wiki:Android/HTC/Vision/HackingNotes

Hacking Notes

For the complete list of my articles on Android devices and software, including analysis of devices and system firmware, lists of external resources and tools, and How-To instructions, check the front page of this wiki under the Android heading.

Connecting using serial-over-USB to talk to Radio or HBoot

On a Linux host it is possible to talk to the HTC device over a serial-over-USB link exposed as a /dev/ttyUSB* device node. The key to creating the serial port is knowing the device's USB vendor and product IDs, and passing those IDs to the usbserial kernel module when loading it.

With an HTC Vision in normal operating mode:

lsusb | grep HTC
Bus 001 Device 047: ID 0bb4:0c91 High Tech Computer Corp. 

These IDs are defined in arch/arm/mach-msm/board-vision.c:

static struct android_usb_platform_data android_usb_pdata = {
	.vendor_id	= 0x0bb4,
	.product_id	= 0x0c91,
	.version	= 0x0100,
	.product_name		= "Android Phone",
	.manufacturer_name	= "HTC",
	.num_products = ARRAY_SIZE(usb_products),
	.products = usb_products,
	.num_functions = ARRAY_SIZE(usb_functions_all),
	.functions = usb_functions_all,
};

However, the USB product ID changes depending on whether the device is in normal operation, HBoot mode or Fastboot mode.

To get the USB product ID in HBoot mode, switch the device off, then start it in HBoot mode by holding down the volume-down rocker and simultaneously pressing and releasing the power button. Once the HBoot menu appears on the device, check the new product ID:

lsusb | grep HTC
Bus 001 Device 047: ID 0bb4:0c94 High Tech Computer Corp. 

Note also that if the device is started in Fastboot mode its product ID will be 0x0FFF. This is the same mode entered when the HBoot rebootRUU command is issued. If the device starts in RUU mode the splash screen is a white-on-black "htc", and pressing a key replaces it with a text console view showing "RUU" or "RUU USB". If the device starts in Fastboot mode it will show "FASTBOOT" or "FASTBOOT USB" on the text console view.

Load the usbserial kernel module on the Linux host PC with the device's HBoot ID:

sudo modprobe usbserial vendor=0x0BB4 product=0x0C94

Monitor the kernel log whilst connecting the device (press Ctrl+C to quit the tail -f command):

tail -f /var/log/kern.log
Oct 19 13:28:34 hephaestion kernel: [252682.164986] usbcore: registered new interface driver usbserial
Oct 19 13:28:34 hephaestion kernel: [252682.165748] USB Serial support registered for generic
Oct 19 13:28:34 hephaestion kernel: [252682.166675] usbcore: registered new interface driver usbserial_generic
Oct 19 13:28:34 hephaestion kernel: [252682.166679] usbserial: USB Serial Driver core
Oct 19 13:28:45 hephaestion kernel: [252693.684062] usb 1-3: new high speed USB device using ehci_hcd and address 48
Oct 19 13:28:45 hephaestion kernel: [252693.833364] usb 1-3: configuration #1 chosen from 1 choice
Oct 19 13:28:45 hephaestion kernel: [252693.834624] scsi31 : SCSI emulation for USB Mass Storage devices
Oct 19 13:28:45 hephaestion kernel: [252693.834974] usbserial_generic 1-3:1.1: generic converter detected
Oct 19 13:28:45 hephaestion kernel: [252693.835092] usb 1-3: generic converter now attached to ttyUSB0
Oct 19 13:28:45 hephaestion kernel: [252693.835309] usb-storage: device found at 48
Oct 19 13:28:45 hephaestion kernel: [252693.835313] usb-storage: waiting for device to settle before scanning
Oct 19 13:28:50 hephaestion kernel: [252698.833231] usb-storage: device scan complete
Oct 19 13:29:11 hephaestion kernel: [252720.000868] generic ttyUSB0: generic converter now disconnected from ttyUSB0
Oct 19 13:29:11 hephaestion kernel: [252720.000904] usbserial_generic 1-3:1.1: device disconnected
Oct 19 13:29:12 hephaestion kernel: [252720.112051] usb 1-3: reset high speed USB device using ehci_hcd and address 48
Oct 19 13:29:12 hephaestion kernel: [252720.252301] usbserial_generic 1-3:1.1: generic converter detected
Oct 19 13:29:12 hephaestion kernel: [252720.252469] usb 1-3: generic converter now attached to ttyUSB0
Oct 19 13:29:12 hephaestion kernel: [252720.275104] scsi 31:0:0:0: Direct-Access     HTC      Vision           0100 PQ: 0 ANSI: 2
Oct 19 13:29:12 hephaestion kernel: [252720.276105] sd 31:0:0:0: Attached scsi generic sg2 type 0
Oct 19 13:29:12 hephaestion kernel: [252720.293378] sd 31:0:0:0: [sdb] Attached SCSI removable disk

This line confirms there is a serial port for the device:

usb 1-3: generic converter now attached to ttyUSB

Check the device port exists:

ls /dev/ttyUSB*
/dev/ttyUSB0
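
The steps above can be scripted. The following is an added example, not part of the original notes: it picks the HTC product ID out of lsusb output, maps it to a mode using only the IDs listed on this page, and finds the serial port that is still attached after the disconnect and re-attach visible in the kernel log. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page); function names are hypothetical.
HTC_VENDOR=0bb4   # vendor ID as shown in the lsusb output above

# Read lsusb output on stdin; print the product ID of the first HTC device.
htc_product_id() {
    sed -n "s/.* ID ${HTC_VENDOR}:\([0-9a-fA-F]\{4\}\).*/\1/p" | head -n 1
}

# Map a product ID to a device mode, using only the IDs given on this page.
vision_mode() {
    case "$(printf '%s' "$1" | tr 'A-F' 'a-f')" in
        0c91) echo normal ;;
        0c94) echo hboot ;;
        0fff) echo fastboot-or-ruu ;;
        *)    echo unknown ;;
    esac
}

# Print (do not run) the modprobe command for a given product ID.
modprobe_cmd() {
    printf 'modprobe usbserial vendor=0x%s product=0x%s\n' "$HTC_VENDOR" "$1"
}

# Read kernel log lines on stdin; print the ttyUSB port still attached at the
# end. A port that was attached and later disconnected is not reported.
attached_tty() {
    awk '
        /generic converter now attached to ttyUSB[0-9]+/ { port = $NF }
        /generic converter now disconnected from ttyUSB[0-9]+/ { if ($NF == port) port = "" }
        END { if (port != "") print port }
    '
}

# Three lines trimmed from the kernel log shown above.
sample_log() {
    cat <<'EOF'
kernel: [252693.835092] usb 1-3: generic converter now attached to ttyUSB0
kernel: [252720.000868] generic ttyUSB0: generic converter now disconnected from ttyUSB0
kernel: [252720.252469] usb 1-3: generic converter now attached to ttyUSB0
EOF
}

# Live use: sh script.sh --live  (needs lsusb and a readable kern.log)
if [ "${1:-}" = "--live" ]; then
    id=$(lsusb | htc_product_id)
    [ -n "$id" ] || { echo "no HTC device found" >&2; exit 1; }
    echo "mode: $(vision_mode "$id")"; modprobe_cmd "$id"
    echo "port: $(attached_tty < /var/log/kern.log)"
fi
```
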

Unstructured Supplementary Service Data Codes

From the radio's AMSS.

*1*0#
#*91*0#
#*43*0#
*#30#
*30#
*1*1#
#*91*1#
#*43*1#
*#31#
*31#
*#77742#
*1*4#
#55#
*55#
*#06# // IMEI
*#76#
*76#
*#77#
*77#

#*88*
03*330
**03*?
*#330?
**03*330?
##21?
*#21?
**21?
*#331?
**03*331?
*#351?
**03*351?
##61?
*#61?
**61?
##002?
*#002?
**002?
*#332?
**03*332?
**042?
#77742?
*77742?
**052?
##62?
*#62?
**62?
*#33?
**03*33?
*#333?
**03*333?
*#43?
*43?
*#353?
**03*353?
**04?
##004?
*#004?
**004?
**05?
*#35?
**03*35?
##37?
*#37?
##67?
*#67?
**67?
 

Resources