Extended ROM customization - JAM, MDA Compact, S100 Software Upgrading

Hi,
I'm trying to customize my extended ROM before applying it to my Magician. I've downloaded the latest WWE ROM from the FTP site, and extracted all files to a temp folder. I then used xda3nbftool -t -x ms_.nbf to decrypt the ExtRom file. After that, I used a HEX editor to cut the first 128 bytes and generate a "main" part to try and open it in WinImage, but so far without success (I'm using ITSME's procedure).
Can someone help me find out what I'm doing wrong?
Many thanks.

megalore said:
Hi,
I then used xda3nbftool -t -x ms_.nbf to decrypt the ExtRom file.
Can someone help me trying to find out what i'm doing wrong?
The most recent versions of the updates are in a different format:
check here...

Ok, thanks.
I've tried with the perl script you mentioned, but I can't seem to get a readable file in WinImage. I used the following command line:
decode.pl ms_.nbf -f 0xEBFE904D
However, the header (.hdr) is perfectly readable in hexedit, so i assume the "encryption" key is correct.
Am I doing something wrong? :roll:

megalore said:
Ok, thanks.
However, the header (.hdr) is perfectly readable in hexedit, so i assume the "encryption" key is correct.
That's because the header is not XOR "encrypted".
Try with: decode.pl ms_.nbf -f 0x4D90FEEB

not a developer
Hi, I am not a developer and I got to the point where I have the decode.pl from the link in wiki.xda-developers.com... I don't know if that is correct so far, but I don't know how to get this a) from my computer onto the phone and b) if I can then change the Windows language from German to English!?

Hi iDG,
Thanks for your reply. I've tried with the key you sent, but still can't mount the FAT16 part in WinImage.
Where do you get those keys? Are they extracted from the encoded file, and from what position?
Thanks.

megalore said:
Hi iDG,
Thanks for your reply. I've tried with the key you sent, but still can't mount the FAT16 part in WinImage. Where do you get those keys? Are they extracted from the encoded file, and from what position?
The "key" is the first dword of the unencrypted file. It can be obtained from a SD dump. The value seem to be constant (I've tried several versions).
Can you tell me what version are you trying to decode, so I can do the same here to see what happens?

I'm using WWE_11200_550_11200 from shipped_ROMS on XDA ftp site.

megalore said:
I'm using WWE_11200_550_11200 from shipped_ROMS on XDA ftp site.
Works fine here. That's the hexdump of the beginning of the DECODED file:
Code:
00000000 eb fe 90 4d 53 57 49 4e 34 2e 31 00 02 04 01 00 |...MSWIN4.1.....|
00000010 01 00 02 00 98 f8 26 00 26 00 01 00 00 00 00 00 |......&.&.......|
00000020 00 00 00 00 80 00 29 2d 00 f1 07 20 20 20 20 20 |......)-...     |
00000030 20 20 20 20 20 20 46 41 54 31 36 20 20 20 00 00 |      FAT16   ..|
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000001b0 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 |................|
000001c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000001f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa |..............U.|
00000200 f8 ff ff ff 03 00 04 00 05 00 06 00 07 00 08 00 |................|
00000210 ff ff 0a 00 0b 00 ff ff 0d 00 0e 00 ff ff ff ff |................|
00000220 11 00 12 00 13 00 14 00 15 00 16 00 17 00 18 00 |................|
00000230 19 00 1a 00 1b 00 1c 00 1d 00 1e 00 1f 00 20 00 |.............. .|
00000240 21 00 22 00 23 00 24 00 25 00 26 00 27 00 28 00 |!.".#.$.%.&.'.(.|
00000250 29 00 2a 00 2b 00 2c 00 2d 00 2e 00 2f 00 30 00 |).*.+.,.-.../.0.|
00000260 31 00 32 00 33 00 34 00 35 00 36 00 37 00 38 00 |1.2.3.4.5.6.7.8.|
00000270 39 00 3a 00 3b 00 3c 00 3d 00 3e 00 3f 00 40 00 |9.:.;.<.=.>.?.@.|
00000280 41 00 42 00 43 00 44 00 45 00 46 00 47 00 48 00 |A.B.C.D.E.F.G.H.|
00000290 49 00 4a 00 4b 00 4c 00 4d 00 4e 00 4f 00 50 00 |I.J.K.L.M.N.O.P.|
Check with the results on your side, to see if there's something wrong with the perl script...

Yes, that's what I get too. But WinImage shows no files inside it. I don't think it's a WinImage problem, because if I use alpine_ext_rom_tool (yes, it works!) from the Alpine forum, I get a similar decoded file which opens right away in WinImage. If only the encoding part worked fine...

megalore said:
Yes, that's what I get too. But WinImage shows no files inside it. I don't think it's a WinImage problem, because if I use alpine_ext_rom_tool (yes, it works!) from the Alpine forum, I get a similar decoded file which opens right away in WinImage. If only the encoding part worked fine...
I've checked all the fields in the boot sector and everything matches correctly. The decoded file is a perfectly valid FAT16 volume. The only quirk I can find is that the boot sector declares the disk to be 0x9800 blocks long whereas the file is actually 0xa000 blocks long.
The space for the Ext_ROM in the flash is really 0x9800 blocks long.
You could try to cut the file to be 0x1300000 bytes long to see if WinImage likes it.
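A worked check of what iDG describes above, added here as an example and not code from the thread, from itsme's decode.pl or from xda3nbftool: it models the "encryption" as a single repeating 32-bit XOR key (an assumption standing in for whatever decode.pl actually does), recovers that key from the predictable first dword of a FAT16 boot sector (eb fe 90 4d, i.e. 0x4D90FEEB little-endian, the value given earlier in the thread), and then parses the BIOS Parameter Block from the posted hexdump to confirm the geometry and the 0x9800-block versus 0xa000-block mismatch. The key 0x5A3C9E71 and the 0xA000-block image length are constructed test inputs.

```python
"""Added example: recover a fixed 32-bit XOR 'key' from the known first dword of a
FAT16 boot sector, then parse and sanity-check the BIOS Parameter Block.
The XOR layer is a model of what the thread describes (a single dword key), NOT
decode.pl's or xda3nbftool's code."""
import struct

# First 64 bytes of the decoded boot sector exactly as posted in the thread.
POSTED_BOOT_SECTOR_HEAD = bytes.fromhex(
    "eb fe 90 4d 53 57 49 4e 34 2e 31 00 02 04 01 00 "
    "01 00 02 00 98 f8 26 00 26 00 01 00 00 00 00 00 "
    "00 00 00 00 80 00 29 2d 00 f1 07 20 20 20 20 20 "
    "20 20 20 20 20 20 46 41 54 31 36 20 20 20 00 00 "
)

# 'eb fe 90 4d' read as a little-endian dword: the "key" value iDG gave.
KNOWN_FIRST_DWORD = 0x4D90FEEB


def build_boot_sector() -> bytes:
    """Reconstruct the 512-byte sector: posted head, zero fill, 0x55AA signature."""
    sector = bytearray(512)
    sector[: len(POSTED_BOOT_SECTOR_HEAD)] = POSTED_BOOT_SECTOR_HEAD
    sector[0x1BC:0x1C0] = bytes.fromhex("01 00 00 00")  # as in the posted 0x1b0 line
    sector[0x1FE:0x200] = b"\x55\xaa"
    return bytes(sector)


def xor_with_dword(data: bytes, key: int) -> bytes:
    """Repeating 4-byte XOR (assumed scheme); the same call encrypts and decrypts."""
    ks = struct.pack("<I", key)
    return bytes(b ^ ks[i & 3] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_plain_dword: int) -> int:
    """Known plaintext: key = first ciphertext dword XOR known first plaintext dword."""
    (ct0,) = struct.unpack_from("<I", ciphertext, 0)
    return ct0 ^ known_plain_dword


def parse_bpb(sector: bytes) -> dict:
    """Decode the FAT12/16 BPB fields the boot-sector check relies on."""
    if len(sector) < 512 or sector[0x1FE:0x200] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not a decoded boot sector")
    (bps, spc, reserved, nfats, root_entries,
     total16, _media, spf) = struct.unpack_from("<HBHBHHBH", sector, 0x0B)
    (total32,) = struct.unpack_from("<I", sector, 0x20)
    return {
        "oem_name": sector[3:11].decode("ascii", "replace").rstrip(),
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "reserved_sectors": reserved,
        "num_fats": nfats,
        "root_entries": root_entries,
        "sectors_per_fat": spf,
        "total_sectors": total16 or total32,
        "label": sector[0x2B:0x36].decode("ascii", "replace").rstrip(),
        "fs_type": sector[0x36:0x3E].decode("ascii", "replace").rstrip(),
    }


def check_fat16(bpb: dict, image_len: int) -> dict:
    """Cross-check the geometry and compare the declared volume with the file size."""
    bps = bpb["bytes_per_sector"]
    root_dir_sectors = (bpb["root_entries"] * 32 + bps - 1) // bps
    data_sectors = (bpb["total_sectors"] - bpb["reserved_sectors"]
                    - bpb["num_fats"] * bpb["sectors_per_fat"] - root_dir_sectors)
    clusters = data_sectors // bpb["sectors_per_cluster"]
    fat_sectors_needed = ((clusters + 2) * 2 + bps - 1) // bps  # FAT16: 2 bytes per entry
    volume_bytes = bpb["total_sectors"] * bps
    return {
        **bpb,
        "cluster_count": clusters,
        "is_fat16_range": 4085 <= clusters < 65525,
        "fat_sectors_ok": bpb["sectors_per_fat"] >= fat_sectors_needed,
        "volume_bytes": volume_bytes,
        "trailing_bytes": image_len - volume_bytes,  # > 0: data past the declared volume
    }


def demo(key: int = 0x5A3C9E71, image_blocks: int = 0xA000) -> dict:
    """Constructed scenario: the posted boot sector XOR-encrypted with an arbitrary
    key, sitting at the front of a 0xA000-block image as described in the thread."""
    encrypted = xor_with_dword(build_boot_sector(), key)
    recovered = recover_key(encrypted, KNOWN_FIRST_DWORD)
    decoded = xor_with_dword(encrypted, recovered)
    report = check_fat16(parse_bpb(decoded), image_blocks * 512)
    report["recovered_key"] = recovered
    return report


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>20}: {v}")
```

The defensive point is the one the thread stumbled on: a fixed XOR key gives no confidentiality when the first bytes of the plaintext are a known format header, and a boot-sector consistency check (cluster count in the FAT16 range, FAT large enough for the clusters, declared volume versus file size) is the quickest way to tell a decode problem from an image-trailer problem. With the posted values the report shows 0x9800 sectors, a 0x1300000-byte volume and 0x100000 trailing bytes.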

megalore,
if you know the checksum generation for the Magician ext_roms then I'd be quite happy to generate a tool similar to the Alpine tool - most of the code will be the same.
Although I thought the Magician ext ROMs could be decoded/encoded using itsme's tool?
Bal

Guys,
if it's anything like the Alpine ext ROMs, then the last part consists of two splash screens (nb format).
Hope that helps.

The Ext_ROM image on the magician only contains the actual FAT16 filesystem. The boot splash image is in a separate space in the flash.
The only tool I know of is the xda3nbf which does not work with the newer (base64-like) rom headers.
The checksum algorithm is, as far as I can tell, unknown.

HI IDG,
hmmmm, that's interesting - maybe I'm confused .... but
If you take the ms_.nbf file from MA_DT_WWE_DutchRetail_11200_550_11200_Ship.exe and extract the header and fat16 image (well what I think is the fat16 part).
Then I end up with a FAT16 image of size 20,709,376 bytes. If from this I extract 0x1300000 - 0x137FFFF and 0x1380000 - 0x13BFFFF and load these into nb_image_converter_859_418.exe as nb files ....
The first is a blank white image and the second is a "Qtek Keep the world in one" cityscape ....
Perhaps the tool you guys use to extract the fat16 image drops this part?

bal666 said:
hmmmm, that's interesting - maybe I'm confused .... but
If you take the ms_.nbf file from MA_DT_WWE_DutchRetail_11200_550_11200_Ship.exe and extract the header and fat16 image (well what I think is the fat16 part).
Then I end up with a FAT16 image of size 20,709,376 bytes. If from this I extract 0x1300000 - 0x137FFFF and 0x1380000 - 0x13BFFFF and load these into nb_image_converter_859_418.exe as nb files ....
Yep, you're right!
I've never noticed that, but the same thing happens for every ms_.nba I have. When I first examined the FAT16 part, I did notice the extra data, but 0xff being the content of erased flash memory, I didn't bother to check further. This makes sense, because the bootsplash image is in fact right after the Ext_ROM, inside the flash.
I've never removed the "excess" data from the ms_.nba because MacOSX does not seem to care. Maybe WinImage does.

Magician ext rom tool
Hi iDG,
yeah, weird isn't it? I've just recently noticed it myself - so I will start extracting it out separately.
Anyway, Megalore ...
I've attached a tool for the magician similar to the alpine version which allows you to decode and encode extended roms.
It's a bit of a hack at the moment - you'll find some of the messages still talk about the Alpine, but the mechanics should be fine (I should have a disclaimer about how it could destroy your machine here ... but I'm sure you've already considered that!!!).
For instructions on usage, see the alpine post http://forum.xda-developers.com/viewtopic.php?t=31106&sid=e011e42bce14ded5bf594c1c0484b1bc
Have fun!
PS This retains the splash screens, but "Extra Drive Creator Pro" ignores them ... not sure about winimage - but I'll add that functionality if you have problems.

Thanks bal666!!
Don't worry about the disclaimer, I think we all know the risks, otherwise we wouldn't be here in this forum...
I'll give it a try as soon as I can, and let you know how it turns out.

Thanks guys!
It worked flawlessly. I can now customize my Magician ExtROM without any hassles.
Great Work!!!

Hi Megalore,
that's good news! I'm glad it worked - I'll try to fix the "alpine" messages when I have a chance.
Have fun
Bal


mission impossible - editing nk.exe

cross posting from universal upgrading ... can someone kill the other thread?
Can someone assist me in changing the nk.exe in a way that allows me to change the device ID from PU10 to HERM100?
I succeeded in hex-editing the hk.nba from PU10 to HERM, with the confirmation that GetDeviceData recognizes it as HERM
http://wiki.xda-developers.com/index...=GetDeviceData
There are 2 places in the nk.nba where the device type is found:
00007074h: 48 00 45 00 52 00 4D ; H.E.R.M
00316c74h: 48 00 45 00 52 00 4D ; H.E.R.M
I need to get H.E.R.M.1.0.0 instead (6 bytes to insert)
00007050h: 2C 00 25 00 64 00 2C 00 20 00 4E 00 61 00 6D 00 ; ,.%.d.,. .N.a.m.
00007060h: 65 00 20 00 69 00 73 00 20 00 25 00 73 00 0D 00 ; e. .i.s. .%.s...
00007070h: 0A 00 00 00 48 00 45 00 52 00 4D 00 00 00 00 00 ; ....H.E.R.M.....
00007080h: 4F 45 4D 47 65 74 43 50 4C 44 5F 47 50 49 4F 28 ; OEMGetCPLD_GPIO(
After dumping the ROM including the boot XIP, I found that the nk.exe contains this data.
The reason to do it is to "help" BBConnect to recognize it as a Hermes.
Can anyone assist me?
Hi,
Just a thought - wouldn't it be easier to patch BB Connect to recognise the PU10? I would have thought it tricky to "insert" any bytes and for nk.exe to still work, but shortening a string in a file might work by either terminating the shorter string with a 00 null byte, leaving its full length intact, or, if it's got a preceding length attribute, simply amending that to the shorter value, i.e. from 7 to 4?
Cheers,
Steve.

[UPG][12.04.07]Free HTC Touch Unlocking. Simple. As promised[ONLINE]

Hi Friends,
Sincere apologies for not being able to reply to your posts & PMs as I have been keeping very busy for the past 3 months.
Since I was on my 1-week vacation, I thought of working on your problems, and have come up with the updated version of this tool. Hope it resolves all your issues.
You will not get any annoying pop-ups with this tool now, only the one that has your unlock code...
Steps :
1. Copy 'Cert_SPCS.cab' to your phone & install (run) it.
2. Copy 'EnableRapi.cab' to your phone & install (run) it.
3. Establish an ActiveSync connection with your phone.
4. Unzip the zip file & run 'Unlock_Touch.exe' on your PC. (New Unlocker)
5. The file 'unlock_code.txt' thus generated will have your unlock code (eight-digit number). Ignore any other digits if generated.
I HAVE BROKEN THE LCD OF MY HTC TOUCH SO HAVE COME DOWN TO MY NOKIA 6600. INCONVENIENCE, IF ANY, IS REGRETTED.
Cheers,
rishi2504.
You could sponsor me a beer( LCD Screen for my broken Touch) by donating to my Paypal ID - [email protected], if you like this solution...
Great. Thanks for sharing, especially coming from the author himself.
Doesn't work
MEBSY said:
Doesn't work
... why? ...
Do you also have a solution for the Herald? Also CID unlocking?
Congrats rishi2504!
Just a few comments about your unlocker:
1) Unlocker needs itsutils.dll and pdocread.exe in folder c:\unlocker otherwise it doesn't work
2) device needs to be RAPI unlocked first
3) unlocker reads 8 bytes starting at offset 0xfc of BK1C, this will work on most touch devices, but not on all, see example output:
Here it will work:
Code:
000000d0 33 37 32 33 30 30 34 30 34 00 00 00 33 35 35 31 |372300404...3551|
000000e0 31 31 31 31 31 31 31 31 31 31 31 00 00 00 00 00 |11111111111.....|
000000f0 00 00 00 00 00 00 00 00 00 00 00 00 37 32 31 32 |............7212|
00000100 36 31 33 32 00 00 00 00 00 00 00 00 32 34 00 00 |6132........24..|
00000110 00 00 00 00 00 00 00 00 00 00 00 00 30 30 31 30 |............0010|
Here it will not work, the unlock code is at a different offset:
Code:
000000d0 00 00 00 00 34 30 42 46 42 37 32 34 30 35 35 35 |....40BFB7240555|
000000e0 36 00 00 00 33 35 35 30 30 30 30 30 30 30 30 30 |6...355000000000|
000000f0 30 30 30 00 00 00 00 0f 00 00 00 00 00 00 00 00 |000.............|
00000100 00 00 00 00 34 30 35 34 31 37 31 34 00 00 00 00 |....40541714....|
00000110 00 00 00 00 32 34 00 00 00 00 00 00 00 00 00 00 |....24..........|
To fix this I suggest dumping 20 bytes starting at offset 0xf8
pof said:
Congrats rishi2504!
Just a few comments about your unlocker:
1) Unlocker needs itsutils.dll and pdocread.exe in folder c:\unlocker otherwise it doesn't work
It shouldn't really happen coz I have attached these two with the utility... lemme check that...
2) device needs to be RAPI unlocked first
Correct...I forgot to mention about that....
3) unlocker reads 8 bytes starting at offset 0xfc of BK1C, this will work on most touch devices, but not on all, see example output:
Here it will work:
Code:
000000d0 33 37 32 33 30 30 34 30 34 00 00 00 33 35 35 31 |372300404...3551|
000000e0 31 31 31 31 31 31 31 31 31 31 31 00 00 00 00 00 |11111111111.....|
000000f0 00 00 00 00 00 00 00 00 00 00 00 00 37 32 31 32 |............7212|
00000100 36 31 33 32 00 00 00 00 00 00 00 00 32 34 00 00 |6132........24..|
00000110 00 00 00 00 00 00 00 00 00 00 00 00 30 30 31 30 |............0010|
Here it will not work, the unlock code is at a different offset:
Code:
000000d0 00 00 00 00 34 30 42 46 42 37 32 34 30 35 35 35 |....40BFB7240555|
000000e0 36 00 00 00 33 35 35 30 30 30 30 30 30 30 30 30 |6...355000000000|
000000f0 30 30 30 00 00 00 00 0f 00 00 00 00 00 00 00 00 |000.............|
00000100 00 00 00 00 34 30 35 34 31 37 31 34 00 00 00 00 |....40541714....|
00000110 00 00 00 00 32 34 00 00 00 00 00 00 00 00 00 00 |....24..........|
To fix this I suggest dumping 20 bytes starting at offset 0xf8
Correct again... but I tested it on the Indian ones, and found no reason why it shouldn't work on other versions... thanks for the suggestion... appreciated...!! This forum thrives on experts like you!!
Will update the instructions and post the updated unlocker..
cheers,
rishi2504
Update : Corrected version is posted now along with RAPI Unlocking files.
I am going to give it a try
After putting itsutils.dll in the windows (mobile) dir and pdocread.exe in the C:/unlocker folder it worked just fine
http://wiki.xda-developers.com/index.php?pagename=XdaUtils
Thanks Thanks Thanks
Special thanks to rishi2504 and pof
Works perfect on my MDA Touch
Thanks a lot...
Worked fine for me. Cheers.
Thanks, finally using my Vodafone simcard on my MDA Touch
worked like a freeking charm!
if I were gay (or you a woman) I'd give you a thousand kisses!
hey rishi.. you're my hero
I followed the instructions but the notepad generated contains nothing...
just a blank file.... I have the itsutils.dll file needed and the pdocread.exe..
What do you think is wrong?.... I don't know what network it is locked to....
any suggestions???
I am getting an error message as follows
"Application created with unregistered version of Quick Batch File Compiler."
The note pad generated is blank.
please help
rgds
SS
Same here with Orange FR as network... Any ideas?
Hey Rishi. I guess I am in a fix now. The notepad file created named code contains nothing.
I also tried the other method, the one given earlier, but the unlock code did not change. I mean it is the same as it was before I ran the process.
Please dear help me out
Rajeev
rajismine said:
Hey Rishi. I guess I am in a fix now. The notepad file created named code contains nothing.
I also tried the other method, the one given earlier, but the unlock code did not change. I mean it is the same as it was before I ran the process.
Please dear help me out
Rajeev
I had the same, but after copying itsutils.dll ( http://wiki.xda-developers.com/index...ename=XdaUtilsin ) to the Windows dir on your mobile phone and pdocread.exe to the C:/unlocker folder (where you extracted Elf_Unlocker.zip) on your PC it worked just fine.
With the earlier unlocker I had the same problem as you did. The IMEI and unlock code did not change.
Don't forget to run Cert_SPCS.cab (1st) and then EnableRapi.cab (2nd)
good luck
Hey Dear
which is the Windows Mobile directory? Please help yaar
Don't forget to run Cert_SPCS.cab (1st) and then EnableRapi.cab (2nd)
good luck
Hey, how do I run these files? I just copied them to the "Mobile Device" folder on my computer and it extracted something. Is that what you mean by running???

[Q] String in PIT

I was looking at the PIT image for the device and was curious about this string:
Code:
00000070 3b 00 43 00 3a 00 5c 00 50 00 72 00 6f 00 67 00 |;.C.:.\.P.r.o.g.|
00000080 00 00 61 00 6d 00 20 00 46 00 69 00 6c 00 65 00 |..a.m. .F.i.l.e.|
00000090 73 00 5c 00 45 00 53 00 54 00 73 00 6f 00 66 00 |s.\.E.S.T.s.o.f.|
Anyone know what that is from? There is no 't' on the next line, by the way.
On an unrelated note, does anyone know of any tools to work with RFS natively in Linux? I can open the image as vfat but it's missing some obvious stuff (SUID).
xaocon said:
I was looking at the PIT image for the device and was curious about this string:
Code:
00000070 3b 00 43 00 3a 00 5c 00 50 00 72 00 6f 00 67 00 |;.C.:.\.P.r.o.g.|
00000080 00 00 61 00 6d 00 20 00 46 00 69 00 6c 00 65 00 |..a.m. .F.i.l.e.|
00000090 73 00 5c 00 45 00 53 00 54 00 73 00 6f 00 66 00 |s.\.E.S.T.s.o.f.|
Anyone know what that is from? There is no 't' on the next line, by the way.
On an unrelated note, does anyone know of any tools to work with RFS natively in Linux? I can open the image as vfat but it's missing some obvious stuff (SUID).
What PIT is this? Is this one of the old ones (813)? Or is this one that was pulled for whitehawks?
Bl4ckpheniX said:
What PIT is this? Is this one of the old ones (813)? Or is this one that was pulled for whitehawks?
This was pulled for whitehawks. I've never flashed a new pit though.
xaocon said:
This was pulled for whitehawks. I've never flashed a new pit though.
Hmm, I will look at it some more.
Sent from my SGH-T959V using XDA Premium App

SamSung I9300 (S3 GSM) baseband analysis

I am not sure if this is the right place, mostly because I don't know how someone else would categorize this info. Mods exist for a reason; today that reason might be to move this to the correct place.
According to Google, some of this is new info and some is old.
I dumped /dev/block/mmcblk0p7 which appears to be the baseband firmware. It is not compressed or encrypted but rather appears to be a filesystem of some sort.
I have identified that they are using RTOS.com's threadX and traceX.
I identified a zip file which indicates the authors used IBM Rational ClearCase
I identified another zip file which is a process trace, attached here for convenience.
There is a file that appears to be DES-encrypted with mcrypt 2.2 (not compatible with 2.4). 56-bit key, so it should not take terribly long to brute force. As I still do not have a firm grasp on the structure of the 32M disk dump, I do not know where the key might be. I also do not have an idle system with sufficient capacity to deal with this in a timely fashion. Anyone got some FPGAs from the old bitcoin days?
There are probably some additional things I will eventually find. I have to go away for a few days so I won't be able to work on this until I return. I am going to look through threadX to see if that sheds light on the file format (they have a free demo download). The only other thing I can think of off the top of my head is that maybe the chip itself expects a specific filesystem.
Maybe this post will spur some people to start looking into it more (or publish what they have if they have looked into it).
I have done further digging.
Firmware header - first 512 bytes
Name ... about 0xD is the offset for that section ... about 0x15 is the size of that section
PSI - start at 0x1000 length 0xE000
EBL - start at 0xF000 length 0x019000
MAIN - start at 0x28000 length 0x9D7800
SECPAC - start at 0x9FF800 length 0x800
NV - starts at 0 length 200000 (its from /efs/nv_data.bin)
It becomes easy to see where the start and size offsets are in the header as well. This also tells me the chip is set to little-endian mode (ARM11-based). There is still some data whose purpose I do not know.
I got a bunch of false positives from binwalk suggesting there is LZMA compressed data. None of it validated.
Baseband file XXELLA
Target File MD5 Checksum
ebl e68042d611aef558dc525009e03d2e50
main 99e7aa119c684b1b569dcc1ec867112a
nv_data.bin 5707f4f934b4ad2a4ee4a7530b92073d
psiram 7e3fe83c24c7e1a6b9110cd68e7564e6
secpac 91cb74b48e35f0f6d61f298d841af59a
MAIN is the only one that had anything at all.
gzip compressed data, was "config_spec.txt", from NTFS filesystem (NT), last modified: Fri Dec 21 21:02:29 2012
mcrypt 2.2 encrypted data, algorithm: DES, mode: CBC, keymode: MD5 hash
Zip archive data, at least v2.0 to extract, compressed size: 37806, uncompressed size: 200962, name: "trace.dec"
config_spec.txt just says "No ClearCase Config Spec available"
trace_dec.zip is attached above
the mcrypted file is being brute forced, slowly ... very slowly. 1 core on a busy system. I will likely abort it because it is not going to finish in a reasonable time.
512 bytes of the disk image
Code:
00000000 50 53 49 52 41 4d 00 00 00 00 00 00 00 10 00 00 |PSIRAM..........|
00000010 00 00 00 00 00 e0 00 00 00 00 00 00 00 00 00 00 |................|
00000020 45 42 4c 00 00 00 00 00 00 00 00 00 00 f0 00 00 |EBL.............|
00000030 00 00 00 60 00 90 01 00 00 00 00 00 00 00 00 00 |...`............|
00000040 4d 41 49 4e 00 00 00 00 00 00 00 00 00 80 02 00 |MAIN............|
00000050 00 00 30 60 00 78 9d 00 00 00 00 00 00 00 00 00 |..0`.x..........|
00000060 53 45 43 50 41 43 4b 00 00 00 00 00 00 f8 9f 00 |SECPACK.........|
00000070 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 |................|
00000080 4e 56 00 00 00 00 00 00 00 00 00 00 00 00 a0 00 |NV..............|
00000090 00 00 e8 60 00 00 20 00 00 00 00 00 00 00 00 00 |...`.. .........|
[rest is null]
00000200
reserved
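The section table described in the post above, parsed as a worked example added here (not code from the thread's author): a 32-byte entry per section holding a 12-byte name, a little-endian dword start offset at 0x0C, an unidentified dword at 0x10 (plausibly a load address; that reading is an assumption) and a dword size at 0x14, a layout inferred from the posted 512-byte dump. The header bytes are copied from that dump; the 32 MiB image size is the one the post gives. Beyond listing the sections, it performs the checks a practitioner would want before carving and hashing them: no overlaps, every section inside the image, and a report of any gaps between declared sections.

```python
"""Added example: parse the section table at the front of the I9300 baseband
dump posted in the thread and check that the declared sections are consistent.
Entry layout is inferred from the posted dump, not taken from a specification."""
import struct

# First 0xA0 bytes of the posted header; the rest of the 512-byte sector is null.
POSTED_HEADER = bytes.fromhex(
    "50 53 49 52 41 4d 00 00 00 00 00 00 00 10 00 00 "
    "00 00 00 00 00 e0 00 00 00 00 00 00 00 00 00 00 "
    "45 42 4c 00 00 00 00 00 00 00 00 00 00 f0 00 00 "
    "00 00 00 60 00 90 01 00 00 00 00 00 00 00 00 00 "
    "4d 41 49 4e 00 00 00 00 00 00 00 00 00 80 02 00 "
    "00 00 30 60 00 78 9d 00 00 00 00 00 00 00 00 00 "
    "53 45 43 50 41 43 4b 00 00 00 00 00 00 f8 9f 00 "
    "00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 "
    "4e 56 00 00 00 00 00 00 00 00 00 00 00 00 a0 00 "
    "00 00 e8 60 00 00 20 00 00 00 00 00 00 00 00 00 "
).ljust(512, b"\x00")

HEADER_SIZE = 0x200           # the table occupies the first sector
ENTRY_SIZE = 0x20             # one 32-byte entry per section
IMAGE_SIZE = 32 * 1024 * 1024  # the post calls it a 32M disk dump


def parse_section_table(header: bytes) -> list:
    """Return one dict per named entry; stops at the first zero-filled slot."""
    sections = []
    for off in range(0, HEADER_SIZE, ENTRY_SIZE):
        entry = header[off:off + ENTRY_SIZE]
        if len(entry) < ENTRY_SIZE or entry[0] == 0:
            break
        name = entry[:12].split(b"\x00", 1)[0].decode("ascii")
        # dword at 0x0C: start offset; 0x10: unidentified (assumed load address); 0x14: size
        start, unknown, size = struct.unpack_from("<III", entry, 0x0C)
        sections.append({"name": name, "start": start, "size": size,
                         "end": start + size, "unknown": unknown})
    return sections


def check_layout(sections: list, image_size: int = IMAGE_SIZE) -> list:
    """Human-readable findings; an empty list means the table is self-consistent."""
    findings = []
    prev_end, prev_name = HEADER_SIZE, "header"
    for s in sorted(sections, key=lambda s: s["start"]):
        if s["size"] == 0:
            findings.append(f"{s['name']}: zero-length section")
        if s["start"] < prev_end:
            findings.append(f"{s['name']} (0x{s['start']:x}) overlaps {prev_name} (ends 0x{prev_end:x})")
        if s["end"] > image_size:
            findings.append(f"{s['name']} ends at 0x{s['end']:x}, past image size 0x{image_size:x}")
        prev_end, prev_name = s["end"], s["name"]
    return findings


def gaps(sections: list) -> list:
    """(after, before, gap_bytes) for adjacent sections that do not touch."""
    ordered = sorted(sections, key=lambda s: s["start"])
    return [(a["name"], b["name"], b["start"] - a["end"])
            for a, b in zip(ordered, ordered[1:]) if b["start"] != a["end"]]


def carve(image: bytes, sections: list) -> dict:
    """Slice each declared section out of a full image, e.g. to hash each part separately."""
    return {s["name"]: image[s["start"]:s["end"]] for s in sections}


if __name__ == "__main__":
    secs = parse_section_table(POSTED_HEADER)
    for s in secs:
        print(f"{s['name']:8} start=0x{s['start']:08x} size=0x{s['size']:08x} other=0x{s['unknown']:08x}")
    print("findings:", check_layout(secs) or "none")
    print("gaps:", gaps(secs) or "none")
```

On the posted header the five sections (PSIRAM, EBL, MAIN, SECPACK, NV) are back to back from 0x1000 to 0xC00000 with no overlaps or gaps, which is the kind of result that makes a per-section MD5 table like the one above trustworthy; a table whose entries overlap or run past the end of the image is the first sign of a corrupted or mis-parsed dump.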

[NB1-Collision] [Alternate method] How to unlock the bootloader of Nokia 8.1 (X7)

WARNING: The overall procedure requires disassembly and you will definitely lose your warranty!
I'm not responsible for bricking or damaging your device! It's not meant for average users at all!
You can consider importing a Nokia X7 from China as a test subject, as it's cheaper than the Nokia 8.1.
Let me tell you how HMD Nokia Android devices detect whether the unlock key is valid.
A standalone partition, mfd, stores the Serial Number and IMEI/MEID/MAC address that will be used for bootloader checking.
It will check whether your IMEI1 and SN in the mfd partition are valid for the unlock key, instead of NVRAM.
To unlock the phone, you need a Nokia 8 NB1 (at least you need to know its IMEI1 and SN) and an unlock key requested officially from HMD. If you don't have one, please ask a Nokia 8 user who successfully requested an unlock key. I'm not going to provide my unlock key and IMEI/SN.
Our theory of unlocking the bootloader is:
1. Hack the mfd partition with the identification of Nokia 8.
2. Flash the unlock key for Nokia 8 to Nokia 8.1 (X7).
3. Restore mfd partition.
This method is unusable on Nokia 3.1 / 5.1 or Plus and Nokia 1 Plus, although MediaTek models are easier to hack with SP Flash Tool.
I guess HMD will block this method soon by changing the public key like before (ProjectCode add 1 or 2), and you can't request the unlock key again if it's lost, so please keep your unlock key in a safe place.
Let's get started.
Step 1: Download stock firmware or just firehose file from fih-firmware.hikaricalyx.com/hmd_en.html#pnx
You'll need the firehose file from it. I strongly recommend you to use the firehose file from "OSTLA_X7-OTA-Repair_002" package for faster procedure.
Step 2: dump mfd partition
To dump the mfd partition, you can either trigger your phone into Qualcomm EDL mode by the wire trick or use an eMMC programmer, which is too hardcore to be mentioned.
After you remove the back cover, you can find these two points easily. Power off your phone, use tweezers or a wire to short them, and connect it to the PC. The position is posted as an attachment below. If you did it right, the phone will boot to Qualcomm EDL mode and you can remove the tweezers or wire.
Now use QFIL and load the firehose file from the stock firmware. To dump the mfd partition, use the partition manager in QFIL, right click on the mfd partition, Properties, then click "Read". The dumped mfd partition is located at %AppData%\Qualcomm\QFIL\COMPORT_XX .
Step 3: Use Hex Editor to change IMEI and SN written in mfd partition
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 44 66 4D 5F 00 00 00 00 09 00 00 00 73 77 69 64 DfM_........swid
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060 70 72 6F 64 75 63 74 69 64 00 00 00 00 00 00 00 productid.......
00000070 50 4E 58 47 41 4D 30 31 32 33 34 35 36 37 38 39 PNXGAM0123456789
00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000B0 10 00 00 00 62 74 5F 6D 61 63 00 00 00 00 00 00 ....bt_mac......
000000C0 00 00 00 00 xx xx xx xx xx xx xx xx xx xx xx xx ....xxxxxxxxxxxx
000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000100 00 00 00 00 0C 00 00 00 77 69 66 69 5F 6D 61 63 ........wifi_mac
00000110 00 00 00 00 00 00 00 00 xx xx xx xx xx xx xx xx ........xxxxxxxx
00000120 xx xx xx xx 00 00 00 00 00 00 00 00 00 00 00 00 xxxx............
00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000150 00 00 00 00 00 00 00 00 0C 00 00 00 69 6D 65 69 ............imei
00000160 5F 31 00 00 00 00 00 00 00 00 00 00 33 35 36 39 _1..............
00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
For the Nokia 8.1 / X7, IMEI1/IMEI2 aren't written in the mfd partition at all, but we can write them as we want.
Note, hacking the mfd partition will not change your IMEI in NVRAM, which is illegal. It will only change the IMEI that verifies the unlock key under fastboot mode. As it's not written at all, I can assume HMD Global wasn't willing to unlock the Nokia 8.1 / X7 from the beginning.
The position of IMEI1 starts at offset 0x0000016C. I assume the IMEI and SN of your Nokia 8 are 123456789012347 and NB1GAD2780012345, which I needn't mention where to find.
Here's the modified mfd partition:
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 44 66 4D 5F 00 00 00 00 09 00 00 00 73 77 69 64 DfM_........swid
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060 70 72 6F 64 75 63 74 69 64 00 00 00 00 00 00 00 productid.......
00000070 4E 42 31 47 41 44 32 37 38 30 30 31 32 33 34 35 NB1GAD2780012345
00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000B0 10 00 00 00 62 74 5F 6D 61 63 00 00 00 00 00 00 ....bt_mac......
000000C0 00 00 00 00 xx xx xx xx xx xx xx xx xx xx xx xx ....xxxxxxxxxxxx
000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000100 00 00 00 00 0C 00 00 00 77 69 66 69 5F 6D 61 63 ........wifi_mac
00000110 00 00 00 00 00 00 00 00 xx xx xx xx xx xx xx xx ........xxxxxxxx
00000120 xx xx xx xx 00 00 00 00 00 00 00 00 00 00 00 00 xxxx............
00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000150 00 00 00 00 00 00 00 00 0C 00 00 00 69 6D 65 69 ............imei
00000160 5F 31 00 00 00 00 00 00 00 00 00 00 31 32 33 34 _1..........1234
00000170 35 36 37 38 39 30 31 32 33 34 37 00 00 00 00 00 56789012347.....
Save it to another place, and please keep your original mfd partition for us to restore.
Step 4: Write back the mfd partition and unlock the bootloader
Use QFIL to write back the mfd partition with either Partition Manager or your own rawprogram0.xml, which I needn't mention here.
After the mfd partition is written back, perform a forced reboot by pressing both the volume up key and the power key. Then boot your phone to fastboot mode by any method you're familiar with. You can't put the cover back on yet.
Now flash the unlock key for Nokia 8 to it:
Code:
fastboot flash unlock unlock.key
fastboot flashing unlock
Under Android 9 bootloader, "fastboot flashing unlock_critical" command will be treated as "fastboot flashing unlock", so you can't perform critical unlock, unless you downgrade the bootloader part (abl, xbl, xbl_config and tz partitions) to PNX-124F firmware, which you can find in the PNX-124F-0-00CN-B05 stock firmware.
Then confirm bootloader unlock on the phone as usual.
Step 5: Restore mfd partition
To prevent strange issues, you still need to restore your original mfd partition under Qualcomm EDL mode, which I needn't mention how to do.
After that, you may replace the back cover and phone rooting / custom rom installation is allowed.
That covers the whole bootloader unlock theory. Since it uses the unlock key from a Nokia 8 and I tricked the phone into passing as a Nokia 8, I called the unlock method "NB1-Collision". However, I can clearly see HMD is still not prepared for bootloader unlock.
Because even when the bootloader is unlocked, a retail device still doesn't allow us to flash any partitions as we want.
When flashing a partition, it will tell us "Flashing is not rooted for fused device". When trying to perform a temporary boot under fastboot mode with the retail abl, it will tell us "Unknown command", and the same "Flashing is not rooted for fused device" error under the service abl.
So the next step is how we can hack the fuse status to disabled - this is up to you.
As for how I can unlock and root the phone without disassembly, it's a paid method that I can't disclose here.
hikari_calyx said:
As for how I can unlock and root the phone without disassembly, it's a paid method that I can't disclose here.
And how much, if not secret?
luiszevs said:
And how much, if not secret?
$12 for unlocking Nokia X7 / 8.1 / 9 PureView. As for where to request, this can't be mentioned here - Google is always your best friend.
hikari_calyx said:
...Google is always your best friend.
wow,really ? :laugh: ,you wrote " it's paid method " , I asked "how much" , not "how" . You answered, thank you, I will think, do I need unlock & root? while everything suits me ...
luiszevs said:
wow,really ? :laugh: ,you wrote " it's paid method " , I asked "how much" , not "how" . You answered, thank you, I will think, do I need unlock & root? while everything suits me ...
XDA, everything should be free.. who is charging ??
light.apps said:
XDA, everything should be free.. who is charging ??
Hikari of course
Again, search the web.
Even if we unlock is there twrp available?
Aftab_khatri said:
Even if we unlock is there twrp available?
is twrp not available??
Later today I will be receiving the Nokia 8.1, an Android One phone. I want to have the bootloader unlocked and run LineageOS. Does anyone know if it can be done? I really would want the phone to be Google-free. I am not a developer, so I will be needing help from someone trustworthy.
wrp2015 said:
Later today I will be receiving the Nokia 8.1, an Android One phone. I want to have the bootloader unlocked and run LineageOS. Does anyone know if it can be done? I really would want the phone to be Google-free. I am not a developer, so I will be needing help from someone trustworthy.
No, the BL can't be unlocked right now. As you can see on XDA, there's no custom rom for Nokia 8.1 / Nokia X7.
nickyip123 said:
No, the BL can't be unlocked right now. As you can see on XDA, there's no custom rom for Nokia 8.1 / Nokia X7.
Would it still be possible to install another "launcher" on this phone, so the "ask google" bar will be hidden on the home screen?
Of course. Lawnchair, for example. Change settings to hide Google.
nickyip123 said:
No, the BL can't be unlocked right now. As you can see on XDA, there's no custom rom for Nokia 8.1 / Nokia X7.
Thank you for your response. Since the phone is brand new and I haven't even unpacked it, I am ready to send it back for a refund. Is there a phone that has similar specs and approximate price (300 euro) as the Nokia 8.1 that I could run LineageOS on?
A good speaker and large screen are some of the things important to me. I do not do any gaming.
I am located in the Netherlands, Europe. Is it an easy process to install LOS (I am not an expert in these things and my schedule is overfull as is), or will I need to find someone who is willing to do it for me for a fee? In the latter case, where would I go?
Is it recommended for laymen to run LOS on their phones, as when something goes wrong they won't know what to do?
