
Do we really need S-OFF?

Lately there has been a lot of confusion about whether we - HTC users - really need S-OFF on our devices. I think it's time to make this case as clear as possible, and clear up any remaining doubts.

First of all, S-OFF stands for "Security OFF" and S-ON for "Security ON". It's a term specific to HTC devices (and refers to digital signature checking on the bootloader "hboot"). Retail devices always come with SHIP S-ON locked bootloaders. Hboot can also be found in an engineering version (ENG as opposed to SHIP), but it's not easy to get such a device.

You should also know the "fastboot" term: it is a diagnostic protocol used primarily to modify the flash filesystem via a USB connection from a host computer. After enabling the protocol on the device itself (entering "fastboot" mode from inside the bootloader), it will accept a specific set of commands sent to it via USB using a command line, for example "fastboot flash boot boot.img" or "fastboot erase cache".


What's the main difference between S-ON and S-OFF from the end-user point of view?


With S-OFF you can:

  • Flash in fastboot original parts of the firmware like: Trust Zone (tz.img), Resource Power Manager (rpm.img), Advanced Digital Signal Processor (adsp.img), bootloader (hboot.img), Radio Config Data (rcdata.img), Splash Screen and others, very often device specific firmware like Consumer IR (cir.img) for the television remote controller in HTC One.
  • Flash in fastboot custom parts of the firmware above, however I've never seen in my life anyone compiling custom rpm.img or tz.img. I've seen custom bootloaders and Splash Screens only. You can also flash modified radio.img but there is rarely anyone out there who does this.
  • Use more advanced fastboot commands, for example you can change the CID (Carrier ID) of your device or even MID (Model ID). And this one is the most important one in the context of this article.
  • Reset the Tampered flag, so your device does not show up as "Relocked" if you relock your bootloader.

For about 2 years you have been able to unlock bootloaders of selected HTC devices on the htcdev.com webpage. Unlocking your bootloader results in an "UNLOCKED" message in the bootloader screen, and allows you to use some of the fastboot commands. For example system, boot and recovery partitions are no longer locked and you can flash a custom boot or recovery onto your device. This doesn't mean S-OFF, but it does give you some more control over your device.

Sometimes there are differences specific to the SoC ("System on a Chip") of each device. Both HTC One X and One X+ (nVidia Tegra 3) have locked out the capability to flash the boot partition from inside recovery, even if your bootloader is unlocked. It is possible to flash the boot partition only via the "fastboot flash boot <boot image name>" command. On the newest HTC smartphone - HTC One (Qualcomm Snapdragon S600) you can use either fastboot or adb shell (dd if=/... of=/...) to write the boot partition.

Do we really need S-OFF?

No, we don't. So what do we need? Because we surely need something. But to understand what we need, it's important to realize where the problem is first.

First of all, comparing HTC devices with Nexus devices is a pointless activity. Never do that. Why? Because Nexus devices are all S-ON (they call it Secure Boot), and updates for Nexus devices contain the following (based on my experience with Samsung Galaxy Nexus):
  1. bootloader.img
  2. recovery.img
  3. GSM radio
  4. CDMA radio (in case of CDMA device)
That's all. On a Nexus device you can flash the original bootloader or radio using the "package_extract_file" command in the updater-script. When HTC releases a major update, however, you will get:
  1. adsp.img
  2. cir.img
  3. dzdata_16g.hdr
  4. dzdata_16g.img
  5. dzdata_32g.hdr
  6. dzdata_32g.img
  7. dzdata_64g.hdr
  8. dzdata_64g.img
  9. bootloader.img
  10. radio.img
  11. recovery.img
  12. rpm.img
  13. sbl1-1.img
  14. sbl1-2.img
  15. sbl1-3.img
  16. sbl2.img
  17. sbl3.img
  18. tp.img
  19. tz.img
  20. more...
See the difference? These firmware images (if updated) are stored inside firmware.zip inside the OTA update. And without S-OFF you can manually update (using fastboot commands or command shell) only recovery, boot, system and sometimes radio. Other partitions are locked and you can't update their firmware images any other way than with a signed firmware.zip.

Content of HTC OTA update

However, very often, flashing only the content of the system and boot partitions is not enough to have the device fully working. For example, in the HTC One X it was necessary to use the new bootloader together with the official HTC Jelly Bean update, otherwise your device wouldn't boot with an older bootloader. This is why flashing a custom ROM for an HTC device is nowhere near the same as flashing a custom ROM on a Nexus device. Apart from having the latest system files, you need to have the latest firmware.zip package flashed as well.

Because HTC sells their devices to different carriers around the world, they need to accept some requirements. For example carrier branding. Because of carrier branding, HTC has more than one version of the RUU (ROM Update Utility) for each device. To indicate the difference between the branded and un-branded versions of the same device, HTC used so-called "CID" numbers.

To find out your current CID number (together with some other useful info) you can use the "fastboot getvar all" command. Also, keep in mind that every OTA update checks CID/MID numbers before it will start to patch your system:




                         ifelse( is_ship_bootloader(getprop("ro.bootloader")) == "t" ,
                         assert(check_cid(getprop("ro.cid"), "00000000" , "11111111" ,
                         "22222222" , "33333333" , "44444444" , "55555555" , "66666666" ,
                         "77777777" , "88888888" , "99999999" , "HTC__001" , "HTC__E11" ,
                         "HTC__102" , "HTC__203" , "HTC__405" , "HTC__Y13" , "HTC__304" ,
                         "HTC__032" , "HTC__A07" , "HTC__J15" , "HTC__016") == "t"););
                         ifelse( is_ship_bootloader(getprop("ro.bootloader")) == "t" ,
                         assert(check_mid("full", "PN0710000") == "t");,
                         assert(check_mid("simple", "PN0710000") == "t"););

Obviously "check_cid" also includes SuperCIDs (00000000, 11111111, ...).
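
As an added illustration (not code from the original article or from HTC), the Python below parses the updater-script excerpt above and checks a device's CID and MID against it. The "fastboot getvar all" sample is constructed, and its key names (cidnum, modelid, security) and line layout are assumptions, as is treating any run of eight identical digits as a SuperCID.

```python
import re

# Edify excerpt copied from the updater-script shown in this article.
UPDATER_SCRIPT = '''
ifelse( is_ship_bootloader(getprop("ro.bootloader")) == "t" ,
assert(check_cid(getprop("ro.cid"), "00000000" , "11111111" ,
"22222222" , "33333333" , "44444444" , "55555555" , "66666666" ,
"77777777" , "88888888" , "99999999" , "HTC__001" , "HTC__E11" ,
"HTC__102" , "HTC__203" , "HTC__405" , "HTC__Y13" , "HTC__304" ,
"HTC__032" , "HTC__A07" , "HTC__J15" , "HTC__016") == "t"););
ifelse( is_ship_bootloader(getprop("ro.bootloader")) == "t" ,
assert(check_mid("full", "PN0710000") == "t");,
assert(check_mid("simple", "PN0710000") == "t"););
'''

# Constructed sample of `fastboot getvar all` output. The "(bootloader) key: value"
# layout and the key names are assumptions; ABCDE001 is a made-up carrier CID.
GETVAR_SAMPLE = '''
(bootloader) modelid: PN0710000
(bootloader) cidnum: ABCDE001
(bootloader) security: on
'''

def call_args(script, func):
    """Top-level argument lists of every func(...) call (balanced-paren scan)."""
    calls = []
    for m in re.finditer(re.escape(func) + r"\(", script):
        depth, quoted, arg, args = 1, False, "", []
        for ch in script[m.end():]:
            if ch == '"':
                quoted = not quoted
            elif not quoted and ch == "(":
                depth += 1
            elif not quoted and ch == ")":
                depth -= 1
                if depth == 0:
                    break
            elif not quoted and ch == "," and depth == 1:
                args.append(arg.strip())
                arg = ""
                continue
            arg += ch
        calls.append(args + [arg.strip()])
    return calls

def unquote(arg):
    """Return the text of a string literal, or None for any other expression."""
    return arg[1:-1] if len(arg) >= 2 and arg[0] == arg[-1] == '"' else None

def allowed_ids(script):
    """CIDs and MIDs the script asserts on (check_mid mode argument is ignored)."""
    cids = {unquote(a) for c in call_args(script, "check_cid") for a in c[1:]}
    mids = {unquote(c[1]) for c in call_args(script, "check_mid") if len(c) > 1}
    return cids - {None}, mids - {None}

def parse_getvar(text):
    """Parse 'key: value' lines, with or without the '(bootloader)' prefix."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*(?:\(bootloader\)\s*)?([\w-]+):\s*(\S+)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def is_supercid(cid):
    """Eight identical digits, following the article's 00000000, 11111111, ..."""
    return re.fullmatch(r"(\d)\1{7}", cid or "") is not None

def ota_precheck(script, getvar_text):
    """Report whether the OTA's CID/MID asserts would pass for this device."""
    cids, mids = allowed_ids(script)
    dev = parse_getvar(getvar_text)
    cid, mid = dev.get("cidnum"), dev.get("modelid")
    return {
        "cid": cid, "mid": mid,
        "cid_ok": cid in cids, "mid_ok": mid in mids,
        "supercid": is_supercid(cid),
        # Per the article, the CID cannot be rewritten while the device is S-ON.
        "blocked_by_s_on": cid not in cids and dev.get("security") == "on",
    }
```

With the constructed sample, the MID assert passes but the CID assert fails, which is exactly the situation the article describes for carrier-branded devices.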
Content of android-info.txt
It's all in updater-script, so it can be easily edited anyway. But the real problem is different. As mentioned already, every OTA update contains firmware.zip - a package with bootloader, radio, touch panel drivers, trust zone and other parts of important firmware. It also contains the "android-info.txt" file, where CIDs/MIDs are listed, so your S-ON bootloader won't let you flash an original firmware.zip if your CID number is not listed there. Yes, I'm not talking here about custom radio, bootloader or anything custom at all. Original, untouched firmware.zip from an OTA update can't be flashed onto the device if the CID number doesn't match. Is it a problem? Yes, this is the real problem we're dealing with here. Not S-ON/S-OFF, but CID restrictions and an inability to change the CID number.

How can this be resolved? "android-info.txt" is a plain text file, so it can be edited easily. If your CID number is not on the list, just add one more line with your CID. However, as long as your device is S-ON, you won't be able to flash it, because every firmware.zip is signed with a special key. Once firmware.zip is modified, the signature is broken and the bootloader will reject the request to update it. But there is a different method: you can change the CID number on your device with a fastboot command "fastboot oem writecid <cid number>". The best CID number to use is one of the WWE CIDs (for instance HTC__001). But wait - you can't use this particular fastboot command without S-OFF.

Is this problem a real one, or just some sort of users' ill-informed craving? It's very real, because without the ability to flash firmware.zip from a WWE OTA update, every user from any carrier or different world region is forced to wait months to receive OTA updates customized to his CID. Everyone can de-brand his device easily by flashing a stock system image, but it won't be enough, because firmware.zip with corresponding parts of the firmware is needed at the same time. This isn't about the OTA itself, it's about the firmware.zip inside that OTA update.

Dangers:

So what are the dangers of obtaining S-OFF on your device? Some of the partitions in the device are extremely sensitive and can result in your device being bricked if they are even slightly corrupted. With S-OFF you can access all of these partitions and the slightest corruption during transfer (whether that be a power spike or you jiggled the cable slightly) can result in a bricked device as it does not check for signatures.

Here’s an example which has almost happened to me once on an S-OFF device: I was flashing a boot.img via fastboot, the command is: "fastboot flash boot boot.img". However I had made a small but significant typo: "fastboot flash hboot boot.img", simply by mis-hitting the B key; this command would be rejected by a device with S-ON as it is a protected partition, but would be accepted on a device with S-OFF. If I had pressed enter without checking the command, my device would have turned into a paperweight in seconds.

One of the most popular protected partitions the hacking community enjoys flashing is the radio partition. This is also a partition where the slightest corruption will cause your phone to brick. The FCC guidelines state that the radio must be booted with a separate processor (I guess to decrease the risk of it being tampered with), so what happens in a phone when it turns on is: radio is booted via a dedicated processor by the first stage loader, initialising the radio hardware (Wifi, Data, Bluetooth, etc.). Radio successfully boots and initiates the first stage loader to use the main CPU to load the second stage loader into RAM (also known as the SPL). Depending on the boot operation, it will either initiate the system or recovery. So without a functioning radio, the main CPU will not kick on and boot the phone.
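
The mistyped command described above can be caught on the host before it is sent. The following added example (not part of the original article) reviews a "fastboot flash" command line; the set of partitions writable with S-ON is taken from this article, while the review_flash helper and the rule that an image file name should start with its partition name are assumptions made for the example.

```python
import hashlib
import os
import re
import shlex

# Partitions this article lists as flashable on an unlocked S-ON device.
S_ON_WRITABLE = {"recovery", "boot", "system", "radio"}

def review_flash(command, expected_sha256=None):
    """Return reasons not to run a `fastboot flash <partition> <image>` command.

    An empty list means no objection was found. expected_sha256, if given,
    is compared with the digest of the image file on the host.
    """
    argv = shlex.split(command)
    if argv[:2] != ["fastboot", "flash"] or len(argv) != 4:
        return ["not a 'fastboot flash <partition> <image>' command"]
    partition, image = argv[2], argv[3]
    problems = []

    # S-ON would reject this write; S-OFF accepts it without checking.
    if partition not in S_ON_WRITABLE:
        problems.append(
            f"'{partition}' is a protected partition: rejected with S-ON, "
            "accepted with S-OFF")

    # Assumed naming rule: boot.img or boot_v2.img belong to 'boot', not 'hboot'.
    stem = os.path.splitext(os.path.basename(image))[0]
    if not re.match(re.escape(partition) + r"(?![A-Za-z0-9])", stem):
        problems.append(f"image '{image}' does not match partition '{partition}'")

    # Catches a truncated or wrong file on the host before it reaches the device.
    if expected_sha256 is not None:
        try:
            with open(image, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
        except OSError as exc:
            problems.append(f"cannot read image: {exc}")
        else:
            if digest != expected_sha256.lower():
                problems.append("image digest differs from the expected SHA-256")
    return problems
```

The digest check only covers the file on the host; it does not detect corruption on the USB link, which is why the signature check that S-ON enforces on the device still matters.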

Some other facts:
  1. You don't need S-OFF to root your device.
  2. You don't need S-OFF to be able to run Titanium Backup or other applications that require root access. You just need root privileges for that.
  3. You don't need S-OFF to flash a custom recovery image onto your device.
To summarize:

We don't need S-OFF, but we do need the ability to edit the CID number on the device (let's say at least on officially UNLOCKED devices), or the firmware.zip packages inside an OTA update should not be signed, so that "android-info.txt" can be easily edited, or the CID restrictions from android-info.txt should be removed (MID is enough to ensure that the right firmware gets to the right devices).

Something to re-think?

Even if we don't need S-OFF I'm quite worried about the policies of mobile companies and carriers. Their philosophy is "the more you are locked down, the more you are protected". That means Police should not fight with criminals, but everyone should just lock down their doors, windows and stay at home instead. It's far easier and cheaper to lock down mobile devices and not allow root access rather than improving the security in other areas.

Can you imagine that you just bought a brand new notebook for $3000 and:
  • you can log in only as a Guest (no Administrator account available by default),
  • you can't change your operating system,
  • you can't use applications that require Administrator privileges,
  • you can't freely browse the content of your hard drive.
You would say "Where the hell is my freedom?!" Here comes the answer from your notebook manufacturer - "For your own security, you don't have any freedom". Sounds like a George Orwell story to me.

I want the same freedom on my phone that I have on my PC.


This article was written in cooperation with Shen Ye




PS. I want to thank Tom Kelsall, my HTC Elevate companion, for his help in a proper grammar redaction of the review! Thanks Tom!

Removable battery: do we really need it?

With every release of a new smartphone the same question is asked - will it have a removable battery? If you believe that removable batteries are a "must have" nowadays, please keep reading. I hope you'll change your mind!

First of all - there is a solution. Battery banks seem to be a great alternative to removable batteries. You can check my review of HTC Battery Bank here. It works with every device equipped with a micro-USB port. Now let's compare both solutions.

Capacity
Samsung Galaxy S3 has a removable battery with a capacity of 2100mAh. A typical battery bank has a capacity of 6000mAh. This means that the Galaxy S3 can be charged almost 3 times with such a battery bank! If you are going to use your smartphone heavily the whole day, only one backup battery might not be enough for you. With a battery bank you can start your day with more than 8000mAh on board (battery inside device + battery bank).

Conclusion: 2300mAh vs. 6000mAh
Winner: battery bank


Size
Typical smartphone battery dimensions are around 6,3 x 5,0 x 0,5. The battery bank I tested is of course bigger - 9,7 x 4,2 x 2,2. Is it really a disadvantage? I don't think so. It's small enough to be inserted into a pocket of your jeans or jacket. I think there are even smaller battery banks available on the market, so the size shouldn't be a problem here. Also, removable batteries are indeed smaller, but keep in mind their capacity is two to three times lower.

Conclusion: 6,3 x 5,0 x 0,5 vs 9,7 x 4,2 x 2,2
Winner: removable battery

Charging
A battery bank can be charged regardless of the device battery. It has its own USB cable and charging port, so you can charge both devices - smartphone and battery bank - at the same time. What about removable batteries? Well, if you don't have a removable battery charger (which costs extra money of course!) you will have to charge the battery inside your device first, then switch batteries and charge the backup battery. The risk of breaking battery cover latches is quite big, especially when it comes to plastic, which has its own lifetime and bending abilities. It seems that a battery bank in this case is much more convenient and comfortable.

Conclusion: charging inside the device vs. independent charging
Winner: battery bank

Price
Original backup battery price is about $30. Yes, I know you can find non-original replacements for $10 as well, but let's compare only original parts. A typical battery bank costs around $40 - $80 ($75 for HTC Battery Bank). However these prices vary from place to place and may be slightly different in your country, keep that in mind. Comparing 1:1 it's easy to see that external batteries are indeed cheaper. But to make the comparison fair, we need to establish the price/capacity relationship. 1mAh from a 2300mAh backup battery ($30) costs about $0,0130, while 1mAh from a 6000mAh battery bank ($75) costs about $0,0125.

Conclusion: $0,0130 vs. $0,0125
Winner: battery bank

Design
When speaking about the design I mostly think about device design. However, battery banks definitely look better and more aesthetic than regular removable batteries. Having a removable battery back cover doesn't allow uni-body construction, like the HTC One has. Design is a matter of taste, but personally I prefer uni-body construction over having a plastic back cover. But again - it's a matter of taste, so no winner here.

Conclusion: plastic back cover vs. uni-body construction
Winner: draw

Usability
Practical approach is also important. Driving a car or sitting in a crowded bus might be a situation when your device is out of power. Now imagine you need to: 1) take out your battery backup, 2) turn off the device, 3) remove the back cover, 4) replace the battery, 5) close the back cover, 6) turn on the device, 7) hide your primary battery. So... 7 steps including the inevitability of turning off the device. With a battery bank you just need to take it out and plug it into the device. That's it. No need to turn on/off or disassemble your device. Keep in mind that a battery bank doesn't work only as an external battery, it is mainly a battery charger, so after some time you can hide it back.

Conclusion: 7 steps to change battery vs. take out and plug in
Winner: battery bank

Compatibility
External batteries are not compatible between devices. You can't use a Samsung Galaxy Note II battery in a Samsung Galaxy S3. You can't use an HTC Sensation battery in an HTC One S. If you buy a backup battery for your particular device, you'll probably sell it together with the device or give it as a free bonus one day. A battery bank is compatible with every device equipped with a micro-USB port and can be your life-companion for years. However, you should be aware that a battery bank might not be able to charge your tablet.

Conclusion: lack of compatibility with other devices vs. compatibility with all micro-USB smartphones
Winner: battery bank

Device lifetime (added 23-03-2013)
Due to many comments under this article I decided to agree with one point that was very often mentioned by users preferring a removable battery. However, I think it needs some bigger explanation. It is a fact that having a non-removable battery results in a lack of possibility to exchange it for a new one, once the old battery can't give your device enough power anymore. But is it really a problem? I took the warranty statements from my HTC One X+ and I found nothing about limited warranty for the battery (like Samsung has - only 6 months). This means that once the battery is non-removable, it doesn't have a shorter warranty. So in my case the battery is under 24-months warranty service. I think that is a positive aspect for the consumer, right? In some cases it might be also 12-months, but it depends on particular law regulations in each country.

Conclusion: removable battery with 6-months warranty vs. non-removable battery with 12/24-months warranty - both solutions have some advantages
Winner: draw

Possibility to reset the device (added 25-03-2013)
One more category added. Very often I hear that the possibility to remove the battery is the only way to reset the device once it's not reacting anymore and the system has just hung. This is not true. Every device has the ability to reset the system using hardware keys. In most cases it's a combination of 3 buttons: power + volume up + volume down. You need to hold these buttons for about 5-20 seconds, depending on the device. Even if your device has a removable battery, it is better to use the above combination to avoid breaking the plastic back cover latches.

Conclusion: you can reset your device no matter if it has removable battery or not
Winner: draw


So what's the score? Battery bank won in 5 comparisons, external battery in 1 comparison and there were also 3 draws. For me, personally, battery banks are a better replacement for external batteries. It gives you bigger capacity for the same price, extended usability and it looks better.


Cameras in Phones: what do we really need?

An awful lot is being said about mobile phone cameras just lately; and we have HTC to thank for opening the conversation with the introduction of their HTC One which has half as many pixels at twice the size of anyone else's. Before we begin I'm going to get some ground rules. I won't use marketing terms; so I will talk about how many pixels a camera sensor has, and what size they are. You won't hear me talking about mega- or ultra- anything. Next is that I will show my meaning with diagrams - I'm a visual person and it helps me to explain. Please bear with me on this post; there's a lot to read but it's worth it at the end.

A digital camera uses a lens to focus an image onto an oblong of special material which has a number of sensors on it; each sensor is called a pixel and usually contains three sub-pixels; a red, a blue (actually two blues but don't worry about that) and a green one. Each of these sends a signal to the camera depending how much light of that colour is falling onto it. Bigger pixels produce a bigger signal for the same amount of light than smaller ones. When signals are small, the amount of noise (erroneous signal levels produced simply by electrons moving around) is a bigger percentage of the whole signal because noise is a constant backdrop. When the signals are bigger, therefore, it's easier to pick out the signal from the noise. More noise means that the signal produced by a smaller pixel is less accurate, which means the final photo may not have exactly the same colour from each pixel receiving the same light.

Camera sensors line up their pixels in rows and columns - and the camera's rating is often quoted by counting them. For instance a 10MP camera contains ten million pixels (roughly). These are arranged in a rectangular grid with a side length ratio of 16:9 - so that's 4213 pixels across and 2370 pixels high. If you have a sensor which is 7mm across, each pixel is 7/4213=1.662 microns across (microns = thousandths of a millimetre).

In the real world, standard sensor sizes and pixel sizes exist; a 13 million pixel camera in a phone will have pixels about 1.1 microns across; this gives a sensor width of about 4.55mm (there are 4128 pixels across the image). In the HTC One, the best photos are 2688 pixels across, and the pixels are 2 microns across giving a sensor width of about 5.4mm.
Figure 1 - 4 million large pixels

Figure 2 - 8 million (smaller) pixels on same size sensor
Now we can start looking at construction. Take a look at Figure 1. This shows a camera with large pixels - the lens is focussing the image onto an area exactly the same size as the sensor. In Figure 2, we gave the camera more pixels (which really does give more detail in the image but at the expense of noise and grain - and also less sensitivity at low light levels). Of course; straight away you want more, BIGGER pixels. Figure 3 shows that if you make that happen, the image doesn't cover the whole sensor; the light falls on a little bit of it. So - in Figure 4 we move the sensor further away to ensure the image covers all the pixels.
Figure 3 - 8 million large pixels with no other changes

Figure 4 - Sensor moved away, but the lens size is unchanged.
However; the same amount of light, entering the lens, is now spread over a wider area: this dims the light hitting each individual pixel, which reduces the signal output and increases the noise. The only way to change this is to make the lens bigger - the aperture wider - so that more light gets in. This is shown finally in Figure 5.
Figure 5 - all required changes incorporated.
So - how far back do we have to move the lens? Simple trig shows us the answer. Imagine the "field of view" of the lens is about 60° (not unreasonable): the light coming in from the left and right cross over in the centre of the lens and make a triangle with the sensor as the base... an equilateral triangle is formed with all angles at 60° and all sides the same length (let's call it 5.4mm to stick with the HTC One's sensor size). So the lens must be 2.7mm away from the sensor. If we now make the sensor an 8MP one (3800x2140 pixels) that gives a width of 7.6mm - the lens still has a viewing angle of 60° so that means the sensor has to be 3.8mm away from the lens. Obviously I have used 60° as the lens viewing angle because it makes the angles, sines and side lengths easy to calculate - the numbers are probably quite different in real life but you get the idea: to get double the megapixels you have to move the sensor further from the lens, which means you need a bigger lens to gather the light needed to adequately illuminate it. Lenses very rapidly increase in price with size - a lens 4mm across instead of 2mm might cost three or four times as much. (BTW - the large circular opening on the back of the phone is NOT the lens; the lens is the tiny dark speck in the centre of it).

In practical terms for a smartphone? This means that, to get an 8 million pixel camera, with pixels 2 microns across, your phone would need to be about 16-18mm thick (at least at the camera's location); and the phone would cost upwards of US$1000 - possibly even more - JUST because of the lens.

This isn't something which can be corrected with better design, or better lenses; the only way to mitigate this increase in size and cost would be to make smaller pixels which had the properties of larger ones - and that, my friends, is the nirvana of a pixel scientist! The very best technology available is going into these phones - and with today's tech we're stuck with these limitations. In another article I'll talk about why I believe 4MP at 2 microns across is enough.


This article is also to be found on its author's personal blog.
