HTC sensation/pyramid, workaround about lk2nd/postmarketos

This is about htc-pyramid device (sensation ; maybe sensation XE and sensation 4G)

Three parts :

  1. UART Logs
  2. S-OFF process
  3. LK2ND

UART logs

in order to get uart logs :

you need :

  1. htc pyramid device of course

  2. usb to uart converter

  3. linux with the minicom tool

  4. tools to unscrew and disassembly the device

  5. lot of time and patiency

process :

  1. save the content of your device

  2. power it off

  3. disassembly it

  4. unplug the screen (it's not possible to reach the uart pinout with the screen connected

  5. connect the usb/uart converter in USB to the computer

  6. connect the GND from converter, to a piece of metal (the one covering the microsdcard slot, for example (see picture 1)

  7. connect the RX from the converter, to the “purple” mark, among the pinout of the PCB (see picture 1)

  8. in linux, just open minicom -d /dev/ttyUSB0

  9. UART logs should appear

Picture 1:

Mirror of Picture 1: https://img.tedomum.net/data/pyramidUART-156999.png

example of UART log (to be completed) at:

https://paste.debian.net/hidden/147f9804/ https://paste.debian.net/hidden/abc2e7e7/

s-off process

On windows 7:

  1. obtained the (right model that time) RUU exe for htc-pyramid, and restored it to manufacturer's default ROM :

RUUPYRAMIDLEICS35SHTCEurope3.33.401.153Radio11.76A.3504.00U11.24A.3504.31Mrelease281004_signed

[what is weird, that i looked here and here, that RUU -to restore's htc's oem default software- has been “commented” as on topic for HTC Sensation XE/4G. Here, device is from 2011/3G...]

Result is that one flashes well on the device, whom goes back to complete factory defaults.

To flash the RUU :

(requires that both htc's drivers are installed, plus adb/fastboot are present into the computer, and command lines executed from the adb/fastboot directory)

a. first save/backup your device

b. then reboot in fastboot mode

c. after, with device connected to computer in USB, do either :

c1: launch directly the RUU[..].exe from Windows 7

or

c2:
> fastboot flash oem.zip

the required files are stored on :

for fastboot flash zip, the oem zip is at :

https://archive.org/download/HTC-files/rom.zip

for the RUU exe for windows's htc wizard :

https://archive.org/download/HTC-files/RUU_PYRAMID_LE_ICS_35_S_HTC_Europe_3.33.401.153_Radio_11.76A.3504.00U_11.24A.3504.31_M_release_281004_signed.exe

for temproot + controlbear / s-off process, all files can be found at :

dont forget to enable the usb debug from android's developper menu, the process to unhide it is well known.

https://archive.org/download/HTC-files/htc-pyramid-sensation-allfiles-soff-temproot.7z

  1. applied the temp_root script

log of temproot at :

https://paste.debian.net/hidden/470bf608

  1. applied the controlbear to remove s-off : this step required to disassembly a bit the device (back cover with battery, removed), plus took ~4 hours of attempts

the “wire trick” is very hazardous and hard to do/follow/understand, and i do not wish to anybody to encounter this step. Worst ever than volte injection on android.

[then the device is s-off, i can't believe it]

Notice that controlbear's step requires absolutely to get a ready-to-be-formated microsd card inside the phone, or will never continue the process.

log of controlbear at :

https://paste.debian.net/hidden/fb6489c4

LK2ND

this device can run LK2ND by usb output, it doesnt brings screen output.

/!\ lk2nd can not run if the device is in s-on /!\

lk2nd's watchdog deactived is required to get lk2nd not rebooting

Adaptation of LK2ND to the htc-pyramid device :

/!\ please notice, the lk2nd could be accessed by usb, will not show up on the screen (on htc logo or hboot) /!\

/!\ lk2nd can not run if device is in S-ON, device in S-OFF mode needed for lk2nd /!\

for this part, various files can be downloaded from :

https://archive.org/download/HTC-files/htc-pyramid-lk2nd-files.zip

  1. copy those two lines :

/* Disable WDG0 */ writel(0, MSMWDT0EN);

into this file : /target/msm8660/init.c

at this place, as result looks like :

https://paste.debian.net/hidden/6f216878/

  1. then compile :

make TOOLCHAIN_PREFIX=arm-none-eabi- lk2nd-msm8660 DEBUG=2

then patch the lk2nd image, with the htc's boot one, to make it bootable :

python3 /pyramid-files/patch-boot-img.py /pyramid-files/htc-pyramid/boot_htc-pyramid.img /path/to/lk2nd/build-lk2nd-msm8660/lk.bin /tmp/lk2nd-patched.bin

patch-boot-img.py can be found both on the archive.org repository, plus as raw (plain text) at the following :

https://paste.debian.net/hidden/d268c92e/

  1. then attempt to boot, as device powered on in fastboot mode :

fastboot boot /tmp/lk2nd-patched.bin

fastboot getvar result :

https://paste.debian.net/hidden/d7c5d938/

  1. admire the output logs :

https://paste.debian.net/hidden/936a028b/

contact the author : @lm2@piaille.fr or @tkr@piaille.fr on mastodon (be patient)