot.img
Code:
Command prompt :
> adb shell
> su
> dd if=/dev/block/mmcblk0p4 of=/sdcard/boot.img
More partition/img availabe to dump. Will update later.
[WITHOUT ROOT ACCESS]
Currently only /system is usable
1) Android SDK (just need adb)
2) Download busybox
3) Command prompt :
> adb push busybox /data/local/busybox
> adb shell
> cd /sdcard/
> chmod 755 /data/local/busybox
> /data/local/busybox tar cvf sysdump.tar /system
4) Ignore tar: error exit delayed from previous errors'. Is done correctly.
----------------------------------------------------------------------
Just finished dumped my semi-virgin One X system partition from SEA WWE stock ROM .
The file would be OneX_SEA_WWE_1.26.707.2_SYSTEM_DUMP.zip 558.3 MB
Click to expand...
Click to collapse
Radio (The Radiomodule on S720e is an Intel X-Gold 626 chip [XMM6260]) location (xmoo's post Radio) Documentation of the Radio chip and direct download:
xmoo; said:
Mike found out Radio is probably: \system\etc\QUO_6260.fls.clean
7.96MB
Commands located in QUO_6260.fls.clean
CALIB_NVM
DYNAMIC_NVM
STATIC_NVM
SEC_DATA
PSI_RAM
If I could believe the following:
Found the same commands in a datasheet: "MSM3000Qualcomm, Inc.MOBILE STATION MODEM"
http://www.datasheetarchive.com/MSM3000-datasheet.html
So guess we got the Radio located!
Click to expand...
Click to collapse
Possible Hboot location (blubber's post Hboot):
blubber; said:
xmoo; said:
How do you know this?
/EBT does not excist on my phone.
mmcblk0p2 -> /dev/block/platform/sdhci-tegra.3/by-name/WDM
mmcblk0p16 -> /dev/block/platform/sdhci-tegra.3/by-name/DUM
mmcblk0p17 -> /dev/block/platform/sdhci-tegra.3/by-name/MSC
mmcblk0p20 -> /dev/block/platform/sdhci-tegra.3/by-name/PDT
Click to expand...
Click to collapse
of course it does not exist as i have written a few times before!
it is not accessible with a stock kernel!
i know it is there:
Code:
130|[email protected]:/ # hexdump -C /dev/block/mmcblk0|grep EBT
000000e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
and the EBT partition does contain the bootloader!
Click to expand...
Click to collapse
CID Check needs to be bypassed (xmoo's post CID check)
xmoo said:
Guys, the diag files have "CIDNUM: 11111111" in it.
Can't change it cause the file gets corrupted.
So only way to boot it up is by passing the CID check.
This is were the Smartcard or Goldcard comes in.
We tried the one from http://psas.revskills.de/?q=goldcard with no success.
I remember for some devices you had to change 00 to 11, or something like that.
Maybe this has to be done for this device aswell. Also I remember something that SDHC cards were not supported, or they are... been a long time ago.
So your help is need.
Create a goldcard which works.
Remember to test it like this: http://forum.xda-developers.com/show....php?t=1714056
Thank you.
Click to expand...
Click to collapse
Partiton list (Football's post Partition list)
Football said:
After intensive digging in some stuff I have found this. This is whole partition list for One X with all addresses and lengths of partitions...
Code:
[partition]
name=BCT
id=2
start_location=0x00
size=0x400000
[partition]
name=PT
id=3
start_location=0x400000
size=0x200000
[partition]
name=EBT
id=4
type=bootloader
start_location=0x600000
size=0x400000
[partition]
name=DIA
id=5
type=bootloader
start_location=0xA00000
size=0x400000
[partition] (Board Information)
name=BIF
id=6
start_location=0xE00000
size=0x200000
[partition]
name=GP1
id=7
start_location=0x1000000
size=0x200000
### WLAN firmware ###
[partition]
name=WLN
id=8
start_location=0x1200000
size=0x600000
#filename=wlan.img
### WLAN Data + MFG Data ###
[partition]
name=WDM
id=9
start_location=0x1800000
size=0x200000
filename=WDM.img
### Radio Calibration Data ###
[partition]
name=RCA
id=10
filesystem_type=ext3
start_location=0x1A00000
size=0x600000
### Linux Kernel OS ###
[partition]
name=LNX
id=11
start_location=0x2000000
size=0x800000
filename=boot.img
### Recovery ###
[partition]
name=SOS
id=12
start_location=0x2800000
size=0x800000
filename=recovery.img
### PG1FS ###
[partition]
name=PG1
id=13
start_location=0x3000000
size=0x1000000
### PG2FS ###
[partition]
name=PG2
id=14
start_location=0x4000000
size=0x1000000
### PG3FS ###
[partition]
name=PG3
id=15
start_location=0x5000000
size=0x1000000
### Software Info ###
[partition]
name=SIF
id=16
start_location=0x6000000
size=0x400000
filename=SIF.img
### Splash1 ###
[partition]
name=SP1
id=17
start_location=0x6400000
size=0x400000
### Reserve1 ###
[partition]
name=RV1
id=18
start_location=0x6800000
size=0x1C00000
### System ###
[partition]
name=APP
id=19
filesystem_type=ext3
start_location=0x8400000
size=0x50000000
filename=system.img
### Cache ###
[partition]
name=CAC
id=20
filesystem_type=ext3
start_location=0x58400000
size=0x14000000
### Internal SD ###
[partition]
name=ISD
id=21
start_location=0x6C400000
size=0x650000000
### Userdata ###
[partition]
name=UDA
id=22
filesystem_type=ext3
start_location=0x6BC400000
size=0x89400000
filename=userdata.img
### Memory dump ###
[partition]
name=DUM
id=23
start_location=0x745800000
size=0x200000
### MISC Partition ###
[partition]
name=MSC
id=24
start_location=0x745A00000
size=0x200000
### Radio File System ###
[partition]
name=RFS
id=25
start_location=0x745C00000
size=0x600000
### Develop Log ###
[partition]
name=DLG
id=26
start_location=0x746200000
size=0x1600000
### PDATA for MASD ###
[partition]
name=PDT
id=27
start_location=0x747800000
size=0x200000
[partition]
name=GPT
id=28
type=GPT
start_location=0x747A00000
#size=0xFFFFFFFFFFFFFFFF
size=0x200000
Click to expand...
Click to collapse
Mike1986's Partition Info (mike1986's post One X Partition Info)
mike1986. said:
This thread's content might brick your device.
This is not a ROM thread, so I'm not going to answer again and again and again the same questions over and over and over again.
You can't read - quit this thread now. You can read but you can't understand more or less simple things - quit as well.
You can read and you understand things, but you are too lazy to read the whole thread before asking the question - watch this first. And quit.​
This is what we know so far:
Some conclusions:
1. It's very nice to see that finally someone separated "internal sd card" from userdata partition. So it's no longer linked to /data/media, as it used to be on Asus Transformer, Transformer Prime, Galaxy Nexus etc. but it's a separate partition now - mmcblk0p14. Basically the biggest benefit from that is that now formatting userdata partition will no longer erase virtual sd card content.
2. It seems that NFC and WLAN deep settings are stored on separate partitions: mmcblk0p1 (wlan) and ? (NFC).
3. There is a 5th PHYSICAL core, but it's invisible to the system. Android only sees the 4 main cores. The 5th companion core is not controlled by Android. Tegra 3 architecture itself handles the load balancing between the main cores and the companion core. (Thanks to Diamondback)
4. There is no radio.img in current RUUs.
Download firmware for HTC One X (PJ4610000)
Firmware from 1.28.401.9 RUU
--- MD5 checksum: 83375DF988C86E92417AA8949012A1C2 *PJ46IMG.zip ---
Supported devices:
--- CID's added by users requests are marked with green color ---
cidnum: HTC__001
cidnum: HTC__E11
cidnum: HTC__203
cidnum: HTC__Y13
cidnum: HTC__102
cidnum: HTC__405
cidnum: HTC__304
cidnum: HTC__032
cidnum: HTC__J15
cidnum: HTC__A07
cidnum: HTC__016
cidnum: HTC__M27​
Why it's better then full RUU:
1. It doesn't contain stock recovery
2. It doesn't contain stock, non rooted system
3. It doesn't contain secured boot.img
4. It wont wipe your data partition
5. It's much smaller
PJ46IMG.zip content: [UPDATE: 25.03.2012]
android-info.txt - updated [20.04.2012]
bct.img - updated [25.03.2012]
rcdata.img - updated [20.04.2012]
How to flash:
1. Check your CID using fastboot getvar cid and MID using fastboot getvar mid
2a. If your CID and MID are supported by default, navigate to point 3.
2b. If your CID or MID is not supported by default, do this: (you do it at your own risk)
2c. Open PJ46IMG.zip (don't extract it)
2d. Open android-info.txt in text editor
2e. Add your cidnum: or modelid: to the list, save file and close archive
3. Place PJ46IMG.zip on your SD card
4. Boot your device holding power button + vol down button
5. Follow instructions on the screen
Additional information:
1. Flash above firmware at your own risk!
2. It's recommended to flash it before flashing custom ROM based on proper RUU!
3. Unlocking via htcdev.com will change your CID number into "none".
4. RUU variants:
x.xx.61.x - Orange UK (United Kingdom)
x.xx.75.x - Orange ES (Spain)
x.xx.110.x - T-Mobile UK (United Kingdom)
x.xx.111.x - T-Mobile DE (Germany)
x.xx.112.x - T-Mobile AT (Austria)
x.xx.114.x - T-Mobile NL (Netherlands)
x.xx.118.x - T-Mobile PL (Poland)
x.xx.161.x - Vodafone UK (United Kingdom)
x.xx.166.x - Vodafone CH-DE (Switzerland - Germany)
x.xx.163.x - Vodafone FR (France)
x.xx.169.x - Vodafone AT (Austria)
x.xx.206.x - O2 UK (United Kingdom)
x.xx.207.x - O2 DE (Germany)
x.xx.401.x - World Wide English
x.xx.707.x - Asia WWE (World Wide English)
x.xx.720.x - Asia India
x.xx.771.x - Hutchison 3G UK (United Kingdom)
x.xx.862.x - Voda-Hutch AU (Australia)
x.xx.980.x - Optus AU (Australia)
x.xx.1400.x - HTC China
Please post here your findings, thoughts or experience with after flashing images listed above.
Click to expand...
Click to collapse
Mike1986's addition (mike1986's post Addition)
mike1986 said:
Something more:
/system/etc/Flash_Loader.conf
boot_port_name=/dev/ttyACMX0
fw_download_port_name=/dev/ttyACMX0
baudrate=921600
BootTimeOut=3000
CommTimeOut=1000
eep_normal_mode=m
file_name=/data/modem_work/QUO_6260.fls
#file_name=QUO_6260.fls
#file_name=XMM6260_SIC.fls
#log_fname=/dev/null
log_fname=/data/modem_work/Flash_Loader.log
Click to expand...
Click to collapse
also
\system\bin\poweron_modem_fls.sh
Line 55: /system/bin/InjectionTool -i ${backup_dir}/QUO_6260.fls.clean -o ${Injected_dir}/QUO_6260.fls -n ${work_dir} -s ${sec_dir}
Line 55: /system/bin/InjectionTool -i ${backup_dir}/QUO_6260.fls.clean -o ${Injected_dir}/QUO_6260.fls -n ${work_dir} -s ${sec_dir}
Click to expand...
Click to collapse
and
\system\bin\poweron_modem_hboot.sh
Line 50: /system/bin/InjectionTool -i ${backup_dir}/QUO_6260.fls.clean -o ${Injected_dir}/QUO_6260.fls -n ${work_dir} -s ${sec_dir}
Line 50: /system/bin/InjectionTool -i ${backup_dir}/QUO_6260.fls.clean -o ${Injected_dir}/QUO_6260.fls -n ${work_dir} -s ${sec_dir}
Click to expand...
Click to collapse
And from flash_loader.log
Start downloading item 'CODE:../HW/XMM6260_V2_USB-HSIC_FLASHLESS_EDE_1.0/MODEM_DEBUG/QUO_6260.fls'' from file '/data/modem_work/QUO_6260.fls
Click to expand...
Click to collapse
Click to expand...
Click to collapse
This is how HTC does it:
My attempt (tried also on locked bootloader with the same output)
Things you'll need for this trick:
- USB OTG-Y-Cable. You can also build your own with this guide : How to make external powered OTG Cable
- USB SD Cardreader
- MicroSD Javacard (if you can bypass cid check, the Javacard is not needed) Xmoo said this one is used by HTC: GO-Trust® Secure microSD Java. It costs 980 US Dollars together with the SDK. Also, even if you have the Javacard you have to build the Application environment.
- 5V+ Power supply (Standard wall charger)
- PJ46DIAG.zip= clean S58 Data program specificly for the S720E/S728e. The correct DIAG has tot have a size of 964kb or 941kb and must contain the string "clean s58..." which can be checked with hexedit or any similar hex editor.
The procedure:
1. Put PJ46DIAG.zip on the Secure MicroSD Javacard
2. Plug it into the USB SD Cardreader
3. Plug the Cardreader into the female end of USB OTG-Y-Cable
4. Plug the OTG-Y-Cable into the USB port of the phone
5. Plug the cable onto the power supply
6. Reboot into bootloader
7. Once in Bootloader the file will be load by the phone and you'll land in S58 Menu. Clean S58 Data and you've successfully set your device S-Off
And here's the problem with this method. 1. A Javacard is really hard to get. I've never saw one, no one I know has ever saw one 2. The Diag file can't be leaked. The ones I've attached here are useless as Xmoo said and maybe proved. I have attached them though. So anyone interested and willing to help can investigate them.
As we know, the Diag file's for the One X can't be leaked. They're spread to choosen HTC-Repair centres, so a leak will easily be traced back. This would bring the affected people in some serious trouble. But this is interesting. These guys over on pdacentre use the official method. It's suspicious, kind of. For now, this is the only know method. It cost's around 2000 rubel (65€ | 85$) + shipping depending on your location. Of course this isn't an appropriate solution. Another thing; Why do we need a Javacard? Well, because the DIAG files will only work on devices with SuperCID (11111111) not on normal CID (HTC__XXX). So another way is to bypass the CID check.
Rough diagram of a Javacard
Copyright © 2011 GOTrust Technology Inc., All rights reserved.
TOOLBOX
The DIAG files I've linke don't have any function except from superwipe. They're only meant to be used as a test file to check if we can load such DIAG files.:
Goal: S-off HOX+ and maybe the HOX (TEGRA3)
Obtaining HTC One X Diag File to Manage S-OFF!!
[S-OFF]Development
ENG Hboot 0.03
PJ46DIAG_4
DIAG files of older HTC devices
NVflashdrivers
Radio Documentation
TEGRA 3 Documentation. PM me for password.
Click to expand...
Click to collapse
How do I know that I have the correct DIAG file? ;
The clean DIAG has a size of 964kb or 941kb. Or look at the image above. If your DIAG is called like them it could be the correct one also. But to be really sure, do the following;
Download any HEXeditor you can get. Open the DIAG file with the HEXeditor and search for keywords like "clean", "s58", . If you find these two strings in the DIAG file, it could be the correct one. We'd appreciate it if you could upload the file.
"clean s58"
Known and working DIAG files for the One X
What's already been done:
xmoo; said:
13-04-2012 XDA.CN releases pictures showing someone succesfully has S-OFF'd his device. Tool is for sale here: http://item.taobao.com/item.htm?id=10824156715
17-04-2012 Thread made.
17-04-2012 We have found someone with a S-OFF device, and a newer HBOOT than the one from XDA.CN. Trying to get access to the HBOOT.
18-04-2012 OTA 1.28 brings HBOOT 0.94.
18-04-2012 New member with a S-OFF device is willing to help.
19-04-2012 HBOOT 0.43 S-OFF rfs.img received and uploaded.
19-04-2012 RFS.img is not the correct file, searching continues...
19-04-2012 Radio located, click here
26-04-2012 HBOOT probably located here
15-05-2012 NVFlash app + APX Drivers added
12-06-2012 Tegra 3 Manual added, see here!
16-06-2012 HBOOT 1.11 from the test-keys uploaded here!
16-06-2012 Huge development, read more about it!
18-06-2012 Need to find a way to by-pass CID check.
19-06-2012 Football Partition list for One X with all addresses and lengths of partitions which can be found here.
27-06-2012 Huhge thread clean-up and update.
04-07-2012 Had the chance to play with a S-OFF device, read more about it here! ENG HBOOT which is used in test, is located here.
09-07-2012 Javacard with DIAG will work, but won't be a good solution cause no one got a legit Javacard and the DIAG files can't be leaked!
14-07-2012 Video added which shows the Javacard with DIAG method. Video can be found here.
14-07-2012 The ENG HBOOT 0.03 that Football uploaded lost it's sign. I re-uploaded it and re-checked the file and it should be good now. You can find the new .zip here.
FAQ.
What is S-OFF?
S-OFF stands for Security-OFF
S-OFF means that the NAND portion of the device is unlocked and can be written to. The default setting for HTC’s devices is S-ON, which means that neither can you access certain areas of the system nor can you guarantee a permanent root. Furthermore, signature check for firmware images is also ensured by the S-ON flag.
What has already been done?
-Tried flashing DIAG file, but with no success. File needs SuperCID.
-Tried flashing ENG HBOOT as zip file, but with no success. File needs SuperCID.
-Tried flashing modified DIAG file, but with no success. File needs SuperCID.
-Tried flashing modified HBOOT as zip file, but with no success. Signature check failed.
-Tried creating a Goldcard, but won't work. The Goldcare is for Qualcomm devices.
-Root while phone is LOCKED, won't work. Only will work on the Qualcomm One X and One XL.
-Ask the Chineese guy with the S-OFF tool. Won't share, cause he needs his money.
-Tried flashing files over recovery, but with no success.
-Tried flashing TETS and MFG ROMs, but with no success. Phone needs S-OFF because the ROMS are not sighned.
-Tried changing CID, but won't work. Only will work on the Qualcomm One X and One XL.
-Tried commands over ADB, but with no success.
-Tried XTC clip, won't work.
How Do I Know If My Device Is S-ON Or S-OFF?
That is easy to verify. Simply boot into HBOOT (bootloader) on your device, and the text on top will show the flag status as either S-OFF or S-ON. A full root generally means S-OFF.
S-OFF – What And Why?
HTC have installed a sort of security check whose level is determined by S-OFF/S-ON. Essentially, this security level is a flag stored on the device’s radio that checks signature images for any firmware before it is allowed to be written to system memory. This hinders using any custom ROMs, splash images, recovery etc., and also restricts access to the NAND flash memory. However, when security level is set to S-OFF, the signature check is bypassed, allowing a user to upload custom firmware images, unsigned boot, recovery, splash and HBOOT images, as well as official firmware that has been modified, this enabling maximum customization of your HTC Android device.
Furthermore, S-OFF also reduces restrictions on accessing the NAND flash memory on the device, allowing all partitions (including /system) to be mounted in write mode while the operating system is booted.
Where is it located?
Don't know yet, here are the partitions.
How can I flash through SD?
Tutorial added here!
What HBOOT status have we seen so far?
ENDEAVORU PVT SHIP S-ON RL
ENDEAVORU PVT SHIP S-OFF RL
ENDEAVORU PVT ENG S-OFF RL
ENDEAVORU XE ENG S-OFF RH
ENDEAVORU PVT MFG RH
ENDEAVORU XE SHIP S-OFF RH
ENDEAVORU UNKNOWN ENG S-OFF RH
Partition list for One X with all addresses and lengths of partitions
Football share the full list which can be found here.
How does HTC do it?
They do it with a smartcard/javacard/goldcard (What ever you want to call it) in combination with the DIAG file. Proof is in the attachment.
Click to expand...
Click to collapse
--------------Alternative APX MODE Route--------------​
xmoo said:
Hey guys,
Please stop PM'ing me about APX Mode. I get like 10 PM's a day.
How to get in
Nobody really knows. The most common way has been pressing volume up and down together while device is off and then plugin USB while connected to a computer.
How to get out
When your device is in APX Mode, HTC fixes it in repair. Someone here on XDA PM'd me with this video and said it should work: http://www.youtube.com/watch?v=rsnl_LIgzt0
I have not tried it myself, so just give it a try and share with the rest.
All the other discussions about APX can be done here, please stop pm'ing me.
Thank you!
Click to expand...
Click to collapse
Alright Folks! TripNRaVer has made something rudimentary, awesome, fascinating...words can't describe....Work!! Here You go, APX DRIVERS FOR THE ONE X
TripNRaVeR said:
For those of you that are in APX Mode or want to mess with APX here is the modified driver for the One X.
Now you have acces to the device again through USB.
Todo:
- Plug the usb cable in hox
- Goto device manager
- Search for APX or Unknown device or whatever it is listed
- Choose update driver
- Choose manually select driver
- Select the folder where you extracted the zip file
- Install drivers
Use nvflash to gain acces to the device again.
Download:
http://tripndroid.bindroidroms.com/TripNDroid-HOX-APX-Driver.zip
Nvflash:
- Use nvflash binary to gain acces to the device
- Including flash.cfg for endeavoru to use with nvflash.exe
- Including a bct file
http://tripndroid.bindroidroms.com/tripndroid_nvflash.zip
Click to expand...
Click to collapse
PLEASE read on the threads I've linked, before you start discussion. People really did some great development.
My HOX Will be S-OFF soon, got acces to a Java white card to S-OFF in seconds..
Sent from my HTC One X using xda app-developers app
bobcoenen said:
My HOX Will be S-OFF soon, got acces to a Java white card to S-OFF in seconds..
Sent from my HTC One X using xda app-developers app
Click to expand...
Click to collapse
Well, do you have the correct diag file? And do you have HTC's private key to sign the Javacard? You have to be more specific otherwise your post isn't helping us in ANY way...I accidentally hit the thx button, don't be smug.
Yes my friend has the diag file, his HOX is already S-OFF. I will try to post a screenshot next week when mine is done. I'm not trying to be smug
Sent from my HTC One X using xda app-developers app
---------- Post added at 07:50 PM ---------- Previous post was at 07:46 PM ----------
The S-OFF process is done with a y-cable with a card reader an usb charger on the other end. For what i understood the java card is very rare.
Sent from my HTC One X using xda app-developers app
matt95 said:
well, i've been on HTC since i passed on Android and every HTC device has got S-OFFed 2 or 3 months later from the day one... i don't think this will happen unfortunately, i really believed in this but now is time to be realist.
Click to expand...
Click to collapse
You know that there's NO hard-, software which isn't vulnearable or which hasn't got an exploit, don't you? No need to be pessimistic or realistic if we keep staying constructive and productive, somehow this will be done call me a dreamer, but... let's just try to give our best, ok? This would be fine. I just think the One X hasn't got the attention it has actually deserved. Its release date was too close to the release of the gs3. HTC's great devs are mostly familiar with Qualcomm processors. Never before they've worked with a Tegra 3 processor. The available Tegra 3 devices (Asus TFXXX[T]) don't have the problem with S-Off/On, it's enough for them to be unlocked. So none of the devs who managed bootloader unlock on this Tegra devices faced this problem. This and many other avoidable reasons caused the lack of development and it's surely one of the reasons why we didn't got s-off yet.
I have just cleaned the thread up NO MORE off topic!
Sent from my HTC One X+ using xda app-developers app
After a free way so people dont need to send they're phones anywhere
Sent from my HTC One X+ using xda app-developers app
ppcd9220 said:
I've succeded in overwriting the CID. Just used count= parameter for DD command. (Block size=512b).
I've replaced my CID with another one. disconnected, connected, performed test readout. The CID string is changed.
Unfortunately it looks like it is back-uped somewhere and checked at start-up.
Because after rebooting my CID is back.
Tested 2 times. After changing - I can read it. After reboot it is back to original one.
Does anyone have any other ideas of changing CID and/or S-ON/OFF ?
Click to expand...
Click to collapse
Link to original Thread.
I posted him to ask him how he did it. It was a week ago and he didn't answered until now. My idea was to do this and try to load PJ46DIAG.zip without rebooting. As you know, if you have superCID you don't need a Javacard. Even if I don't have the correct DIAG, at least we'd have a way to load the DIAG until the correct one is out...somehow...
S-OFF via hboot upgrade
TRY AT YOUR OWN RISK. NOT VERIFIED.
I found is an article HERE for S-OFF via HBOOT upgrade. I don't have a CID HTC_621 (taiwan) so I can't try it. Neither I can verify its reliability.
I briefly translate it into english:
My One X (CID HTC_621, hboot 0.94 or 0.95 can't remember the exact version) hboot has to be upgraded to flash Android 4.1.1 so I did a manual upgrade of hboot to 1.31. At the end of the upgrade, I discovered by chance that my One X is now S-OFF. I did a trial by flashing new ROM without flashing boot.img and it works.
So, this S-OFF is done via manual hboot upgrade (for HTC_621) to 1.31. Do not attempt on other CID One X.
Below is the step-by-step procedures:
1. Download RUU for Asia_Taiwan (2.17.709.2 or 2.18.709.x) and Endeavoru_CustomRUU. Make sure One X is locked, go into fastboot and connect to USB. Unzip the Endeavoru_CustomRUU to somewhere. Rename the Official RUU zip to "rom.zip" and put inside the folder of the unzipped Endeavoru_CustomRUU. Run ARUWizard.exe.
2. Make sure the following is run in Windows XP. You will stuck under Windows 7. Make sure all HTC drivers are installed.
3. Download JBFW here and Asia_Taiwan 3.14 OTA here. Unzip the JBFW and the OTA package. Copy the firmware.zip (from OTA package) and the Unlock_code.bin (obtained from htcdev.com) into the JBFW folder.
4. Go into fastboot usb mode, run JBFWFlasher.bat. It will say to put the Unlock_code.bin and custom boot file into the folder (this was done in Step 3 above), and warn this is for certain CID only. I ignore this and click NEXT NEXT NEXT until it is done.
These are the steps I used to obtain (unexpectedly) S-OFF. This is what I want to share and hope you guys get S-OFF soon.
Click to expand...
Click to collapse
TRY AT YOUR OWN RISK. Neither the author or me will be responsible for your device.
singcheng said:
TRY AT YOUR OWN RISK. NOT VERIFIED.
I found is an article HERE for S-OFF via HBOOT upgrade. I don't have a CID HTC_621 (taiwan) so I can't try it. Neither I can verify its reliability.
I briefly translate it into english:
TRY AT YOUR OWN RISK. Neither the author or me will be responsible for your device.
Click to expand...
Click to collapse
Read somewhere that the diag file can't be leaked because it will be traced back to the guy who leaked it. Now can we get it and make our own diag file based on it?
Drefsab said:
Several people have tried this and not had it work.
Click to expand...
Click to collapse
your welcome to discuss the methods here, but PLEASE either show the reasons why or at least link it for me please? I've been looking into this and got a couple of ideas....
hboot
Hey Guys!
Dunno if its worth much but I downloaded the ENG HBoot File you linked in the first post and opened it in a hex editor and poked a little bit around. I found this:
Code:
Settings memory area 10B 00 01 00 Disable patches 0A 00 01 00 Settings memory area 2 Settings memory area 2 first Settings memory area 2 second Settings memory area 2 third 0B 00 01 01 Settings memory area 3 Flash Code memory area 0B 00 01 02
Patch Code memory area 0B 00 01 03 Enable patches 0A 00 01 01 Final Integrity check 0B 00 01 FF%d: SD init
%d: SD init fail !!!%d:SD FAT32 init OK Checking key-card...Checking key-card...
%d: Not key-card !!!%d: Key-card DMCID.dat Open '%s' file success !!!
hFile = 0x%x, file_size = 0x%x
Read '%s' (%d != %d B)
[email protected]=0: Change CID to '%s'4: Change CID to '%s'Alloc data buffer failOpen '%s' file fail###[ End CDMA Cust Mode ]###
It looks like thats the part where it checks for a "key-card". Probably this Java Card??
Thats well known. With an ENG Bootloader you can do whatever you want including CID Changes.
hexdump of EBT Partition, where Hboot is possibly located. As Footbal said, on a stock kernel this partition is somehow hidden. Even on hboot 1.36.
Code:
[email protected]:/ $ su
[email protected]:/ # hexdump -C /dev/block/mmcblk0|grep EBT
[COLOR="Red"]000000e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|[/COLOR]
000000f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000010e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000010f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000020e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000020f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000030e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000030f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000040e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000040f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000050e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000050f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000060e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000060f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000070e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000070f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000080e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000080f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000090e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000090f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0000a0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0000a0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0000b0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0000b0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0000c0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0000c0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0000d0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0000d0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0000e0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0000e0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0000f0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0000f0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000100e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000100f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000110e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000110f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000120e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000120f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000130e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000130f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000140e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000140f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000150e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000150f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000160e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000160f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000170e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000170f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000180e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000180f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000190e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000190f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0001a0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0001a0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0001b0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0001b0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0001c0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0001c0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0001d0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0001d0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0001e0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0001e0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0001f0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0001f0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000200e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000200f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000210e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000210f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000220e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000220f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000230e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000230f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000240e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000240f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000250e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000250f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000260e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000260f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000270e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000270f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000280e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000280f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000290e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000290f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0002a0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0002a0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0002b0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0002b0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0002c0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0002c0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0002d0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0002d0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0002e0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0002e0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0002f0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0002f0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000300e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000300f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000310e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000310f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000320e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000320f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000330e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000330f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000340e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000340f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000350e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000350f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000360e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000360f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000370e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000370f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000380e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000380f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000390e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000390f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0003a0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0003a0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0003b0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0003b0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0003c0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0003c0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0003d0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0003d0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0003e0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0003e0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0003f0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0003f0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000400e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000400f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000410e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000410f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000420e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000420f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000430e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000430f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000440e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000440f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000450e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000450f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000460e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000460f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000470e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000470f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000480e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000480f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000490e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000490f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0004a0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0004a0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0004b0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0004b0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0004c0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0004c0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0004d0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0004d0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0004e0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0004e0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0004f0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0004f0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000500e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000500f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000510e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000510f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000520e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000520f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000530e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000530f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000540e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000540f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000550e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000550f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000560e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000560f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000570e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000570f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000580e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000580f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000590e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000590f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0005a0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0005a0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0005b0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0005b0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0005c0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0005c0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0005d0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0005d0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0005e0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0005e0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0005f0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0005f0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000600e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000600f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000610e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000610f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000620e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000620f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000630e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000630f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000640e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000640f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000650e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000650f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000660e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000660f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000670e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000670f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000680e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000680f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
000690e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
000690f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0006a0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0006a0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0006b0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0006b0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0006c0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0006c0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0006d0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0006d0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0006e0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0006e0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0006f0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
xxx....
blubbers said:
these are the partitions seen by the OS:
Code:
APP CAC DLG DUM ISD LNX MSC PDT PG1 PG2 PG3 RCA RFS RV1 SIF SOS SP1 UDA WDM WLN
none of these partitions contain the hboot!
these are the partition actually on the emmc:
Code:
APP BCT BIF CAC DIA DLG DUM EBT GP1 GPT ISD LNX MSC PDT PG1 PG2 PG3 PT RCA RFS RV1 SIF SOS SP1 UDA WDM WLN
so, you won't be able to access the hboot partition (on a s-off device neither) without a bit of work,
Click to expand...
Click to collapse
nitrous² said:
Thats well known. With an ENG Bootloader you can do whatever you want including CID Changes.
hexdump of EBT Partition, where Hboot is possibly located. As Footbal said, on a stock rom this partition is somehow hidden. Even on hboot 1.36.
Code:
0016b0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0016c0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0016c0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0016d0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0016d0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0016e0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0016e0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0016f0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0016f0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001700e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001700f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001710e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001710f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001720e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001720f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001730e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001730f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001740e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001740f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001750e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001750f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001760e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001760f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001770e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001770f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001780e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001780f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001790e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001790f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0017a0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0017a0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0017b0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0017b0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0017c0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0017c0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0017d0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0017d0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0017e0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0017e0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0017f0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0017f0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001800e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001800f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001810e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001810f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001820e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001820f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001830e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001830f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001840e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001840f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001850e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001850f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001860e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001860f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001870e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001870f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001880e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001880f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001890e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001890f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0018a0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0018a0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0018b0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0018b0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0018c0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0018c0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0018d0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0018d0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0018e0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0018e0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0018f0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0018f0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001900e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001900f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001910e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001910f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001920e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001920f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001930e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001930f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001940e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001940f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001950e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001950f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001960e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001960f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001970e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001970f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001980e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001980f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001990e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001990f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0019a0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0019a0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0019b0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0019b0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0019c0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0019c0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0019d0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0019d0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0019e0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0019e0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
0019f0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
0019f0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001a00e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001a00f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001a10e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001a10f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001a20e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001a20f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001a30e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001a30f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001a40e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001a40f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001a50e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001a50f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001a60e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001a60f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001a70e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001a70f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001a80e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001a80f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001a90e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001a90f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001aa0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001aa0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001ab0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001ab0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001ac0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001ac0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001ad0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001ad0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001ae0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001ae0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001af0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001af0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001b00e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001b00f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001b10e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001b10f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001b20e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001b20f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001b30e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001b30f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001b40e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001b40f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001b50e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001b50f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001b60e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001b60f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001b70e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001b70f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001b80e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001b80f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001b90e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001b90f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001ba0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001ba0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001bb0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001bb0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001bc0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001bc0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001bd0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001bd0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001be0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001be0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001bf0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001bf0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001c00e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001c00f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001c10e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001c10f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001c20e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001c20f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001c30e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001c30f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001c40e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001c40f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001c50e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001c50f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001c60e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001c60f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001c70e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001c70f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001c80e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001c80f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001c90e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001c90f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001ca0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001ca0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001cb0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001cb0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001cc0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001cc0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001cd0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001cd0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001ce0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001ce0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001cf0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001cf0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001d00e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001d00f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001d10e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001d10f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001d20e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001d20f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001d30e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001d30f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001d40e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001d40f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001d50e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001d50f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001d60e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001d60f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001d70e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001d70f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001d80e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001d80f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001d90e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001d90f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001da0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001da0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001db0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001db0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001dc0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001dc0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001dd0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001dd0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001de0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001de0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001df0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001df0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001e00e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001e00f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001e10e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001e10f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001e20e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001e20f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001e30e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001e30f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001e40e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001e40f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001e50e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001e50f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001e60e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001e60f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001e70e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001e70f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001e80e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001e80f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001e90e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001e90f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001ea0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001ea0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001eb0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001eb0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001ec0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001ec0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001ed0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001ed0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001ee0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001ee0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001ef0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001ef0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001f00e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001f00f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001f10e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001f10f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001f20e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001f20f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001f30e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001f30f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001f40e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001f40f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001f50e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001f50f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001f60e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001f60f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001f70e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001f70f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001f80e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001f80f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001f90e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001f90f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001fa0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001fa0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001fb0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001fb0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001fc0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001fc0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001fd0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001fd0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001fe0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001fe0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|
001ff0e0 03 00 00 00 00 00 00 00 04 00 00 00 45 42 54 00 |............EBT.|
001ff0f0 12 00 00 00 03 00 00 00 00 00 00 00 45 42 54 00 |............EBT.|e
Click to expand...
Click to collapse
Will the new hboot 1.39 be the same as well
Sent from my Nexus 7 using xda premium
RohinZaraki said:
Will the new hboot 1.39 be the same as well
Sent from my Nexus 7 using xda premium
Click to expand...
Click to collapse
I'm not on hboot 1.39, but you could try it with following commands:
Code:
D:\fastboot>adb shell
[email protected]:/ # hexdump -C /dev/block/mmcblk0|grep EBT
nitrous² said:
I'm not on hboot 1.39, but you could try it with following commands:
Code:
D:\fastboot>adb shell
[email protected]:/ # hexdump -C /dev/block/mmcblk0|grep EBT
Click to expand...
Click to collapse
When my phone receives the JB update (stupid branding -.- ) I will root it and have a look, maybe I can find something
nitrous² said:
If there's someone with an s-off device, here's a command with that old htc devices can be set back to s-on. But there's no way I know how to set back to s-off as you may know
"fastboot oem writesecureflag 3"
You've been warned, only at your own risk!!!!
You've been warned, only at your own risk!!!!
You've been warned, only at your own risk!!!!
Click to expand...
Click to collapse
Is there a similar fastboot command we can try for S-Off ? I mean, there may be one.
RohinZaraki said:
Is there a similar fastboot command we can try for S-Off ? I mean, there may be one.
Click to expand...
Click to collapse
don't think so, they would have already tried it
i'm still poking and prodding my HOX+ for ideas plus doing research, not found anything that's not already been mentioned here...by the way people are welcome to make new threads in this section for development purposes....like porting FireFox OS and so on.

Bus pass?

Hi just wondering if there is anything I could do to make this card expiry date longer?
It expired on Tuesday. Anything I could do?
** TagInfo scan (version 2.00) 2014-04-13 14:07:30 **
-- INFO ------------------------------
# IC manufacturer:
NXP Semiconductors
# IC type:
MIFARE DESFire EV1 (MF3ICD41)
# DESFire Applications:
ITSO public transport application
Provision of citizen services #0
* UK National Smartcard Project
Provision of citizen services #1
* UK National Smartcard Project
Provision of citizen services #2
* UK National Smartcard Project
Provision of citizen services #3
* UK National Smartcard Project
Provision of citizen services #4
* UK National Smartcard Project
-- NDEF ------------------------------
# NFC data set storage not present:
Maximum NDEF storage size after format: 4094 bytes
-- EXTRA ------------------------------
# Memory information:
Size: 4 kB
Available: 2.2 kB
# IC detailed information:
Capacitance: 17 pF
# Version information:
Vendor ID: NXP
Hardware info:
* Type/subtype: 0x01/0x01
* Version: 1.0
* Storage size: 4096 bytes
* Protocol: ISO/IEC 14443-2 and -3
Software info:
* Type/subtype: 0x01/0x01
* Version: 1.4
* Storage size: 4096 bytes
* Protocol: ISO/IEC 14443-3 and -4
Batch no: 0xBA44D7C6C0
Production date: week 38, 2013
# Authentication information:
Default PICC master key
-- TECH ------------------------------
# Technologies supported:
ISO/IEC 7816-4 compatible
Native DESFire APDU framing
ISO/IEC 14443-4 (Type A) compatible
ISO/IEC 14443-3 (Type A) compatible
ISO/IEC 14443-2 (Type A) compatible
# Android technology information:
Tag description:
* TAG: Tech [android.nfc.tech.IsoDep, android.nfc.tech.NfcA, android.nfc.tech.NdefFormatable]
android.nfc.tech.NdefFormatable
android.nfc.tech.IsoDep
* Maximum transceive length: 261 bytes
* Default maximum transceive time-out: 6000 ms
* Extended length APDUs supported
android.nfc.tech.NfcA
* Maximum transceive length: 253 bytes
* Default maximum transceive time-out: 6000 ms
MIFARE Classic support present in Android
# Detailed protocol information:
ID: 04:81:68:7A:62:36:80
ATQA: 0x4403
SAK: 0x20
ATS: 0x067577810280
* Max. accepted frame size: 64 bytes (FSCI: 5)
* Supported receive rates:
- 106, 212, 424, 848 kbit/s (DR: 1, 2, 4, 8)
* Supported send rates:
- 106, 212, 424, 848 kbit/s (DS: 1, 2, 4, 8)
* Different send and receive rates supported
* SFGT: 604.1 us (SFGI: 1)
* FWT: 77.33 ms (FWI: 8)
* NAD not supported
* CID supported
* Historical bytes: 0x80 |.|
# Memory content:
PICC level (Application ID 0x000000)
* Default PICC master key
* PICC key configuration:
- PICC key changeable
- PICC key required for:
~ directory list access: no
~ create/delete applications: no
- Configuration changeable
- PICC key version: 0
Application ID 0xA00216 (ITSO public transport application)
* Default master key
* Key configuration:
- 2 (3)DES keys
- Master key changeable
- Master key required for:
~ directory list access: no
~ create/delete files: no
- Configuration changeable
- Master key required for changing a key
* 16 files present
- File ID 0x00: Backup data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 00 21 7D 00 40 80 00 01 FE C3 58 A9 00 00 00 00 |.!}[email protected]|
[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0020] 00 00 00 00 00 88 8A A2 62 42 8F 00 00 08 00 00 |........bB......|
[0030] 00 08 00 03 F8 2D 68 29 2A 9E 24 2C A3 3A BF 00 |.....-h)*.$,.:..|
- File ID 0x01: Backup data, 192 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 1C 01 00 F0 8A A2 62 00 00 00 10 00 FF 00 00 00 |......b.........|
[0010] 00 00 00 02 D1 00 00 1F FF F0 01 00 00 FF 02 72 |...............r|
[0020] BD 00 00 46 1C 2B 6D 39 E9 0E 19 4C 00 00 00 00 |...F.+m9...L....|
[0030] 1C 01 00 F0 8A 9E 7F 00 00 00 10 00 FF 00 00 00 |................|
[0040] 00 00 00 02 D1 00 00 1F FF F0 10 00 00 FF 02 71 |...............q|
[0050] 6F 00 00 5C 44 E0 F5 CF E5 28 41 4B 00 00 00 00 |o..\D....(AK....|
[0060] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0070] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0080] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0090] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[00A0] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[00B0] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- File ID 0x02: Backup data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- File ID 0x03: Backup data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- File ID 0x04: Backup data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- File ID 0x05: Backup data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- File ID 0x06: Backup data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- File ID 0x07: Backup data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 23 09 00 00 88 B4 2F 03 F8 29 C8 00 00 00 00 00 |#...../..)......|
[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0020] 00 FA 00 31 A7 00 35 00 F7 87 A1 DB 89 65 EF AC |...1..5......e..|
[0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- File ID 0x08: Standard data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- File ID 0x09: Standard data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- File ID 0x0A: Standard data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- File ID 0x0B: Standard data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- File ID 0x0C: Standard data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- File ID 0x0D: Standard data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 21 11 00 00 7F FE 40 02 62 6A CF 80 00 8A 8F 40 |[email protected]@|
[0010] 00 FF 00 00 00 00 04 1A 10 00 14 84 00 63 35 97 |.............c5.|
[0020] 00 03 F8 2D 69 00 00 07 32 E0 A5 26 84 E7 BE 4F |...-i...2..&...O|
[0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- File ID 0x0E: Standard data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 18 01 FF 00 7F 00 00 00 00 00 00 00 00 00 00 00 |................|
[0010] 00 00 00 00 00 00 00 00 00 FA 00 31 A7 00 35 01 |...........1..5.|
[0020] 34 8F B7 B5 63 93 CE 08 00 00 00 00 00 00 00 00 |4...c...........|
[0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- File ID 0x0F: Standard data, 32 bytes
~ Communication: plain
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 18 11 63 35 97 01 27 02 02 56 04 07 04 01 00 00 |..c5..'..V......|
[0010] 40 10 08 07 00 00 54 FD 00 00 00 00 00 00 00 00 |@.....T.........|
Application ID 0xF40110
* Default master key
* Key configuration:
- 3 (3)DES keys
- Master key changeable
- Master key required for:
~ directory list access: no
~ create/delete files: yes
- Configuration changeable
- Master key required for changing a key
* No files present
Application ID 0xF40111
* Default master key
* Key configuration:
- 3 (3)DES keys
- Master key changeable
- Master key required for:
~ directory list access: no
~ create/delete files: yes
- Configuration changeable
- Master key required for changing a key
* No files present
Application ID 0xF40112
* Default master key
* Key configuration:
- 3 (3)DES keys
- Master key changeable
- Master key required for:
~ directory list access: no
~ create/delete files: yes
- Configuration changeable
- Master key required for changing a key
* No files present
Application ID 0xF40113
* Default master key
* Key configuration:
- 3 (3)DES keys
- Master key changeable
- Master key required for:
~ directory list access: no
~ create/delete files: yes
- Configuration changeable
- Master key required for changing a key
* No files present
Application ID 0xF40114
* Default master key
* Key configuration:
- 3 (3)DES keys
- Master key changeable
- Master key required for:
~ directory list access: no
~ create/delete files: yes
- Configuration changeable
- Master key required for changing a key
* No files present
--------------------------------------
Click to expand...
Click to collapse
Thx
Sent from my C6833 using Tapatalk
This would be considered fraud which is not accepted here on XDA. You're on your own, mate, both in finding the solution to this and in the cell after you get caught.
Cheers!
Thats seriously illegal my friend.
Sent from my SAMSUNG-SGH-I337 using XDA Premium 4 mobile app
Thats seriously illegal my friend.
Click to expand...
Click to collapse
+1 to this .
Thank u
Sent from my SAMSUNG-SGH-I337 using XDA Premium 4 mobile app
How can i get this files from my bus card ? i have phone with nfc and rooted. whic program actually thx
GT-I9500 cihazımdan Tapatalk kullanılarak gönderildi
It is illegal, you know ? We can't help you, but let me give you some tips: you should find a timestamp on the ticket. Find it, find out how it's calculated, and you're on your way (as long as the part containing the timestamp isn't write-protected).
Once you find the problem, I highly suggest you to report the problem to those concerned by the vulnerability, so that they can fix the problem, and maybe reward you somehow
I have already worked in this very field, it is a rather fascinating one !
Edit:
How can i get this files from my bus card ? i have phone with nfc and rooted. whic program actually thx
Click to expand...
Click to collapse
@ahmetozgur I just published an app on here called UltraManager. If your bus card is a Mifare Ultralight tag, you can use my app for the purpose. Otherwise, there are some good apps on Google Play, just look for "NFC tag reader"
How did you get such a detailed information about that card?
Diogo Recharte said:
How did you get such a detailed information about that card?
Click to expand...
Click to collapse
omg so many people asking such simple questions
HEY OP
What card is that ??
im interested in people disposing of beatiful desfire cards xD
i wonder if i can wipe it..
Diogo Recharte said:
How did you get such a detailed information about that card?
Click to expand...
Click to collapse
The application used to capture this card information was TagInfo by NXP. It is available from the Play Store here: https://play.google.com/store/apps/details?id=com.nxp.taginfolite&hl=en
Hello . I live in Madrid (Spain), and I have a transportation voucher. I would like "hack" it, but I would like know for where I can start haha I saw _darkjoker_ said : "you should find a timestamp on the ticket" . How can I do it? I downloaded the program TagInfo by NXP but I need an app where I can change the information of the chip. Is there an app? Because when you buy another month the store clerk swipes the card through a machine NFC ...
If anyone knows anything about this, comment it
Thanks
Hello. Quick question about a ISO 14443-3A id card. Does it support GPS? In other words can it be tracked by GPS? May be a dumb question, but I am not familiar with how the technology works and I'm trying to figure out capabilities. Thanks in advance
GadgetMonger said:
Hello. Quick question about a ISO 14443-3A id card. Does it support GPS? In other words can it be tracked by GPS? May be a dumb question, but I am not familiar with how the technology works and I'm trying to figure out capabilities. Thanks in advance
Click to expand...
Click to collapse
nfc is near field communication, the way it works is there is an antenna/coil inside the tag/card that when next to a tag reader gets a charge from it, giving power to the ic on the card. so the card cannot be directly tracked by gps. BUT, it is possible to have gps enabled tag readers which could track you every time you get close enough to one.
Hello,
Most bus pass technology uses desfire cards with two logical addresses one is public for all the world to see and the other is private , the private sector is encrypted and is updated everytime you put money on it or use it. Also as a duel layer defence most implementations of this technology uses back to base system which means everytime you tap it the card is used to query a database to verify that there is money for the trip and to check if the card is currently being used for a trip.
In NSW Australia we have opal cards they work by storing the balance information and activity in public storage so you can check it through a NFC enabled device and then storing the cards sensitive information in private storage that only the readers at stations and in top up locations can use. Every time we tap on the balance on the card is checked with a database and updated locally when needed then at the end of the trip the cards balance is updated from the central database to the card.
So I don't believe you can simply add more time ( or money) to most bus pass cards.
MRCaratacus said:
Hello,
Most bus pass technology uses desfire cards with two logical addresses one is public for all the world to see and the other is private , the private sector is encrypted and is updated everytime you put money on it or use it. Also as a duel layer defence most implementations of this technology uses back to base system which means everytime you tap it the card is used to query a database to verify that there is money for the trip and to check if the card is currently being used for a trip.
In NSW Australia we have opal cards they work by storing the balance information and activity in public storage so you can check it through a NFC enabled device and then storing the cards sensitive information in private storage that only the readers at stations and in top up locations can use. Every time we tap on the balance on the card is checked with a database and updated locally when needed then at the end of the trip the cards balance is updated from the central database to the card.
So I don't believe you can simply add more time ( or money) to most bus pass cards.
Click to expand...
Click to collapse
Did you ever work out a way to add money to the card? Im in nsw too and i have a school opal card so i dont have to pay anyway but im interested.
Unfortunately no , unless you hack into the database and locate your cards identifier then add money from the central DB , there is no way you can "hack" more money on the card , and even if you could the moment you tapped on it would always take the databases values as correct and either adjust your cards balance or detect the fraud and lock the card down.
Might have a solution but...
buckofive said:
The application used to capture this card information was TagInfo by NXP. It is available from the Play Store here:]https://play.google.com/store/apps/details?id=com.nxp.taginfolite&hl=en
Click to expand...
Click to collapse
It's illegal and we cannot help you in doing what you want.
In theory if you use an app like Mifare classic tool, that has a tool to compare dumps, you can get what changed like time, money or whatever. But that must be done if its with testing nfc cards and just for getting knowledge, not money.
hello
i have nfc card which i use it in university restaurant to pay a lunch could i hack it and but more money
pls help me
can't he overwrite the hex for the date, e.g. Production date: week 38, 2013 -> Week 38, 2018 ?
abood.456 said:
hello
i have nfc card which i use it in university restaurant to pay a lunch could i hack it and but more money
pls help me
Click to expand...
Click to collapse
thats fraud.

Categories

Resources