BETA Project: A Gold Card for the Prophet - JAMin, XDA Neo, S200 Software Upgrading

After a lengthy discussion with some developers on this board, I'm going to try and see if it is possible to create a Gold Card for the Prophet.
This is a very low level process, so ONLY try to follow along if you really know what you are doing !!!
So, what are we going to do ? well, create an SD image to be able to un-brick a Prophet (hopefully)
As this SD image will try to circumvent the bootloader security it is called a Gold Card.
We will use itsme's typhoonnbfdecode.pl to create this image. (Thx to itsme for his great tool set !)
Creating a "normal" SD Image isn't that hard, the trick comes when you need to fool the bootloader and bypass the security.
Steps:
1. Find out what your docuniqueid is (not needed, but nice to have anyway)
2. Find out what your cardid is
3. Change the first two digits of the cardid to 00
4. Find out which -p keys to use (my guess is tornado)
5. Extract IPL/SPL/GSM/OS/SPLASH from a original ROM for the correct model (G3 or G4)
6. Use typhoonnbfdecode.pl to create an SD image (gold card)
7. Test the sucker in my bricked G3
So, let's try to get something working:
I will skip step 1 for now as it's not needed.
2. To get the cardid we need to read a memory dump from another Prophet with the SD card inside
pmemmap -s 0x06000000 -w deviceexe.mem -p 0x10000000-0x12000000
we are dumping the section of memory where device.exe is running (you can check this with pps)
In this memory dump we search for the unicode string 'Memory Card'
This is where I am at the moment, as the above was done on another HTC device I think I need to search for a new mem location where the cardid is stored.
So any people reading this that know another way of getting the sd cardid, let me know.
Example cardids:
# 55 4500 accf6300 55 3832314453 4453 03 'UE...c.U821DSDS.' .. my minisd
# 3f 5100 09531f40 03 424d383231 4e49 18 '?Q..S.@.BM821NI.' .. my kingston
# 3f 3c00 65ba4764 07 3832314453 4d54 02 '?<.e.Gd.821DSMT.' .. my daneelec
# 00 4200 0f588942 41 4238323153 4150 01 .... bjorns sdcard

glad to help you
glad to help you un-brick your phone but need more details on these steps.
I am not a programmer so you'll have to explain more.
I do generally pick up these things quick, but will need to point me in the right direction.

AbuYahya said:
glad to help you un-brick your phone but need more details on these steps.
I am not a programmer so you'll have to explain more.
I do generally pick up these things quick, but will need to point me in the right direction.
Don't worry, I will update as I find out more

Hi,
Few months back I tried to make one for my Device but was unsuccessful as I was not able to get DOC uniqueID and finding SD Card's unique ID is a hell of a JOB.
So I Quit at that time but after seeing your post, I am again feeling energetic.
However the only method I know is as under.
Don't remember the exact location but will let you know (Taken from somewhere on the XDA Forum)
Finding out the docuniqueid
it is in memory at 0x8e01509c:
pmemdump 0x8e01509c 0x10
alternatively you can use this:
pdocread -l
Finding out the cardid (this is more difficult)
first find out the section of device.exe with pps, usually it is 0x06000000. then save this section to a file using:
pmemmap -s 0x06000000 -w deviceexe.mem -p 0x10000000-0x12000000
then in this memory dump, search for the unicode string 'Memory Card':
findstr "Memory Card" deviceexe.mem
then dump the memory starting 0x18 bytes before where memory card was found:
dump deviceexe.mem -o 0x90a2a0 -l 0x90
this results in something like this:
0090a2a0: 53 42 44 53 ec 00 00 00 f0 6f b7 03 00 00 00 00 SBDS.....o......
0090a2b0: 68 ea 8f 00 00 00 00 00 4d 00 65 00 6d 00 6f 00 h.......M.e.m.o.
0090a2c0: 72 00 79 00 20 00 43 00 61 00 72 00 64 00 00 00 r.y. .C.a.r.d...
0090a2d0: 63 00 65 00 30 00 00 00 00 00 00 00 00 00 00 00 c.e.0...........
0090a2e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0090a2f0: 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 ................
0090a300: 30 b1 90 00 68 bf 90 00 70 12 b5 03 5c a9 00 80 0...h...p...\...
0090a310: ff 00 00 00 00 55 45 00 ac cf 63 00 55 38 32 31 .....UE...c.U821
0090a320: 44 53 44 53 03 ab 40 40 92 ff 4f fa fe c0 83 59 DSDS..@@..O....Y
note: that the SBDS signature needs to be there.
the 16 bytes starting at 0x90a315, 55 45 00 ac ... etc are the cardid.
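The manual walk-through above (find the UTF-16 'Memory Card' string, check for the SBDS signature 0x18 bytes in front of it, read 16 bytes at 0x90a315) can be automated. The following is an added example, not code from any poster in this thread or from itsme's tools. It takes the hex dump quoted in the post as sample input; the 0x75 offset of the card ID from the SBDS signature is an assumption derived from that single dump (0x90a315 - 0x90a2a0), and the grouping in format_cardid() just mirrors how the example cardids are listed earlier in the thread, not a documented field layout.

```python
"""Locate the SBDS record in a deviceexe.mem dump and pull out the 16-byte
SD card ID, following the manual procedure described in the post above.
Added example for this thread; offsets are assumptions taken from that post."""

import re

# Hex dump quoted in the post (offsets are relative to deviceexe.mem),
# used here as sample input.
SAMPLE_DUMP = """\
0090a2a0: 53 42 44 53 ec 00 00 00 f0 6f b7 03 00 00 00 00 SBDS.....o......
0090a2b0: 68 ea 8f 00 00 00 00 00 4d 00 65 00 6d 00 6f 00 h.......M.e.m.o.
0090a2c0: 72 00 79 00 20 00 43 00 61 00 72 00 64 00 00 00 r.y. .C.a.r.d...
0090a2d0: 63 00 65 00 30 00 00 00 00 00 00 00 00 00 00 00 c.e.0...........
0090a2e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0090a2f0: 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 ................
0090a300: 30 b1 90 00 68 bf 90 00 70 12 b5 03 5c a9 00 80 0...h...p...\\...
0090a310: ff 00 00 00 00 55 45 00 ac cf 63 00 55 38 32 31 .....UE...c.U821
0090a320: 44 53 44 53 03 ab 40 40 92 ff 4f fa fe c0 83 59 DSDS..@@..O....Y
"""

SBDS_MAGIC = b"SBDS"
MEMORY_CARD_UTF16 = "Memory Card".encode("utf-16-le")
SIG_BEFORE_NAME = 0x18           # the post dumps 0x18 bytes before 'Memory Card'
CARDID_OFFSET = 0x90A315 - 0x90A2A0  # 0x75, assumed from the post's single example
CARDID_LEN = 16

# One dump line: "<addr>: <16 hex bytes> <ascii column>"
_LINE_RE = re.compile(r"^([0-9a-fA-F]+):((?:\s[0-9a-fA-F]{2}){16})")


def parse_hexdump(text):
    """Return (base_address, bytes) for a contiguous 'addr: bytes ascii' dump."""
    base = None
    data = bytearray()
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # headers, blank lines, etc.
        addr = int(m.group(1), 16)
        if base is None:
            base = addr
        elif addr != base + len(data):
            raise ValueError(f"non-contiguous dump at {addr:#x}")
        data += bytes.fromhex(m.group(2))
    if base is None:
        raise ValueError("no hex dump lines found")
    return base, bytes(data)


def find_cardid(base, data):
    """Find the UTF-16LE 'Memory Card' name, require the SBDS signature
    SIG_BEFORE_NAME bytes in front of it, and return (record_addr, cardid)."""
    pos = data.find(MEMORY_CARD_UTF16)
    if pos < 0:
        raise ValueError("'Memory Card' string not found in dump")
    sig = pos - SIG_BEFORE_NAME
    if sig < 0 or data[sig:sig + 4] != SBDS_MAGIC:
        raise ValueError("no SBDS signature in front of the name")
    end = sig + CARDID_OFFSET + CARDID_LEN
    if end > len(data):
        raise ValueError("dump too short to contain the card ID")
    return base + sig, data[sig + CARDID_OFFSET:end]


def format_cardid(cardid):
    """Group the 16 bytes the way the thread lists its example cardids
    (1,2,4,1,5,2,1 bytes); purely a display convention."""
    groups, out, i = (1, 2, 4, 1, 5, 2, 1), [], 0
    for n in groups:
        out.append(cardid[i:i + n].hex())
        i += n
    return " ".join(out)


if __name__ == "__main__":
    base, data = parse_hexdump(SAMPLE_DUMP)
    addr, cid = find_cardid(base, data)
    print(f"SBDS record at {addr:#x}, cardid: {format_cardid(cid)}")
```

Running it on the quoted dump reports the SBDS record at 0x90a2a0 and the cardid 55 4500 accf6300 55 3832314453 4453 03, the same value listed as "my minisd" in the first post. On a real dump the parser refuses non-contiguous lines and a missing signature rather than guessing, which is the check the post's "note: that the SBDS signature needs to be there" is asking for.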

DoCtOr_X said:
Hi,
Few months back I tried to make one for my Device but was unsuccessful as I was not able to get DOC uniqueID and finding SD Card's unique ID is a hell of a JOB.
So I Quit at that time but after seeing your post, I am again feeling energetic.
However the only method I know is as under.
Don't remember the exact location but will let you know (Taken from somewhere on the XDA Forum)
Finding out the docuniqueid
it is in memory at 0x8e01509c:
pmemdump 0x8e01509c 0x10
alternatively you can use this:
pdocread -l
If you look at my post above you can see I'm doing the same
however, pdocread on a bricked phone obviously doesn't work, however the docuniqueid MIGHT not be needed.
the cardid is trickier, as the cardid seems to be hidden at a different memory location than normal (read, older devices)
I'm trying several things to get to this

I just bought a new cardreader, so I can continue testing this

Hi,
Wish u best of luck but unfortunately I have no success.

Any Success ????

working on something that might get us a working gold card
stay tuned

Ok, it's possible to create a gold card, meaning, that I can create an SD that will lower the sec level to 0
This is nice, however doesn't help (yet) with the G3/G4 wrong SPL problem.
But it is one step closer as it is now confirmed that you can lower the sec level using this method.
Next step will be to see if I can "update" an existing G3 SD Image with the cardid of my card and get it to boot.
I know it might not make sense what I'm saying now, but it's just an update on the progress made so far, and yes I will update the first post with a how to.
more later.

Nice, keep up the good work!

Well Done, I am really amazed.
Thanks & please keep it up.

So am I understanding that right you need another htc which is working to get the cardid? Is it possible to get all that done just with a regular cardreader plugged into the computer?...

cr0ssy said:
So am I understanding that right you need another htc which is working to get the cardid? Is it possible to get all that done just with a regular cardreader plugged into the computer?...
It MIGHT be, but I haven't tried that yet

Huh they are very similar
Hi Jesterz so far I have the same problem as you are with my dev g3
with spl from g4
So did you get your device to boot or what ideas do you have
Maybe this will help us Customize_rom_PDAMobiz_Editon_Upgrade_Rom_for_IPLSPL_2.15.0001_v.1.02

Help
Dear Jesterz, could you please help me. I used your RUU-Prophet-g4-AKU2.2-2.20-2.47.21-Jester-r1 to flash my G3, so I did not read your post carefully. It passed but the device is still in bootloader mode. Is it possible to solve my problem and how? I have no other Prophet to make a goldcard. Thanks in advance

mjankovic said:
Dear Jesterz, could you please help me. I used your RUU-Prophet-g4-AKU2.2-2.20-2.47.21-Jester-r1 to flash my G3, so I did not read your post carefully. It passed but the device is still in bootloader mode. Is it possible to solve my problem and how? I have no other Prophet to make a goldcard. Thanks in advance
Now u must also wait for the GoldCard project....

Yes thank you very much doctor_x so would you please let me know when it is finished and where I can find it

Hi,
If I'm not missing anything, there are actually two types of ID's for SD cards:
1. "Hardware ID", that is truly low-level and is provided by the card manufacturer.
You can use Pocket Mechanic to read it, but I have no idea how you can manage to change it. Please let me know if you have a solution on this one.
2. Let's call it "software id" - an id that you get after your card is formatted (something like a partition id) - you can use a card-reader and some software like Acronis Partition Expert to read and change it.

mjankovic said:
Yes thank you very much doctor_x so would you please let me know when it is finished and where I can find it
The main person involved in this project is "Jesterz". I was about to give up when Jesterz started a new effort and infused new spirit in the project.
Now lets hope it works but up till now no breakthrough.


Will this method work to bypass devauth ?

I read somewhere that I don't have to SUPER CID to install a 3rd party ROM, or perhaps our WM6 ROM
"Here is how I got the rom to install without the devauth error.
1) use a hex editor on the rom file and search for the devauth.exe string e.g. 44 00 65 00 76 00 41 00
2) between the "devauth" and the "exe" you will see the hex "00 2e".
3) swap these bytes around so they are "2e 00" instead of "00 2e".
4) This will keep the same checksum but will not allow the devauth.exe to run. well it worked in my case at least"
Hope it works
Will the above method work? because my phone is still under warranty, and I don't want to void it so early

Building NBH files from RAW files for a Kaiser

Well. I've spent 1 week. Yes, one week. I haven't been productive at all because I've dedicated more than 16 hours per day to find one stupid answer to this question:
Once you dump the rom of your kaiser into the Part00.raw, Part01.raw, Part02.raw and Part03.raw, how can you create an NBH file?
Listen everybody: I've been looking for this site AND OTHERS, and the only gaseous, not so clear at all, lame answers are: "Oh, oh. You need to use Tadzio´s tools".
And that's it. How the f.... do you think that an answer like that is going to work?
Step by Step instructions, people !!!!!
That's what we need to build knowledgebase.
Most people are lazy and want fast answers without researching. That's why they brick their phones. Others, like me, do our homework, but since there isn't anywhere else to ask, I have no choice but to create a new thread, since there isn't NO G.. D..N answer in the forum or on the site !!!!
I have my eyes squared and peeled from looking at Google's, Live Search and Yahoo results.
Please, people, lets recreate the scenario:
You have a kaiser (TyTN II or what ever you want to call it) phone and you decide that, before bricking, or, even in case of bricking it, you want to copy your original ROM and have a copy of it and also BUILD, for chrisake, a flashable ROM to make the restore procedure easy and dandy.
You download itstools and execute pdocread.exe -l to get the RAW files.
Once you get your 4 RAW files, THEN WHAT????
All what I could find is that you can use some tools from Tadzio called imgfstools but, again, and so nice from you, NO INSTRUCTIONS AT ALL !!!!
So. Any kind soul to give a DETAILED, step-by-step walk through for a Kaiser?
Thanks, community.
http://forum.xda-developers.com/showthread.php?p=1968557
"How to Reconstruct a Dumped ROM & Reconstructed ROMs" by jcespi2005
goye said:
. . . Once you dump the rom of your kaiser into the Part00.raw, Part01.raw, Part02.raw and Part03.raw, how can you create an NBH file?
. . . So. Any kind soul to give a DETAILED, step-by-step walk through for a Kaiser?
Thanks, community.
I think this is the thread you want, "How to Reconstruct a Dumped ROM & Reconstructed ROMs" by jcespi2005
Thanks, but no thanks ....
Thanks community for your fast reply.
Well, actually that article "How to Reconstruct a Dumped ROM & Reconstructed ROMs" (http://forum.xda-developers.com/showthread.php?t=337066) from jcespi2005 sucks.
He doesn't give any details of how to do it.
I did learn a lot from doctaJay's videos (http://forum.xda-developers.com/showthread.php?t=372469) on his series "Cooking Guides for the Ultimate Noobs- Screencasts".
Now that's helping the community.
But, no. I need to build FROM SCRATCH my own NBH files using my Part0x.raw files. I don't need to use any one's RUU_Signed.nbh file to cook mine. I need to create FROM SCRATCH the NBH file only from my RAW files, with out using any other NBH file!
I mean ----
0. You tweak your registry IN YOUR PDA, not the computer, to change a Security Policy key:
HKLM\Security\Policies\Policies
valuename '00001001' was set to dword:2, change it to dword:1
YOU NEED TO USE A Registry Tweaker like RegeditSTG. Google it just as I did.
Once you've done all this, then
1. you pdocread.exe -l your ORIGINAL ROM from your kaiser.
So you get an output like this:
210.38M (0xd260000) FLASHDR
| 3.12M (0x31f000) Part00
| 3.63M (0x3a0000) Part01
| 68.50M (0x4480000) Part02
| 135.13M (0x8720000) Part03
STRG handles:
handle a7486c82 135.13M (0x8720000)
handle a749618e 68.50M (0x4480000)
handle 074aff52 3.63M (0x3a0000)
handle 074aff76 3.12M (0x31f000)
disk a7486c82
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk a749618e
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 074aff52
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 074aff76
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Cute!
2. Step Two is Supposed to be creating your own, personal NBH installer kit from your original dumped ROM without using any other's ruu_signed.nbh downloaded from some guy's ROM kit.
I've read that you need Tadzio's imgfstools for doing so. See?
Even Tadzio's, the creator of the tool doesn't even explain, men and women !
That's pretty much f...ed up !
3. Open and HardSPL your phone BEFORE doing ANY FLASHING TASKS or you would really end up with a nice paper holder on your desk.
4. You should find a way to back up your RADIO ROM.
That's something completely different from the OS ROM. Many people complain that once they use some guy's ROM kit, their phones stop working in their networks.
Me, I live in Japan. I can't just download whatever ROM kit and flash my Kaiser, since in Japan my phone provider, E-Mobile, uses a weird 1700 MHz W-CDMA frequency, and most of the ROM kits are flashed for GSM networks and different 800 MHz - 1900 MHz and 2100 MHz GSM/GPRS networks.
Many stupidly think that flashing a phone's OS is a matter of downloading a g.. d...ed ROM and "bingo", you got your phone done. Actually, because following this guy jcespi2005's ROM (I can't blame him. You can't blame no one for flashing and messing your own ROM, I want to make that CLEAR), my phone doesn't work.
So .... You have to be careful and teach others to be careful, but the best way is to do a comprehensive, all in one step-by-step guide that will clarify most of the doubts of people.
5. Cook your own ROM's
I think, personally, that following these steps will prevent most people from bugging their phones and, at least, in the worst scenario, be able to somehow restore most of the original condition of the Kaiser so we can claim service or guarantee.
---------------------------------------
We have our RAW files from scratch, dumped BEFORE DOING anything that potentially might brick our Kaiser.
Now, before cooking and all that (again, thanks doctaJay for your screencasts, you da man !), I need to know:
HOW CAN I BUILD AN IMAGE FILE FROM TOTALLY SCRATCH JUST USING MY OWN RAW FILES !!!
It is said that we can use imgfstools from tadzios, but, as usual, not even a g.. d..med clue here !
Instructions !!
I can commit to post a nice, very in depth screencast for all of the people, but, please, I need to create from scratch, with out using ANYONE's dumped image NBH or ROM, a ROM file.
It's as simple as this: How did the FIRST PERSON IN this community manage to create FROM SCRATCH a NBH from his/her RAW files? And let it be told: FOR A KAISER, for chrisake ! Don't compare apples with oranges, even if they tend to behave alike.
See? That's the nature of the question. I'm not interested in COOKING A ROM, using as a base someone else's ROM.
That's the question, community.
Believe me, once I have all these steps mastered, I will make videocasts (screen casts) in both English and Spanish (Maybe Japanese as well).
So, help me out to help others and in that way we can help new users in a better way !
Thanks !
i don't know how much reading you did in either post from the other guys but the threads they posted give you a STEP-BY-STEP walkthrough, if you can't read the walkthrough then you're a f*****g idiot and you shouldn't be trying any of the $h1t you are trying to do. READ i read through both of those threads posted and now i can dump a rom and cook one for the hell of it, mine only go to me but whatever. your steps only say "2. Step Two is Supposed to be creating your own, personal NBH installer kit from your original dumped ROM without using any other's ruu_signed.nbh downloaded from some guy's ROM kit.
I've read that you need Tadzio's imgfstools for doing so. See?
Even Tadzio's, the creator of the tool doesn't even explain, men and women !
That's pretty much f...ed up !" well that's not an answer. don't create a thread just to ***** about how you want an answer, write your own damn program and DIYFS if you want to do everything from scratch.
personally i thank each and every member who has contributed anything, because without the guys here i would still have a stock att rom(minus bloat). thank you chefs and all others that have allowed my phone to be as great as it can be
STEP 1: Extract the RAW (IMGFS) file to a dump directory
imgfstodump part02.raw
fgs......how much more info do you need.
from the rom reconstruction thread.
jcespi2005 said:
2. Download the WWE BaseROM to use in the reconstruction process here http://rapidshare.com/files/5781641...dio_sign_22.45.88.07_1.27.12.11_Ship.rar.html
3. Download the modified version by Alex of Kaiser Kitchen here, that allows to reconstruct the ROM from the dump. Follow the guide included in the Readme using WWE from previous step and to will get you reconstructed ROM from your device.
sure i admit, that's not that much info, which is why i gave u the link to doctajay's screencasts, watch all his videos, everything you need is there. what more do you want?
I forgot to mention: My network is not GSM or similiar and I can't smoke my Radio
tubaking182 said:
i don't know how much reading you did in either post from the other guys but the threads they posted give you a STEP-BY-STEP walkthrough, if you can't read the walkthrough then you're a f*****g idiot and you shouldn't be trying any of the $h1t you are trying to do. READ i read through both of those threads posted and now i can dump a rom and cook one for the hell of it, mine only go to me but whatever. your steps only say "2. Step Two is Supposed to be creating your own, personal NBH installer kit from your original dumped ROM without using any other's ruu_signed.nbh downloaded from some guy's ROM kit.
I've read that you need Tadzio's imgfstools for doing so. See?
Even Tadzio's, the creator of the tool doesn't even explain, men and women !
That's pretty much f...ed up !" well that's not an answer. don't create a thread just to ***** about how you want an answer, write your own damn program and DIYFS if you want to do everything from scratch.
personally i thank each and every member who has contributed anything, because without the guys here i would still have a stock att rom(minus bloat). thank you chefs and all others that have allowed my phone to be as great as it can be
Also, I already mentioned this (who's not reading?):
goye said:
4. You should find a way to back up your RADIO ROM.
That's something completely different from the OS ROM. Many people complain that once they use some guy's ROM kit, their phones stop working in their networks.
Me, I live in Japan. I can't just download whatever ROM kit and flash my Kaiser, since in Japan my phone provider, E-Mobile, uses a weird 1700 MHz W-CDMA frequency, and most of the ROM kits are flashed for GSM networks and different 800 MHz - 1900 MHz and 2100 MHz GSM/GPRS networks.
That's why I need to create my own ROM from SCRATCH, not taking other ROMs as a base.

Photon Q stuck at Starting Service, IMEI, Baseband gone

I got a new Photon Q from USA
This is my first CDMA phone
I am trying to get it on Reliance CDMA network INDIA.
So, i am trying to edit settings via QPST
Accidentally I selected NAM2 which was blank, no settings and phone numbers.
Now the phone is trying to start with NAM2 and now it is stuck on "Starting Service".
Only phone settings are accessible from the sliding bar, but IMEI, ESN are blank and baseband is unknown.
Phone is unrooted and running on Stock 4.1.2
Is there any way to get NAM1 back?
will Stock firmware flashing restore it?
This, almost exactly, is happening to me. See thread: forum.xda-developers.com/showthread.php?t=2436869&page=1
Stuck at Starting Services. I don't have a mobile carrier, that is fine, I only use Wifi. But Wifi and BT are both not working. If I hit ON, they turn back off instantly. Can go to notification bar and settings only, homescreen won't appear, apps won't run. Thanks to anyone for any help!
It is not the same as you didn't use QPST and your phone isn't screwed.
Back to your thread, there you'll get an answer.
@lovepreet39, I'll look into QPST (again, so not my first time) but I won't try anything out, so I will only guess what you could do.
QPST is a powerful tool, trying anything around there might break the phone.
Epicenter714 said:
This, almost exactly, is happening to me. See thread: forum.xda-developers.com/showthread.php?t=2436869&page=1
Stuck at Starting Services. I don't have a mobile carrier, that is fine, I only use Wifi. But Wifi and BT are both not working. If I hit ON, they turn back off instantly. Can go to notification bar and settings only, homescreen won't appear, apps won't run. Thanks to anyone for any help!
Please quit cross-posting. You've already created a thread dedicated to your issue, which is really all you needed - cross-posting dilutes the community effort, and we have quite a small community here.
I just flashed firmware again with RSD lite. Now phone booting properly and all features are available.
But it becomes useless because IMEI and MEID becomes zero.
I tried QPST, CDMA TOOL, CDMA Workshop
But I am unable to restore MEID.
Please any body here tell me how to restore MEID/IMEI
What happens if you select NAM1 again?
Have you made a backup of your configurations? (That was the first thing I did.)
Loader009 said:
What happens if you select NAM1 again?
Have you made a backup of your configurations? (That was the first thing I did.)
Now NAM1 and NAM2 both are blank, i have a NV item backup but restoring it does not do anything.
Is there any way?
I want my ESN/IMEI/MEID back.
It is a new phone and now it becomes useless.
Update, It is connecting to wifi, but not receiving any data, a mark on wifi is blinking on wifi symbol.
Same wifi is working on my HTC one x
Theoretically you could try to modify the MAC address of wifi and bluetooth etc. (just make sure it begins with the right symbols from the manufacturer).
This is only a temporary solution. (Mine begins with 80:96:B1:XX:XX:XX for both, wifi and bluetooth.)
My IMEI isn't printed anywhere if I remove the backplate. (Also not under the battery and the plastic plate.)
So if nobody knows where it could physically be, then there might be no way to get it. Except if you have the boxing, there is a chance that it's printed somewhere there.
If you have a backup, there may be a way to get it from there, I made both backups, the simple one (49KiB - modified, 48KiB unmodified) and the EFS-backup (496KiB - modified, no unmodified EFS-backup).
I'll test some programs from QPST and post the results.
edit: I might have found "part" of the IMEI.
Using the QCNView program from the QPST software pack I found a partial match to my IMEI.
Load the program, load your backup (make a backup of your backup! Just in case.)
Expand the "NV Items:" and scroll down to item #550 "NV_UE_IMEI_I".
Code:
Address 0 1 2 3 4 5 6 7 8 9 a b c d e f
NV_UE_IMEI_I 0: ab cd ef gh ij kl mn op qr st uv wx yz AB CD EF
This is a hex-styled code table. The first line "Address" isn't shown, it's for orientation.
My IMEI is partially built out of this table: _fghijklmnopqr_
Those two underlines "_" are not given in this table.
I think the first number is for the manufacturer and the last for variations. (You might have to research further for this.)
This way you have your IMEI nearly completely. But I'm not sure for MEID and ESN.
First number is 9 (it starts with "99") and last number is checksum (see Wiki), it's present only in IMEI and not MEID.
There is no problem with wifi MAC address, it is connecting without any problem, but not receiving any data.
and I have the original box with the original MEID/IMEI on that.
But the problem is that the CDMA tools have failed to restore that.
Please first tell me what happens to wifi, why it is not receiving data?
and is there any way to restore original MEID/IMEI?
Keep in mind i know original MEID/IMEI
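Since the last IMEI digit is the check digit mentioned above, it can be verified before anyone tries to write an IMEI back. The following is an added example (not code from any poster in this thread): the Luhn check-digit computation that IMEIs use, applied to the well-known example IMEI from the Wikipedia IMEI article the post refers to; the "99…" value is constructed here to match the poster's remark that his IMEI starts with 99. As the post says, this applies to the 15-digit IMEI only, not to the hex MEID.

```python
"""IMEI check-digit verification with the Luhn algorithm.
Added example for this thread; not from any poster or tool mentioned here."""


def luhn_check_digit(digits: str) -> str:
    """Return the Luhn check digit for a string of decimal digits.
    For an IMEI, pass the first 14 digits (8-digit TAC + 6-digit serial)."""
    if not digits.isdigit():
        raise ValueError("digits only")
    total = 0
    # Walk from the right: the rightmost of the 14 digits is doubled,
    # then every second digit after it; 10..18 collapses to its digit sum.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def normalize_imei(imei: str) -> str:
    """Strip the spaces/dashes people type into IMEIs."""
    return imei.replace(" ", "").replace("-", "")


def imei_is_valid(imei: str) -> bool:
    """True if imei is 15 decimal digits whose last digit is the Luhn check digit."""
    imei = normalize_imei(imei)
    if len(imei) != 15 or not imei.isdigit():
        return False
    return luhn_check_digit(imei[:14]) == imei[14]


def split_imei(imei: str):
    """Return (TAC, serial, check digit) for a 15-digit IMEI."""
    imei = normalize_imei(imei)
    if len(imei) != 15:
        raise ValueError("IMEI must have 15 digits")
    return imei[:8], imei[8:14], imei[14]


if __name__ == "__main__":
    for candidate in ("49 015420 323751 8", "990000000000002", "990000000000000"):
        print(candidate, "valid" if imei_is_valid(candidate) else "INVALID")
```

A value that fails this check was mistyped or read from the wrong place in a backup, so it is a cheap sanity test before trusting anything recovered from an NV item or a box label.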
If the MAC address is given correctly you should receive data over Wifi.
I don't know any reason why it shouldn't work since it has nothing to do with the rest.
Maybe the whole SoC is a bit malfunctioning as some data is missing and... I can just guess, I'm not a pro in linux or android.
I'll look into QPST later again, maybe there is a way to type the MEID in somewhere.
(I have to flash between cm10.2 and stock JB, that's why I don't do it right away.)
Yay, double post!
I researched a bit, we need access to the "nvm" folder within the EFS Explorer.
The "open sesame door" trick does not work, so I have no idea how to get access.
I'm searching for another solution but I think I won't find anything useful.
edit: Maybe this will work -> http://www.letitgrow.co/forum/viewtopic.php?f=40&p=183
Not tested. QXDM -> http://d-h.st/FW5 (Tested it right now, it's really for WinXP >.< Internet Explorer 6 or higher is needed O_O)
edit2: Using QCNView I also find "NV item: 1943" "NV_MEID_I". (Only in full EFS backup!)
The question is, how to get it on the phone. Maybe it will work to make a full EFS backup, modify (somehow, texteditor?) the file and reflash it.
But i do not have a EFS partition backup
I only have NV items backup.
and i already tried QPST on stock 4.0.3, It is not working.
I also tried Bluetooth, It is connecting to other devices, but not receiving any files/data.
This clearly shows there is something corrupted.
may be EFS partition is corrupted.
Any one here please give me a EFS partition backup and guide how to restore it.
For backup and restore you may use QPST Software Download.
Type in the SPC and choose the location for the file.
The program is self-explanatory, if you don't understand something, just ask.
I agree that something has to be corrupted but for now we should try to get MEID (and maybe ESN) back working.
With some luck the SoC needs these data to function correctly. If not, we may need to dig deeper.
But my knowledge was (at the beginning) only changing the UMTS used frequencies (that's what I used QPST for).
So I'm on explore and try. (And I'm using google to search for ways to restore ESN/MEID.)
Please note, a modification of the full EFS backup may not work, I'm sure there are some checksums somewhere to prevent corruption.
But that's the only way I see, without access to the nvm folder within the EFS Explorer.
As soon as the MEID/ESN/IMEI is working correctly again I recommend to flash the FXZ file, this may be enough to get everything working again.
edit: Please note, any backup within QPST (especially EFS and NV items) may contain MEID/IMEI/ESN.
You should never share it unless you know what you are doing. That's why I do not share my backups.
I am in India, if you are living outside India, then please share EFS with me via email.
Sharing is safe if you are not in india.
and i am on stock refresh rom.
Full name : asanti_c-user-4.0.4-7.7.1Q-6_SPR-125_ASA-10-11-release-keys-Sprint-US.xml
Now Connected to QPST, please tell me how to backup and restore.
Update: 1
I made a backup
in QCNviewer, the first item indicates ESN, but all zeros
Mobile Properties:
ESN: 0x00000000
Phone Model: 255 [Unknown Model]
NV Major: 0
NV Minor: 0
SW Version: M8960A-AAAANAZM-1.0.103205
Client Name: QPST Software Download 2.7.0.264
NV item: 0 [NV_ESN_I], index 0
NV_ESN_I 0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
NV_ESN_I 1: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
NV_ESN_I 2: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
NV_ESN_I 3: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
NV_ESN_I 4: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
NV_ESN_I 5: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
NV_ESN_I 6: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
NV_ESN_I 7: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
and "NV item: 1943" "NV_MEID_I not found
Update 2
I checked my old original backup which is made by NV-items_reader_writer
NV item: 0, have some values which is non zero.
and NV item: 1943 is also present and have non zero values.
So, i tried to restore with NV item r/w
Complete items - 1922
But after restore it alerts
1915 items have been restored successfully
My phone number and some other settings return to old.
But MEID/IMEI is still zero
Update 3
I tried CDMA tools and also tried to restore NV items.
But Unable to restore MEID/IMEI
I think it is due to Locked nvm folder.
Is there any way to unlock it?
I'm sorry but I won't share my EFS backup.
As I said you could try to modify your EFS backup with a hex editor.
This way you would modify the ESN and MEID and try to flash it back.
Please tell me which hex editor you use so I can give you the exact position of MEID and ESN.
You will modify these and look if the modification is a success.
If it's not, a modified EFS backup won't work.
Theoretically an unmodified backup may work, but I won't give my EFS backup.
I guess (as you too) that the nvm folder is locked and modifications on IMEI/MEID/ESN are not possible at the moment.
The trick (earlier) was to make a folder called "open sesame door" at root and then reboot but I tried this and it doesn't work.
You are right this trick is a fail for Photon Q.
As, i said i tried to restore my old backup which has IMEI,MEID,ESN.
But failed.
I think some nv items like MEID,IMEI,ESN are only readable, not writable.
The only way is to make them writable.
Only a linux/android can tell how a folder can be unlocked.
Phone is not accepting IMEI/MEID from original backup, so HEX editor is also use less.
Main problem is that NV item 1943 is missing from the phone.
Update 1:
I am not an expert
But this is my imagination
If we can find efs partition via ADB in pc
and then edit and replace it.
I searched google, there are some guides for efs fix via adb for samsung.
We can also chmod folder and files in adb.
So, may we chmod nvm partition in adb?
i think a root is required for that
We can simply use some commands
like cp, pull, push
what do you think?
That is an idea but I doubt that it will work.
Still worth a try.
Maybe this will help you to find out which partition you are looking for
-> http://forum.xda-developers.com/showthread.php?t=1959445
Looking at this tutorial (thx zodiac12345 for posting it) -> http://www.cricketusers.com/sprint-...-q-4g-lte-cricket-talk-text-mms-internet.html
There is a Video under "Send NV Items / QPST" and at 4 minutes he is going to do something I didn't do.
I don't know what for he is doing it but it seems to be necessary.
Maybe this will unlock the nvm folder but I haven't tested it. (Too lazy to flash Stock again.)

[Q] SoC based Universal Tool to unlock LTE bands

This is a question/project suggestion for devs. All newest models of most popular mobile CPUs, such as Snapdragon, Exynos, MediaTek and Kirin, have an onboard LTE modem which supports worldwide LTE - all 41 frequency bands. It pisses me off to no end that some manufacturers, like Huawei, discriminate against North America and release their flagship devices, such as Huawei MediaPad X2, Huawei P8Max, everywhere in the world but the US and Canada. They enable 3-4 desired LTE bands in the radio firmware, based on the region, and lock the rest. For a long while now I have been wondering if it would be possible to develop a set of universal tools, one per SoC, which would allow enabling any desired LTE band in the radio firmware?
If it's doable - I think this is a project, which would benefit millions of people, and remove all those stupid regional restrictions phone makers place, when they release devices. I am willing to setup either a Kickstarter or Indiegogo project, or even a simple PayPal account, so people could contribute to this cause, if there are any devs, interested in taking this on.
I found this thread: http://forum.xda-developers.com/galaxy-s5/general/how-to-add-rf-lte-frequency-bands-to-t2886059
It looks like a good start, but it's only for Qualcomm chips and a lot of manual steps. Similar guide for Kirin and MediaTek SoCs will be much appreciated.
@Apo11on I agree it sticks hopefully one of the capable devs could use mtk droid tools or unclemobile to unlock the lte bands.... One could only wish....
Nothing new here? I guess we could ask the mtk droid tools dev if this is something realistic.
I have tried to play around with nvram but nothing good came from that
I would really love to figure out how to unlock additional LTE bands with MTK. Any updates or progress on this that anyone knows of?
Hello from Turks and Caicos! Any chance to unlock additional LTE bands with Mediatek MTK ? I need to unlock band 17 on my MTK6735 Cubot X17!
Thanks in advance.
I was going to ask the same question. Is that even possible to unlock lte bands on MTK based phones?
I personally would like to do that to my UMI SUPER.
If anyone has been able to do so it would be awesome.
gafty said:
Hello from Turks and Caicos! Any chance to unlock additional LTE bands with Mediatek MTK ? I need to unlock band 17 on my MTK6735 Cubot X17!
Thanks in advance.
Any update on that??
I'd be interested also, especially for mediatek processors.
If this was made possible, that means any phone on the market would be instantly available. That would be too awesome to stand!!!!
Any news ?? I've got an Oukitel U13 and the same problem with the disabled bands.
Any update on this? Need to unlock bands for Doogee Mix 2
ROM work
jason2982 said:
Any update on this? Need to unlock bands for Doogee Mix 2
I have a U16 (similar to matip666's U13) that I tried to convert the ROM to the one from the BLU Life One X as described in this post npcglib.org/~stathis/blog/2016/04/13/turned-blu-life-one-x-wiko-fever-4g/ It bricked the U16, so I had to reinstall the original ROM from the U16 that I luckily found online. Does anyone know of another phone with the same hardware and software as the U16.....or tried anything like that on the Doogee Mix 2?
You got a hell of a tutorial to add LTE bands on a Qualcomm chipset! What about MTK chips, any chance anyone did the same? I've been roaming this forum for days and can't find anything that helps :-/. I got a Chinese Oukitel K6 and only one LTE band works ... man, I wish I could add some more
Pleasseeeeeeeeeeeee make this happen, my dumb ass bought an S50 and figured I could root it n make it work better than 2G, but no luck so far,,
any info would be much appreciated. I can only talk, text n send pics, I can't even open a web page..
Thanks Crip
Many people would benefit from development like this, especially with regards to MTK chipsets. I have noticed that engineering mode is left out of some newer devices' factory ROMs, which makes it even more difficult to obtain control of those settings.
Any news??!
Any news about the Hi-Silicon Kirin chipset [Fig-LX1]?
Some progress
Hello everyone, today I discovered a method of unlocking LTE bands on a MT6735M based phone (Alcatel One Touch PIXI 4). This might work on other MTK devices, but I have no way to test.
Everything you do is at your own risk and I'm not responsible if you brick your device! Always have the ROM backed up!
To perform this you need:
MTK EngineerMode access
SP FlashTool
Copy of the phone's stock ROM
A hex editor (I use HxD)
How to change the LTE unlocked bands:
1. In your phone's stock ROM folder, there should be a file called "nvram.bin"; open it in a hex editor.
2. In the hex editor, go to offset 00021920 (other SoCs might have a completely different offset for the LTE bands values, some might not even have the NVRAM file!)
That will look something like this:
Code:
00021920 FF FF FF FF FF FF FF FF FB FB 01 00 00 00 01 00
00021930 00 00 03 00 00 00 04 00 00 00 07 00 00 00 0D 00
00021940 00 00 11 00 00 00 14 00 00 00 05 00 00 00 08 00
I made the values for LTE band bold to make it easier to see, however in the hex editor you have to find the start and end yourself depending on the bands your phone has already unlocked.
In my case the unlocked bands are: 01, 03, 04, 07, 0D, 11, 14 or in decimal 1, 3, 4, 7, 13, 17, 20.
All you have to do is change those values. Remember it's in hexadecimal, so if you want to unlock for example band 28, you don't write 28, but 1C. Also don't add any extra to the file, just overwrite values.
After changing the bands, just save the file and flash it with SP FlashTool. (Load scatter file, only select nvram and select the location of the file you edited, then flash.)
Then in MTK Engineer Mode check if you succeeded by going to the Telephony tab, select BandMode and scroll down to LTE.
This worked for me, however I can't guarantee that it will work for you as well.
How can you find the right values in the NVRAM file? I personally spent about 40 minutes searching through the file to find these, though there might be a more efficient method.
I hope I can make this into an application which does everything automatically and for as many SoCs as possible. I'll give updates if I make any more progress on this.
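The byte layout the post describes, worked through in code. This is an added example, not code from the post or from MediaTek: it parses the post's hex dump rows into an image, reads the band list as 4-byte little-endian integers starting at 0x2192E (an assumption inferred from the dump; the first band sits right after the FB FB marker and a leading 01 00 00 00 word whose meaning the post does not explain), and swaps one band in place without changing the file size, which is the post's "just overwrite values" rule.

```python
"""Decode and rewrite the LTE band list in an MTK nvram.bin dump.

Added example, not code from the post or from MediaTek. Assumptions inferred
from the hex dump quoted in the post: each band is a 4-byte little-endian
integer, and the list starts at 0x2192E (right after the FB FB marker and a
leading 01 00 00 00 word whose meaning is not explained). The image below is
constructed from the post's three dump rows, zero-padded everywhere else.
"""
import struct

# Constructed from the dump in the post; every row holds the 16 bytes a
# dump row must contain, so the rows land at consecutive offsets.
SAMPLE_DUMP = """
00021920 FF FF FF FF FF FF FF FF FB FB 01 00 00 00 01 00
00021930 00 00 03 00 00 00 04 00 00 00 07 00 00 00 0D 00
00021940 00 00 11 00 00 00 14 00 00 00 05 00 00 00 08 00
"""
IMAGE_SIZE = 0x21950        # just enough to hold the three rows
BAND_LIST_OFFSET = 0x2192E  # assumption: first band entry
BAND_ENTRY_SIZE = 4         # assumption: uint32 little-endian per band


def hexdump_to_image(dump: str, image_size: int) -> bytearray:
    """Parse 'OFFSET B0 B1 ... B15' rows into a zero-filled image."""
    image = bytearray(image_size)
    for line in dump.strip().splitlines():
        fields = line.split()
        offset = int(fields[0], 16)
        data = bytes(int(b, 16) for b in fields[1:])
        if offset + len(data) > image_size:
            raise ValueError(f"row at {offset:#x} runs past the image")
        image[offset:offset + len(data)] = data
    return image


def read_bands(image: bytes, offset: int, count: int) -> list[int]:
    """Return `count` band numbers stored as uint32 LE starting at `offset`."""
    return [struct.unpack_from("<I", image, offset + i * BAND_ENTRY_SIZE)[0]
            for i in range(count)]


def replace_band(image: bytearray, offset: int, index: int, band: int) -> None:
    """Overwrite entry `index` in place, as the post says: never grow the file."""
    if not 1 <= band <= 0xFF:
        raise ValueError("LTE band numbers are small positive integers")
    struct.pack_into("<I", image, offset + index * BAND_ENTRY_SIZE, band)


def band_hex(band: int) -> str:
    """Decimal band number -> the byte typed into the hex editor (28 -> '1C')."""
    return f"{band:02X}"


def demo() -> tuple[list[int], list[int], int]:
    """Swap the post's band 20 (0x14) for band 28 (0x1C) and report the result."""
    image = hexdump_to_image(SAMPLE_DUMP, IMAGE_SIZE)
    before = read_bands(image, BAND_LIST_OFFSET, 7)   # the post's 7 bands
    replace_band(image, BAND_LIST_OFFSET, 6, 28)
    after = read_bands(image, BAND_LIST_OFFSET, 7)
    return before, after, len(image)


if __name__ == "__main__":
    before, after, size = demo()
    print("before:", before, "after:", after, "image size:", hex(size))
```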
Didex65 said:
Hello everyone, today I discovered a method of unlocking LTE bands on a MT6735M based phone (Alcatel One Touch PIXI 4). This might work on other MTK devices, but I have no way to test.
So was there any of the bands that you activated not come with your device? I guess what im trying to figure out is what lte bands can we actually activate that is compatible with our cpus? Thanks.
Didex65 said:
Hello everyone, today I discovered a method of unlocking LTE bands on a MT6735M based phone (Alcatel One Touch PIXI 4). This might work on other MTK devices, but I have no way to test.
So I figured out my device's complete block list. However it's telling me that it's a read-only file system. Stock ROM doesn't have this to be flashed. Thanks

[GUIDE] How to change SKUID to Worldwide or China (Root required)

FIH-made Android phones with Android 8.0 installed out of the factory can't switch SKUID by OST LA without service permission.
Changing SKUID will allow you to pass SafetyNet, especially for the Nokia 7 plus converted from the TA-1062 China variant.
If you're from China, see the Chinese translation of this guide:
https://dospy.wang/forum.php?mod=viewthread&tid=154&extra=page=1
Here's the procedure:
1. Bootloader must be unlocked and you must get your phone rooted.
2. Use a terminal emulator or adb shell to execute these commands:
Code:
$ su
(Accept root permission on your phone)
# dd if=/dev/block/bootdevice/by-name/deviceinfo of=/storage/emulated/0/deviceinfo.img
WARNING: YOU MUST USE YOUR OWN DEVICEINFO, DO NOT ASK ANY OTHERS FOR THIS DUMP.
THIS PARTITION CONTAINS YOUR IMEI AND SERIAL, AND CRUCIAL DRM KEY, SERVICE KEY THAT ALLOWS YOU TO FLASH PARTITION.
3. Use a Hex Editor to open deviceinfo.img placed at root directory of internal storage.
4. Go to offset 0x13B0; you should see data that looks like this:
Code:
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
00001380 53 4B 55 49 44 00 00 00 00 00 00 00 00 00 00 00 SKUID
00001390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000013A0 53 4B 55 63 68 61 6E 67 65 00 00 00 00 00 00 00 SKUchange
000013B0 36 30 30 43 4E 00 00 00 00 00 00 00 00 00 00 00 600CN
On Nokia 6 (TA-1000) or any other variants, you may not see string "SKUchange" from offset 0x13A0 to 0x13A8, which is normal.
5. Modify the values at 0x13B3 and 0x13B4 to 57, which is ASCII "W".
Code:
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
00001380 53 4B 55 49 44 00 00 00 00 00 00 00 00 00 00 00 SKUID
00001390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000013A0 53 4B 55 63 68 61 6E 67 65 00 00 00 00 00 00 00 SKUchange
000013B0 36 30 30 57 57 00 00 00 00 00 00 00 00 00 00 00 600WW
5. Save it as deviceinfo_mod.img.
6. Copy it to internal storage if you modify it on a PC, then execute these commands with a terminal emulator or adb shell:
Code:
$ su
# dd if=/storage/emulated/0/deviceinfo_mod.img of=/dev/block/bootdevice/by-name/deviceinfo
7. Reboot your phone, reflash global firmware and relock your phone if you wish:
Code:
fastboot flashing lock_critical
(Confirm on your phone)
fastboot oem lock-go
(Confirm on your phone again)
8. Now your phone is completely converted to global version which can pass SafetyNet - you can use Google Pay normally now.
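The edit from steps 3 to 5, carried out in code with the checks you would otherwise do by eye. This is an added example, not the guide author's tool: it works on a constructed stand-in for deviceinfo.img laid out exactly as the guide's hex listing (the "SKUID" label at 0x1380, "600CN" at 0x13B0), refuses to touch anything that does not match that layout, and returns a modified copy of identical size so the original dump stays untouched as the backup.

```python
"""Patch the SKUID region letters in an FIH deviceinfo dump (CN -> WW).

Added example, not from the guide's author. Offsets follow the guide:
0x1380 'SKUID' label, 0x13B0 '600CN' value, bytes 0x13B3-0x13B4 -> 'W'.
The dump below is constructed to match the guide's hex listing; a real
deviceinfo partition also carries IMEI, serial and keys, so never share it.
"""
import hashlib

SKUID_LABEL_OFFSET = 0x1380
SKUID_VALUE_OFFSET = 0x13B0
REGION_OFFSET = 0x13B3        # the two region letters inside "600CN"


def constructed_deviceinfo(size: int = 0x2000) -> bytearray:
    """Zero-filled stand-in for deviceinfo.img with the guide's fields placed."""
    img = bytearray(size)
    img[SKUID_LABEL_OFFSET:SKUID_LABEL_OFFSET + 5] = b"SKUID"
    img[0x13A0:0x13A9] = b"SKUchange"   # absent on some variants; not required
    img[SKUID_VALUE_OFFSET:SKUID_VALUE_OFFSET + 5] = b"600CN"
    return img


def current_skuid(img: bytes) -> str:
    """Return the NUL-terminated SKUID string at 0x13B0 (e.g. '600CN')."""
    raw = bytes(img[SKUID_VALUE_OFFSET:SKUID_VALUE_OFFSET + 16])
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def patch_skuid(img: bytes, region: str = "WW") -> bytearray:
    """Return a copy with the region letters replaced; refuse unknown layouts.

    The checks mirror what the guide tells you to eyeball in the hex editor:
    the 'SKUID' label must be at 0x1380 and the value must have the '600??'
    shape. The input is never modified and the copy has the same length,
    which dd needs when writing it back to the partition.
    """
    if bytes(img[SKUID_LABEL_OFFSET:SKUID_LABEL_OFFSET + 5]) != b"SKUID":
        raise ValueError("no SKUID label at 0x1380; wrong partition or offset")
    if len(region) != 2 or not region.isalpha() or not region.isupper():
        raise ValueError("region must be two upper-case ASCII letters")
    if not current_skuid(img).startswith("600"):
        raise ValueError(f"unexpected SKUID {current_skuid(img)!r}")
    out = bytearray(img)
    out[REGION_OFFSET:REGION_OFFSET + 2] = region.encode("ascii")
    return out


def sha256_hex(data: bytes) -> str:
    """Fingerprint to record before and after, so the dd round trip can be checked."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    original = constructed_deviceinfo()
    modified = patch_skuid(original)
    print(current_skuid(original), "->", current_skuid(modified))
    print("original sha256:", sha256_hex(original))
    print("modified sha256:", sha256_hex(modified))
```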
good job
It works~
After doing this and converting from CN version to Android One, the first splash is changed to Android One , not Powered By Android.
Thank you, I have used your method to successfully modify my SKUID to 600WW.
hikari_calyx said:
FIH made Android Phones with Android 8.0 out of factory installed can't switch SKUID by OST LA without service permission.
Can I use a China SIM card?
hackjackyer said:
Can I use a China SIM card?
Can use China SIM card, mine is China Mobile and China Telecom, dual 4G online
Hi everyone, before editing the hex and everything, can you tell me how to unlock the bootloader of the Nokia 7 plus? (TA-1062)
I succeeded and changed my boot UI to Android One, then I flashed my phone to 213E by OST and got the June patch, but it still shows uncertified in the Play Store. Will it affect OTA? (T1046 unlocked)
MUGIW said:
I succeeded and changed my boot UI to Android One, then I flashed my phone to 213E by OST and got the June patch, but it still shows uncertified in the Play Store. Will it affect OTA? (T1046 unlocked)
It won't affect OTA. If you wanna make it certified, you need to relock the bootloader. Just the same methods as unlocking the BL.
fastboot flash unlock unlock.bin
fastboot oem lock
fastboot flash unlock unlock.bin
fastboot flashing lock_critical
SUN Huayan said:
It works~
After doing this and converting from CN version to Android One, the first splash is changed to Android One , not Powered By Android.
which device u use?
juwelrana091 said:
which device u use?
Nokia 7 Plus TA-1062 Chinese Version
SUN Huayan said:
Nokia 7 Plus TA-1062 Chinese Version
What firmware version were you on and how did you root?
It worked! This needs to be added to the china conversion thread.
Thanks so much
I broke it
Actually, I really stuffed up.
My TA-1062 was rooted and unlocked bootloader, went to follow the guide.
Updated and copied over the device_info.img
Then I did the steps out of order and my device is stuck in download mode.
I relocked my bootloader, which wiped the device, and I thought this was reflashing global firmware, which it wasn't.
After the device had wiped itself, I then used magisk manager to remove root, which then caused the phone to only boot to download mode.
I then re-unlocked my bootloader, then I used the deprecated instructions here to try and reflash my device, but the vendor, e2p_script and formatuserdata commands failed. My phone is now still stuck in download mode.
I also tried to reflash using OST 6.1.2 patched, but it seems to get stuck on Reflash Service Bootloader (900sec)
Any tips on how to fix this?
Thanks,
Tom
Thanks!
Getting root took me a while, but with this guide and some others I finally pass SafetyNet.
tomascivinod said:
Actually, I really stuffed up.
Can you get into recovery mode? (Volume Up and Power until it buzzes, then Volume Up and Power again to bring up the adb screen.) If so, you should be able to adb sideload from there.
I can't seem to get this to stick. My About phone still shows TA-1062.
How would I know if this worked?
Should I then flash the worldwide TWRP over the 1062 flash as well?
Surgent said:
I can't seem to get this to stick. My About phone still shows TA-1062.
Yeah it will still show TA-1062. The difference is that it will show the 'WW' model instead of 'CN'. I knew mine had stuck when the play SafetyNet checker showed a pass.
Here's what I did:
1. Unlocked bootloader and critical bootloader
2. Rooted.
3. Followed this guide to make the change.
4. Uninstalled Magisk (basically unrooting)
5. Relock bootloader and critical bootloader
6. Sideloaded the stock Oreo image
And everything is hunky dory. You could also sideload the P beta image from Nokia as well.
shiftybugger said:
Yeah it will still show TA-1062. The difference is that it will show the 'WW' model instead of 'CN'. I knew mine had stuck when the play SafetyNet checker showed a pass.
Have you received the August ota since doing this?
Yep, got August the day before yesterday.
