Hi All,
Just a few days ago i managed to flash the ARA Rom onto my Vox. My earlier OS (1.22) had stopped booting. With help from MoRkusReX i was able to flash the new ROM.
After 2 days of working fine, it has again stopped booting. It went off on its own and now is not booting into the OS. It gets stuck on the Windows Mobile Screen.
Can any one point out the problem? Is it a hardware issue or sumthing coz even after flashing the phone, it seems to be giving the same problem.
Somebody please provide a solution to this as repeated problems are encouraging me to shift to a P1i or some other phone.
Thanks,
Prateek
Try first to boot w/o sd card, if it doesn't help boot w/o sim card. If that doesn't help try hard reset, and if nothing helps flash another rom.
which programs have you installed?
When I installed Hebrew pack I didn't have any problems until two days later when I reset the phone. Then it wouldn't boot. After a few tries I figured it's the Hebrew pack doing it. So could be something you've installed.
so:
1. try to remember what's installed.
2. try Hard Reset\ Flash again and give it a few days without installing any program just to see if it happens by itself.
Have tried ...
Have tried hard reset and it functioned okay for 5 mins or so...after that it just hung! Repeated rebooting attempts just reach the Windows Mobile Screen.
Tried reflashing my ROM..says invalid vendor ID...so will need to boot it to flash it like the last time .....
Should i do another hard reset....
Sometimes when it boots (even in hard reset) it does not recognize my SIM..."phone off" mode...even though the SIM is there...
Dont know what to do now...
And did u try booting *without* both SD and SIM?
Booting without SIM and SD...
Yes...i have tried booting without SD and SIM and even tried Hard reset without them....even the hard reset does not boot into the OS...i have tried about 20 times to boot with interval of 5 times for hard reset...no luck....
Can't even flash a new ROM because of Invalid Vendor ID....
Any suggestions?
prateekswarup said:
Can't even flash a new ROM because of Invalid Vendor ID....
Any suggestions?
You can flash with my uspl (see sticky)
Invalid Vendor ID
Hi jockyw2001,
I have already downloaded ur UPSL....but to run the UPSL i need to have the phone booted....as first I need to SDA unlock...that only works if my phone is booted to the OS right? From the bootloader the UPSL or the SDA unlock just dont work...so how do i do it from the bootloader...??
I faced the same problem when flashing my phone the 1st time...luckily i was able to boot to the OS once...where i UPSL and flashed the device....looks like my luck has run out this time
Thanks,
Prateek
From the bootloader you can flash a rom with matching CID and ModelID.
matching CID & Model ID?
How do i get the matching CID and Model ID...
Model ID=HTC S710 (sim unlocked)
CID?
I think i can get the model id and cid from the mtty tool that lets me talk to the phone from the bootloader...but where can i get a corresponding ROM matching my phone ?
Sorry if its a dumb question...
Prateek
He already tried from the bootloader.
For some reason even from there he doesn't have a connection, but it does say "USB" on the Vox's screen.
I thought maybe it has to do with the computer but he tried on an XP computer as well.
prateekswarup said:
How do i get the matching CID and Model ID...
Model ID=HTC S710 (sim unlocked)
CID?
I think i can get the model id and cid from the mtty tool that lets me talk to the phone from the bootloader...but where can i get a corresponding ROM matching my phone ?
Sorry if its a dumb question...
Prateek
Did u flash my uspl? If not you will have to find out cid by sniffing the RUU update process with a USB sniffer such as USB Monitor or Bus Hound.
Once you know these, you can compare CID and ModelID by opening various official ROM update files (RUU-xxxx files on the XDA ftp site, do a search) in a hexeditor.
Yeah I know, life is a *****
Yes i did flash using ur USPL...then the phone conked out again and since then i cannot boot into the OS...i guess i'll have to try using MTTY tool to sniff out the CID and then search for the corresponding ROM...
ya i know....this sux..
Prateek
prateekswarup said:
...i guess i'll have to try using MTTY tool to sniff out the CID and then search for the corresponding ROM...
Yes exactly. In bootloader mode connect with MTTY.
First type: "password BsaD5SeoA"
Now start your sniffer and type "getdevinfo" in MTTY. You will get both model and vendor ID (CID).
After that you can stop sniffing and type:
ruurun 0
ResetDevice
My trace looks like this:
Code:
Bus Hound 5.00 capture. Complements of www.perisoft.net
cid.txt
Data - Hex dump of the data transferred
Descr - Description of the phase
Phase - Phase Type
DI Data in
DO Data out
Data Description Phase
-------------------------------------------------- ---------------- -----
0d . DO
0d 0a .. DI
0d 0a .. DI
43 6d 64 3e Cmd> DI
0d . DO
0d 0a .. DI
0d 0a .. DI
43 6d 64 3e Cmd> DI
67 g DO
67 g DI
65 e DO
65 e DI
74 t DO
74 t DI
64 d DO
64 d DI
65 e DO
65 e DI
76 v DO
76 v DI
69 i DO
69 i DI
6e n DO
6e n DI
66 f DO
66 f DI
6f o DO
6f o DI
0d . DO
0d 0a .. DI
44 65 76 69 63 65 20 4d 6f 64 65 6c 20 49 44 20 Device Model ID DI
3d 20 56 20 4f 20 58 20 30 20 31 20 30 20 31 20 = V O X 0 1 0 1
30 20 30 20 00 20 00 20 00 20 00 20 00 20 00 20 0 0 . . . . . .
00 20 00 20 00 20 00 20 00 20 00 20 00 20 . . . . . . .
00 20 . DI
00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 . . . . . . . . DI
00 20 0d 0d 0a . ...
48 54 43 53 HTCS DI
56 4f 58 30 31 30 31 30 30 00 00 00 00 00 00 00 VOX010100....... DI
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
48 54 43 5f 5f 31 30 32 00 00 00 00 00 00 00 00 HTC__102........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............
00 00 .. DI
0b df a7 6a ...j DI
48 54 43 45 HTCE DI
0d 0a .. DI
43 6d 64 3e Cmd> DI
ROM!
Well sniffed out the CID but cannot find the 1.22 ROM that I need....How is it that i have already installed a new ROM that i still have to CID unlock it...?
Also, since my original ROM was 1.22 i think flashing with the same ROM might get me back the phone....
As of now i cannot even boot into the OS and even hard reset does not boot ....any suggestions....??
The bootloader can be accessed from Mtty through the USB...
Plz help!
Prateek
prateekswarup said:
Well sniffed out the CID but cannot find the 1.22 ROM that I need....How is it that i have already installed a new ROM that i still have to CID unlock it...?
Also, since my original ROM was 1.22 i think flashing with the same ROM might get me back the phone....
As of now i cannot even boot into the OS and even hard reset does not boot ....any suggestions....??
The bootloader can be accessed from Mtty through the USB...
Plz help!
Prateek
What is your CID and ModelID?
Model ID and CID..
I used Bus Hound and mtty and here is the result...
mtty> getdevinfo
Device Model ID = V O X 0 1 0 1 0 0 HTCSVOX010100pÑXHTCE
bushound>
Vox
Device - Device ID (followed by the endpoint for USB devices)
(23) SmartPhone USB Sync
Phase - Phase Type
DI Data in
DO Data out
Data - Hex dump of the data transferred
Descr - Description of the phase
Cmd... - Position in the captured data
Device Phase Data Description Cmd.Phase.Ofs(rep)
------ ----- ------------------------ ---------------- ------------------
23.3 DO 67 g 1.1.0
23.2 DI 67 g 2.1.0
23.3 DO 65 e 3.1.0
23.2 DI 65 e 4.1.0
23.3 DO 74 t 5.1.0
23.2 DI 74 t 6.1.0
23.3 DO 64 d 7.1.0
23.2 DI 64 d 8.1.0
23.3 DO 65 e 9.1.0
23.2 DI 65 e 10.1.0
23.3 DO 76 v 11.1.0
23.2 DI 76 v 12.1.0
23.3 DO 69 i 13.1.0
23.2 DI 69 i 14.1.0
23.3 DO 6e n 15.1.0
23.2 DI 6e n 16.1.0
23.3 DO 66 f 17.1.0
23.2 DI 66 f 18.1.0
23.3 DO 6f o 19.1.0
23.2 DI 6f o 20.1.0
23.3 DO 0d . 21.1.0
23.2 DI 0d 0a .. 22.1.0
23.2 DI 44 65 76 69 63 65 20 4d Device M 23.1.0
23.2 DI 00 20 . 24.1.0
23.2 DI 00 20 00 20 00 20 00 20 . . . . 25.1.0
23.2 DI 48 54 43 53 HTCS 26.1.0
23.2 DI 56 4f 58 30 31 30 31 30 VOX01010 27.1.0
23.2 DI 00 00 .. 28.1.0
23.2 DI 70 02 d1 58 p..X 29.1.0
23.2 DI 48 54 43 45 HTCE 30.1.0
23.2 DI 0d 0a .. 31.1.0
23.2 DI 43 6d 64 3e Cmd> 32.1.0
Is this okay?
Make following settings in Bus Hound and do it again.
In phases to capture check only:
CTL USB Control
DI Data in
DO Data out
In columns to display only check first 3 checkboxes (Data, Descr and Phase)
Do not check "Merge repeated commands"
In Stop when ... only check Buffer Full
Set Buffer size to 60000 Kbytes
Set Max Phase to 10000 bytes
PS: I'm using Bus Hound 5.0
Bus Hound 5.0
I'm using the freeware version of Bus Hound 5.0 so cannot change the buffer or the cycle size...however..doing everything else..i got the following output...
Bus Hound 5.00 capture. Complements of www.perisoft.net
Vox
Phase - Phase Type
DI Data in
DO Data out
Data - Hex dump of the data transferred
Descr - Description of the phase
Phase Data Description
----- -------------------------------------------------- ----------------
DO 67 g
DI 67 g
DO 65 e
DI 65 e
DO 74 t
DI 74 t
DO 64 d
DI 64 d
DO 65 e
DI 65 e
DO 76 v
DI 76 v
DO 69 i
DI 69 i
DO 6e n
DI 6e n
DO 66 f
DI 66 f
DO 6f o
DI 6f o
DO 0d .
DI 0d 0a ..
DI 44 65 76 69 63 65 20 4d Device M
DI 00 20 .
DI 00 20 00 20 00 20 00 20 . . . .
DI 48 54 43 53 HTCS
DI 56 4f 58 30 31 30 31 30 VOX01010
DI 00 00 ..
DI 70 02 d1 58 p..X
DI 48 54 43 45 HTCE
DI 0d 0a ..
DI 43 6d 64 3e Cmd>
Is this sufficient?
Also have attached the file...
Prateek
You forgot this:
Code:
Do *not* check "Merge repeated commands"
uncheck that option!
Related
cross posting from universal upgrading ... can someone kill the other thread ?
can someone assist me in changing the nk.exe in a way that allows me to change the deviceid from PU10 to HERM100
i succeeded in hexediting the hk.nba from PU10 to HERM with the confirmation that Getdevice data recognizes it as HERM
http://wiki.xda-developers.com/index...=GetDeviceData
there are 2 places in the nk.nba where the device type is found
00007074h: 48 00 45 00 52 00 4D ; H.E.R.M
00316c74h: 48 00 45 00 52 00 4D ; H.E.R.M
i need to get H.E.R.M.1.0.0 instead (6 bytes to insert)
00007050h: 2C 00 25 00 64 00 2C 00 20 00 4E 00 61 00 6D 00 ; ,.%.d.,. .N.a.m.
00007060h: 65 00 20 00 69 00 73 00 20 00 25 00 73 00 0D 00 ; e. .i.s. .%.s...
00007070h: 0A 00 00 00 48 00 45 00 52 00 4D 00 00 00 00 00 ; ....H.E.R.M.....
00007080h: 4F 45 4D 47 65 74 43 50 4C 44 5F 47 50 49 4F 28 ; OEMGetCPLD_GPIO(
after dumping the rom including the boot XIP i found that the nk.exe contains this data.
the reason to do it is to "help" bbconnect to recognize it as a hermes
anyone can assist me ?
Hi,
Just a thought - wouldn't it be easier to patch BB Connect to recognise the PU10. I would have thought it tricky to "insert" any bytes, and for nk.exe to work, but to shorten a string in a file might work by either terminating the shorter string with a 00 null byte, leaving its full length intact, or if it's got a preceding length attribute, then simply amend that to the shorter value, i.e. from 7 to 4?
Cheers,
Steve.
Hi Friends,
Sincere apologies for not being able to reply your posts & PM's as I have been keeping very busy for the past 3 months.
Since I was on my 1-week vacation, I thought of working on your problems, and have come up with the updated version of this tool. Hope it resolves all your issues.
You would not get any annoying pop-up with this tool now, only the one that has your unlock code...
Steps :
1. Copy 'Cert_SPCS.cab' on your phone & install(run).
2. Copy 'EnableRapi.cab' on your phone & install(run).
3. Establish an Activesync connection with your phone.
4. Unzip the zip file & Run 'Unlock_Touch.exe' on your PC. ( New Unlocker)
5. File 'unlock_code.txt' thus generated will have your unlock code( Eight-digit number).Ignore any other digits if generated.
I HAVE BROKEN THE LCD OF MY HTC TOUCH SO HAVE COME DOWN TO MY NOKIA 6600. INCONVENIENCE, IF ANY, IS REGRETTED.
Cheers,
rishi2504.
You could sponsor me a beer( LCD Screen for my broken Touch) by donating to my Paypal ID - [email protected], if you like this solution...
great. thanks for sharing specially coming from the author itself.
doesnt work
MEBSY said:
doesnt work
... why? ...
Do you also have a solution for the herald ? also cid unlocking?
Congrats rishi2504!
Just a few comments about your unlocker:
1) Unlocker needs itsutils.dll and pdocread.exe in folder c:\unlocker otherwise it doesn't work
2) device needs to be RAPI unlocked first
3) unlocker reads 8 bytes starting at offset 0xfc of BK1C, this will work on most touch devices, but not on all, see example output:
Here it will work:
Code:
000000d0 33 37 32 33 30 30 34 30 34 00 00 00 33 35 35 31 |372300404...3551|
000000e0 31 31 31 31 31 31 31 31 31 31 31 00 00 00 00 00 |11111111111.....|
000000f0 00 00 00 00 00 00 00 00 00 00 00 00 37 32 31 32 |............7212|
00000100 36 31 33 32 00 00 00 00 00 00 00 00 32 34 00 00 |6132........24..|
00000110 00 00 00 00 00 00 00 00 00 00 00 00 30 30 31 30 |............0010|
Here it will not work, the unlock code is at a different offset:
Code:
000000d0 00 00 00 00 34 30 42 46 42 37 32 34 30 35 35 35 |....40BFB7240555|
000000e0 36 00 00 00 33 35 35 30 30 30 30 30 30 30 30 30 |6...355000000000|
000000f0 30 30 30 00 00 00 00 0f 00 00 00 00 00 00 00 00 |000.............|
00000100 00 00 00 00 34 30 35 34 31 37 31 34 00 00 00 00 |....40541714....|
00000110 00 00 00 00 32 34 00 00 00 00 00 00 00 00 00 00 |....24..........|
To fix this I suggest dumping 20 bytes starting at offset 0xf8
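As an added example (my code, neither rishi2504's unlocker nor pof's), here is the comparison pof is making in Python: reading a fixed 8 bytes at 0xfc versus dumping 20 bytes from 0xf8 and picking out the 8-digit run inside that window. Both hex dumps are copied from the post above; the small hexdump parser is my own.

```python
# Added example (my code, not rishi2504's unlocker or pof's): locate the
# 8-digit code in the BK1C region using both strategies from the post above,
# fixed 8 bytes at 0xfc versus a bounded scan of 20 bytes from 0xf8.
import re

# Both dumps are copied from pof's post; the layout difference is the point.
DUMP_WORKS = """
000000d0 33 37 32 33 30 30 34 30 34 00 00 00 33 35 35 31 |372300404...3551|
000000e0 31 31 31 31 31 31 31 31 31 31 31 00 00 00 00 00 |11111111111.....|
000000f0 00 00 00 00 00 00 00 00 00 00 00 00 37 32 31 32 |............7212|
00000100 36 31 33 32 00 00 00 00 00 00 00 00 32 34 00 00 |6132........24..|
00000110 00 00 00 00 00 00 00 00 00 00 00 00 30 30 31 30 |............0010|
"""

DUMP_FAILS = """
000000d0 00 00 00 00 34 30 42 46 42 37 32 34 30 35 35 35 |....40BFB7240555|
000000e0 36 00 00 00 33 35 35 30 30 30 30 30 30 30 30 30 |6...355000000000|
000000f0 30 30 30 00 00 00 00 0f 00 00 00 00 00 00 00 00 |000.............|
00000100 00 00 00 00 34 30 35 34 31 37 31 34 00 00 00 00 |....40541714....|
00000110 00 00 00 00 32 34 00 00 00 00 00 00 00 00 00 00 |....24..........|
"""


def parse_hexdump(text: str):
    """Turn hexdump -C style lines into (base_offset, bytes); lines must be contiguous."""
    base, out = None, bytearray()
    for line in text.strip().splitlines():
        off_str, rest = line.split(None, 1)
        off = int(off_str, 16)
        if base is None:
            base = off
        elif off != base + len(out):
            raise ValueError(f"gap in dump before offset {off:#x}")
        out += bytes.fromhex(rest.split("|", 1)[0])
    return base, bytes(out)


def read_fixed(base: int, data: bytes, offset: int = 0xFC, length: int = 8):
    """Original approach: exactly `length` bytes at `offset`, valid only if all digits."""
    chunk = data[offset - base:offset - base + length]
    return chunk.decode("ascii") if len(chunk) == length and chunk.isdigit() else None


def scan_window(base: int, data: bytes, start: int = 0xF8, length: int = 20):
    """pof's suggestion: dump 20 bytes from 0xf8 and take the 8-digit run inside.
    Bounding the window matters: the block holds other digit runs (for example
    the 15-digit run at 0xdc in the first dump) that an unbounded scan would
    return first. Returns (code, file_offset) or None."""
    window = data[start - base:start - base + length]
    m = re.search(rb"[0-9]{8}", window)
    return (m.group().decode("ascii"), start + m.start()) if m else None


if __name__ == "__main__":
    for label, dump in (("works", DUMP_WORKS), ("fails", DUMP_FAILS)):
        base, data = parse_hexdump(dump)
        print(label, "fixed@0xfc:", read_fixed(base, data),
              "window:", scan_window(base, data))
```

On the first dump both methods agree (code at 0xfc); on the second the fixed read returns None because the bytes at 0xfc are NUL, while the 20-byte window finds the run at 0x104, which is the last position the window can still hold.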
pof said:
Congrats rishi2504!
Just a few comments about your unlocker:
1) Unlocker needs itsutils.dll and pdocread.exe in folder c:\unlocker otherwise it doesn't work
It shouldn't really happen coz I have attached these two with the utility...lemme check that...
2) device needs to be RAPI unlocked first
Correct...I forgot to mention about that....
3) unlocker reads 8 bytes starting at offset 0xfc of BK1C, this will work on most touch devices, but not on all, see example output:
Here it will work:
Code:
000000d0 33 37 32 33 30 30 34 30 34 00 00 00 33 35 35 31 |372300404...3551|
000000e0 31 31 31 31 31 31 31 31 31 31 31 00 00 00 00 00 |11111111111.....|
000000f0 00 00 00 00 00 00 00 00 00 00 00 00 37 32 31 32 |............7212|
00000100 36 31 33 32 00 00 00 00 00 00 00 00 32 34 00 00 |6132........24..|
00000110 00 00 00 00 00 00 00 00 00 00 00 00 30 30 31 30 |............0010|
Here it will not work, the unlock code is at a different offset:
Code:
000000d0 00 00 00 00 34 30 42 46 42 37 32 34 30 35 35 35 |....40BFB7240555|
000000e0 36 00 00 00 33 35 35 30 30 30 30 30 30 30 30 30 |6...355000000000|
000000f0 30 30 30 00 00 00 00 0f 00 00 00 00 00 00 00 00 |000.............|
00000100 00 00 00 00 34 30 35 34 31 37 31 34 00 00 00 00 |....40541714....|
00000110 00 00 00 00 32 34 00 00 00 00 00 00 00 00 00 00 |....24..........|
To fix this I suggest dumping 20 bytes starting at offset 0xf8
Correct again...but I tested it on the Indian ones, and found no reason why it shouldn't work on other versions...thanks for the suggestion...appreciated....!! This forum thrives on experts like you !!
Will update the instructions and post the updated unlocker..
cheers,
rishi2504
Update : Corrected version is posted now along with RAPI Unlocking files.
i am going to give it a try
after putting itsutils.dll in windows(mobile) dir and pdocread.exe in the C:/unlocker folder it worked just fine
http://wiki.xda-developers.com/index.php?pagename=XdaUtils
Thanks Thanks Thanks
Special thanks to rishi2504 and pof
Works perfect on my MDA Touch
Thanks a lot...
Worked fine for me. Cheers.
Thanks, finally using my Vodafone simcard on my MDA Touch
worked like a freeking charm!
if i'd were gay (or you a women) i'd give you a thousand kisses!
hey rishi.. ur my hero
i followed the instructions but the notepad generated contains nothing...
just blank file....i have the itsutils.dll file needed and the pcdocread.exe..
whats do you think is wrong?.... i dont know what network it is locked to....
any suggestions???
i am getting an error message as follows
"Application created with unregistered version of Quick Batch File Compiler."
The note pad generated is blank.
please help
rgds
SS
same here with orange fr as network... Any ideas ?
Hey Rishi. I guess I am in a fix now. The notepad file created named code contains nothing.
AL also tried the other method, the one given earlier but the unlock code did not change. I mean it is the same as it was before me running the process.
Please dear help me out
Rajeev
rajismine said:
Hey Rishi. I guess I am in a fix now. The notepad file created named code contains nothing.
AL also tried the other method, the one given earlier but the unlock code did not change. I mean it is the same as it was before me running the process.
Please dear help me out
Rajeev
i had the same but after coppy itsutils.dll ( http://wiki.xda-developers.com/index...ename=XdaUtilsin ) to your windows dir on your mobile phone and pdocread.exe in the C:/unlocker folder (where you extracted Elf_Unlocker.zip ) on your pc it worked just fine
with the earlier unlocker i had the same problem as you did. The imei and unlock code did not change.
Dont forget to run Cert_SPCS.cab (1st) and then EnableRapi.cab (2nd)
good luck
Hey Dear
which is the windows mobile directory. Please help yaar
Dont forget to run Cert_SPCS.cab (1st) and then EnableRapi.cab (2nd)
good luck
Hey How to run these files. I just copied them to "Mobile Device" folder in my computer and it extracted something. Is it what you mean by running???
hi,
i've bought a Utano Barrier T180 outdoor android phone and i want to root it. it has android 2.3.5.1 installed and i tried already:
universalAndroot app
z4root app
the zergRush exploit
everything isn't working. zergRush means:
Code:
[-] Hellions with BLUE flames !
any idea what that mean and if there is still a chance to do it over the exploit.
another way would be to modify the recovery image. if I look a little closer it seems to be an unencrypted image in some container format:
hd /tmp/a/image/factory.mbn
Code:
00000000 80 10 00 00 00 10 02 00 49 6d 61 67 65 20 66 69 |........Image fi|
00000010 6c 65 20 77 69 74 68 20 68 65 61 64 65 72 00 00 |le with header..|
00000020 01 02 00 00 62 61 64 5f 62 6c 6f 63 6b 5f 62 79 |....bad_block_by|
00000030 74 65 5f 61 64 64 72 65 73 73 20 3d 20 32 30 30 |te_address = 200|
00000040 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |0...............|
00000050 70 61 67 65 5f 62 79 74 65 73 5f 75 73 65 72 20 |page_bytes_user |
00000060 20 20 20 20 20 20 20 3d 20 32 30 34 38 00 00 00 | = 2048...|
00000070 62 6c 6f 63 6b 5f 70 61 67 65 73 20 20 20 20 20 |block_pages |
00000080 20 20 20 20 20 20 20 3d 20 36 34 00 00 00 00 00 | = 64.....|
00000090 64 65 76 69 63 65 5f 62 6c 6f 63 6b 73 20 20 20 |device_blocks |
000000a0 20 20 20 20 20 20 20 3d 20 34 30 39 36 00 00 00 | = 4096...|
000000b0 64 61 74 61 5f 77 69 64 74 68 20 20 20 20 20 20 |data_width |
000000c0 20 20 20 20 20 20 20 3d 20 31 36 00 00 00 00 00 | = 16.....|
000000d0 64 65 76 69 63 65 5f 4d 42 79 74 65 20 20 20 20 |device_MByte |
000000e0 20 20 20 20 20 20 20 3d 20 35 31 32 00 00 00 00 | = 512....|
000000f0 64 65 76 69 63 65 5f 74 79 70 65 20 20 20 20 20 |device_type |
00000100 20 20 20 20 20 20 20 3d 20 53 4c 43 00 00 00 00 | = SLC....|
00000110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000120 66 6c 61 73 68 5f 64 65 76 69 63 65 20 20 20 20 |flash_device |
00000130 20 20 20 20 20 20 20 3d 20 30 78 30 30 30 30 3d | = 0x0000=|
00000140 43 55 53 54 4f 4d 5f 53 45 54 54 49 4e 47 00 00 |CUSTOM_SETTING..|
00000150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000160 66 6c 61 73 68 5f 69 64 20 20 20 20 20 20 20 20 |flash_id |
00000170 20 20 20 20 20 20 20 3d 20 30 78 30 30 30 30 00 | = 0x0000.|
00000180 71 75 61 6c 63 6f 6d 6d 5f 64 65 76 69 63 65 20 |qualcomm_device |
00000190 20 20 20 20 20 20 20 3d 20 4d 53 4d 37 32 78 78 | = MSM72xx|
000001a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000001b0 70 61 67 65 5f 6c 61 79 6f 75 74 5f 73 74 72 69 |page_layout_stri|
000001c0 6e 67 20 20 20 20 20 3d 20 28 64 61 74 61 5f 34 |ng = (data_4|
000001d0 36 34 5f 73 70 61 72 65 5f 32 5f 64 61 74 61 5f |64_spare_2_data_|
000001e0 34 38 5f 73 70 61 72 65 5f 31 34 29 78 34 00 00 |48_spare_14)x4..|
000001f0 71 66 69 74 5f 76 65 72 73 69 6f 6e 20 20 20 20 |qfit_version |
00000200 20 20 20 20 20 20 20 3d 20 31 2e 36 2e 31 30 00 | = 1.6.10.|
00000210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000220 6c 6f 67 5f 66 69 6c 65 20 20 20 20 20 20 20 20 |log_file |
00000230 20 20 20 20 20 20 20 3d 20 4d 61 72 32 33 2d 32 | = Mar23-2|
00000240 30 31 32 2d 31 31 32 32 2d 31 37 2e 6c 6f 67 00 |012-1122-17.log.|
00000250 66 69 6c 65 5f 63 72 65 61 74 65 5f 70 61 74 68 |file_create_path|
00000260 20 20 20 20 20 20 20 3d 20 0a 20 20 64 3a 2f 54 | = . d:/T|
strings /tmp/a/image/factory.mbn
Code:
Image file with header
bad_block_byte_address = 2000
page_bytes_user = 2048
block_pages = 64
device_blocks = 4096
data_width = 16
device_MByte = 512
device_type = SLC
flash_device = 0x0000=CUSTOM_SETTING
flash_id = 0x0000
qualcomm_device = MSM72xx
page_layout_string = (data_464_spare_2_data_48_spare_14)x4
qfit_version = 1.6.10
log_file = Mar23-2012-1122-17.log
file_create_path =
d:/T18/0322/AMSS/products/76XX/tools/qfit/Local/FactoryImage2.mbn
end_of_header
Start End Actual
0 0:MIBIB 0x0000 0x0009 0x0004 main_ecc_10 1x_pages
D:\T18\0322\AMSS\products\76XX\build\ms\bin\TSNCJOLYMT18/mibib.mbn
1 0:SIM_SECURE 0x000A 0x000D 0x0000 main_ecc_10 1x_pages
2 0:QCSBL 0x000E 0x000F 0x0001 main_ecc_10 1x_pages
D:\T18\0322\AMSS\products\76XX\build\ms\bin\TSNCJOLYMT18/qcsbl.mbn
3 0:OEMSBL1 0x0010 0x0014 0x0005 main_ecc_10 1x_pages
D:\T18\0322\AMSS\products\76XX\build\ms\bin\TSNCJOLYMT18/oemsbl.mbn
4 0:OEMSBL2 0x0015 0x0019 0x0000 main_ecc_10 1x_pages
5 0:AMSS 0x001A 0x00ED 0x0091 main_ecc_10 1x_pages
D:\T18\0322\AMSS\products\76XX\build\ms\bin\TSNCJOLYMT18/amss.mbn
6 0:EFS2 0x00EE 0x014D 0x0005 main_ecc_10 1x_pages
D:/T18/0322/AMSS/products/76XX/tools/qfit/cefs.mbn
7 0:FOTA 0x014E 0x014F 0x0000 main_ecc_10 1x_pages
8 0:NV 0x0150 0x0160 0x0000 main_ecc_10 1x_pages
9 0:APPSBL 0x0161 0x0163 0x0001 main_ecc_10 1x_pages
D:\T18\0322\AMSS\products\76XX\build\ms\bin\TSNCJOLYMT18/appsboot.mbn
10 0:BOOT 0x0164 0x018B 0x0021 main_and_spare_ecc_10 1x_pages
D:\T18\0322\AMSS\products\76XX\build\ms\bin\TSNCJOLYMT18/boot.img
11 0:SYSTEM 0x018C 0x086B 0x0421 main_and_spare_ecc_10 1x_pages
D:\T18\0322\AMSS\products\76XX\build\ms\bin\TSNCJOLYMT18/system.img
12 0:SPLASH 0x086C 0x0873 0x0003 main_and_spare_ecc_10 1x_pages
but my linux knowledge isn't big enough to extract the system partition from this container, mount the yaffs2 file system, add an su program and a superuser.apk and pack it all together again.
what do you think, could this way work??
could someone help me please to do so?
the imagefile is available at h t t p : / / share.branddistribution.de/utano_outdoor/sw/utano_BARRIER_T180_ANDROID_2_3_5_1.rar
thanks treaki
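As an added example (my code, not from this thread and not the vendor's qfit tool), here is a Python parser for the header and partition table that `strings` printed above, turning the block ranges into byte offsets from page_bytes_user and block_pages. Assumptions: Start/End are inclusive NAND block numbers, Actual is the number of blocks actually written, the spare bytes named in page_layout_string are not counted, and whether factory.mbn stores each partition at exactly these offsets is not verified here.

```python
# Added example (my code, not the tool that produced this image): parse the
# qfit header and partition table printed by `strings` above and turn the
# block ranges into byte offsets. Assumptions: Start/End are inclusive NAND
# block numbers, Actual is the number of blocks actually written, and the
# spare area named in page_layout_string is not counted; whether factory.mbn
# stores each partition at exactly these offsets is NOT verified here.
import re

# Copied from the strings output in this post (header key/value lines).
HEADER_TEXT = """
page_bytes_user = 2048
block_pages = 64
device_blocks = 4096
device_MByte = 512
device_type = SLC
qualcomm_device = MSM72xx
page_layout_string = (data_464_spare_2_data_48_spare_14)x4
qfit_version = 1.6.10
"""

# Copied from the partition table in this post (path lines are ignored).
TABLE_TEXT = """
Start End Actual
0 0:MIBIB 0x0000 0x0009 0x0004 main_ecc_10 1x_pages
1 0:SIM_SECURE 0x000A 0x000D 0x0000 main_ecc_10 1x_pages
2 0:QCSBL 0x000E 0x000F 0x0001 main_ecc_10 1x_pages
3 0:OEMSBL1 0x0010 0x0014 0x0005 main_ecc_10 1x_pages
4 0:OEMSBL2 0x0015 0x0019 0x0000 main_ecc_10 1x_pages
5 0:AMSS 0x001A 0x00ED 0x0091 main_ecc_10 1x_pages
6 0:EFS2 0x00EE 0x014D 0x0005 main_ecc_10 1x_pages
D:/T18/0322/AMSS/products/76XX/tools/qfit/cefs.mbn
7 0:FOTA 0x014E 0x014F 0x0000 main_ecc_10 1x_pages
8 0:NV 0x0150 0x0160 0x0000 main_ecc_10 1x_pages
9 0:APPSBL 0x0161 0x0163 0x0001 main_ecc_10 1x_pages
10 0:BOOT 0x0164 0x018B 0x0021 main_and_spare_ecc_10 1x_pages
11 0:SYSTEM 0x018C 0x086B 0x0421 main_and_spare_ecc_10 1x_pages
12 0:SPLASH 0x086C 0x0873 0x0003 main_and_spare_ecc_10 1x_pages
"""

ROW_RE = re.compile(
    r"^\s*(\d+)\s+0:(\w+)\s+0x([0-9A-Fa-f]+)\s+0x([0-9A-Fa-f]+)\s+0x([0-9A-Fa-f]+)\s+(\S+)\s+(\S+)"
)


def parse_header(text: str) -> dict:
    """key = value lines of the qfit header."""
    hdr = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(.*)$", line)
        if m:
            hdr[m.group(1)] = m.group(2).strip()
    return hdr


def parse_table(text: str) -> list:
    """Partition rows; the source path lines in between do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({
                "index": int(m.group(1)), "name": m.group(2),
                "start": int(m.group(3), 16), "end": int(m.group(4), 16),
                "actual": int(m.group(5), 16), "ecc": m.group(6), "pages": m.group(7),
            })
    return rows


def block_size(hdr: dict) -> int:
    """Bytes per erase block, spare area excluded."""
    return int(hdr["page_bytes_user"]) * int(hdr["block_pages"])


def layout(hdr: dict, rows: list) -> dict:
    """Map partition name -> byte offset, reserved size and written size."""
    bs = block_size(hdr)
    return {
        r["name"]: {
            "offset": r["start"] * bs,
            "size": (r["end"] - r["start"] + 1) * bs,
            "written": r["actual"] * bs,
            "ecc": r["ecc"],
        }
        for r in rows
    }


def check_geometry(hdr: dict, rows: list) -> bool:
    """Partitions must be in order, non-overlapping and inside device_blocks."""
    last_end = -1
    for r in sorted(rows, key=lambda r: r["index"]):
        if r["start"] <= last_end or r["end"] < r["start"]:
            return False
        last_end = r["end"]
    return last_end < int(hdr["device_blocks"])


if __name__ == "__main__":
    hdr, rows = parse_header(HEADER_TEXT), parse_table(TABLE_TEXT)
    print("block size:", block_size(hdr), "geometry ok:", check_geometry(hdr, rows))
    for name, p in layout(hdr, rows).items():
        print(f"{name:11s} offset={p['offset']:#010x} size={p['size']:#010x} "
              f"written={p['written']:#010x} {p['ecc']}")
```

With 2048-byte pages and 64 pages per block an erase block is 128 KiB, so SYSTEM (blocks 0x18C to 0x86B) is 1760 blocks, about 220 MiB reserved, of which 0x421 blocks are marked as written. The geometry check is worth keeping around: a table that overlaps or runs past device_blocks is the first sign you are reading the wrong image or the wrong header.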
On your phone, go to Settings, About phone, Model number and verify it says HW-T18. If so go to google and do a search for "HW-T18 root" without the quotes. Should be the website android-hilfe. If you use chrome, when on the site you can translate. Sorry I cant post the link, but have to wait for 10 posts.
Tommy Top Drive said:
On your phone, go to Settings, About phone, Model number and verify it says HW-T18. If so go to google and do a search for "HW-T18 root" without the quotes. Should be the website android-hilfe. If you use chrome, when on the site you can translate. Sorry I cant post the link, but have to wait for 10 posts.
I have this same phone, branded "insmat rock v5". This is same as Utano barrier t180, agm rock v5, caterpillar b10, texet tm-3200r, hw-t18 etc.
But seems to be near impossible to root. Tried to load "update.zip" (also tried different versions of this superuser) via sd-card as instructions for those mentioned phones say. Managed to hard-boot phone by pressing vol-down and pwr. Phone gives red screen with text "welcome update" with white letters, and that's it.. Nothing happens then. Doesn't take key presses after that. But when i take battery out and back, then boots normally, but still without superuser.
from phone:
model info: hw-t18
android version: 2.3.5.
kernel: 2.6.35.11-perf
software version:QC_7x27_T18I_VERI_03011_120918
BASEBAND version:QC_7x27_T18I_VERI_03005_120918
What to try next to root this?
e: managed to install and reboot superuser update.zip via "droid explorer"
rooting
Hello,
Did you already manage to root the Utano?
If not there is a successful description on a german site.
Boomkweker said:
Hello,
Did you already manage to root the Utano?
If not there is a successful description on a german site.
Can you pls give the link to this site?
wookario said:
Can you pls give the link to this site?
The post is on a site android-hilfe with the extension de. I'm not allowed to post outgoing links. You can search for Utano barrier root zugriff. It's in a post of 29-06-2012 by Wolk. When you have problems with the translations I can help.
This build is for
development purposes only
Do not distribute outside of HTC
without HTC's written permission.
Failure to comply may
lead to legal action.
Ok friends, as we all know, it is very possible to modify the HBoot and this isn't the first time it has been done before. @old.splatterhand has loaded and shared such HBoots for the K2_UL and K2_U variants. @russellvone has as well loaded and shared such HBoot for the K2_CL variant and currently has made one for Cricket users too.
What this tutorial will do for this community is explain how it is done so that we all as a family can learn and grow together. I am a hands on type of guy and one of my pet peeves is being left in the dark so I am taking the time to explain some things. So let's get started.
Requirements for this TUTORIAL:
- A good hex editor is needed so click and download HxD
- I also use IDA (but that is me and for other purposes mainly - so stick with HxD)
- HBoot.img - I won't be supplying this so, sorry everyone. You will need to grab it elsewhere :good:
Please keep in mind that if you install a custom HBoot and your device receives an OTA you may be required to flash back the stock HBoot just like you would with your stock recovery.
STEPS
Go ahead and open up HxD. Drag & drop the HBoot image file into the HxD Window.
Note - no matter if it's a raw, dd, dumped, piece, or an .img or an .nb0 file - the edit will take place all the same.
I will be using HBoot 2.21 from the original 4.2.2 OTA during this tutorial. Now go ahead and hit CTRL+F or go to the Search tab then click Find. Search for "This build is" - without quotations...
You will then see this in HxD:
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
0013C7F0 4F 2D 00 00 4F 70 65 6E 44 53 50 2D 00 00 00 00 O-..OpenDSP-....
0013C800 20 28 00 00 65 4D 4D 43 2D 62 6F 6F 74 00 00 00 (..eMMC-boot...
0013C810 25 73 20 25 64 4D 42 00 4F 63 74 20 32 38 20 32 %s %dMB.Oct 28 2
0013C820 30 31 33 2C 32 32 3A 30 39 3A 31 36 2E 25 64 00 013,22:09:16.%d.
0013C830 4F 63 74 20 32 38 20 32 30 31 33 2C 32 32 3A 30 Oct 28 2013,22:0
0013C840 39 3A 31 36 00 00 00 00 45 6E 74 65 72 69 6E 67 9:16....Entering
0013C850 20 52 65 63 6F 76 65 72 79 2E 2E 2E 00 00 00 00 Recovery.......
0013C860 45 6E 74 65 72 69 6E 67 20 4D 46 47 20 4B 65 72 Entering MFG Ker
0013C870 6E 65 6C 2E 2E 2E 00 00 45 6E 74 65 72 69 6E 67 nel.....Entering
0013C880 20 4D 44 4D 20 52 61 6D 64 75 6D 70 20 6D 6F 64 MDM Ramdump mod
0013C890 65 2E 2E 2E 00 00 00 00 54 68 69 73 20 62 75 69 e.......This bui
0013C8A0 6C 64 20 69 73 20 66 6F 72 00 00 00 64 65 76 65 ld is for...deve
0013C8B0 6C 6F 70 6D 65 6E 74 20 70 75 72 70 6F 73 65 73 lopment purposes
0013C8C0 20 6F 6E 6C 79 00 00 00 44 6F 20 6E 6F 74 20 64  only...Do not d
0013C8D0 69 73 74 72 69 62 75 74 65 20 6F 75 74 73 69 64 istribute outsid
0013C8E0 65 20 6F 66 20 48 54 43 00 00 00 00 77 69 74 68 e of HTC....with
0013C8F0 6F 75 74 20 48 54 43 27 73 20 77 72 69 74 74 65 out HTC's writte
0013C900 6E 20 70 65 72 6D 69 73 73 69 6F 6E 2E 00 00 00 n permission....
0013C910 46 61 69 6C 75 72 65 20 74 6F 20 63 6F 6D 70 6C Failure to compl
0013C920 79 20 6D 61 79 00 00 00 6C 65 61 64 20 74 6F 20 y may...lead to
0013C930 6C 65 67 61 6C 20 61 63 74 69 6F 6E 2E 00 00 00 legal action....
0013C940 5B 44 49 53 50 4C 41 59 5F 45 52 52 5D 20 61 6C [DISPLAY_ERR] al
0013C950 6C 6F 63 61 74 65 20 68 65 61 70 20 66 6F 72 20 locate heap for
0013C960 73 70 6C 61 73 68 20 69 6D 61 67 65 20 66 61 69 splash image fai
Please take note of what is written in red. This is that little pesky warning label that pops up when running a custom kernel and/or custom recovery.
I look forward to this part as I will be showing how to remove it - and any of you can too (manually of course).
Now, in this particular HBoot (2.21) you find that the text begins at Offset 0013C890
Code:
0013C890 65 2E 2E 2E 00 00 00 00 [COLOR="red"]54 68 69 73 20 62 75 69[/COLOR] e.......[COLOR="red"]This bui[/COLOR]
The beginning of the warning from HTC starts with the letter T from the word This. Remember how I said to take notice of the highlighted red? If you look at number 54 you notice it is the beginning of this warning. Don't worry, HxD will show you where it begins. Just use the mouse to click where that letter or symbol is and it will show a dotted line box around that number as being the reference point from there forward (or backwards lol).
To edit and remove this warning label is very simple. You will be hex editing this image file needless to say - if you haven't realized it yet. YOU WILL NOT BE MAKING ANY CHANGES ON THE RIGHT OF HxD!!!!
We will be replacing ALL of the letters with text by spacing it. To do so we must first find out what number represents a 'space'. This is simple, as you only need to hover your mouse over a space in between two letters in which it will highlight its number with a dotted line box. In this case a space would be the number 20. So what we are going to do is remove every text of that warning label with a space by implementing the number 20 in the proper places to each of the given text letter.
PLEASE NOTE!! ---- It is HIGHLY recommended that you DO NOT replace each text letter in the left panel with the number 00.
- The reason for this is because 00 stands for blank which in the Hex world is not considered a 'text'. Whereas a space is considered a text and since we are replacing text it would be best to do so with other text so the HBoot will still see text even though the warning label will no longer show up anymore. It just would seem to be of best interests and just overall safer.
This is what you will see after you replace all the text letters with the number 20:
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
0013C7F0 4F 2D 00 00 4F 70 65 6E 44 53 50 2D 00 00 00 00 O-..OpenDSP-....
0013C800 20 28 00 00 65 4D 4D 43 2D 62 6F 6F 74 00 00 00 (..eMMC-boot...
0013C810 25 73 20 25 64 4D 42 00 4F 63 74 20 32 38 20 32 %s %dMB.Oct 28 2
0013C820 30 31 33 2C 32 32 3A 30 39 3A 31 36 2E 25 64 00 013,22:09:16.%d.
0013C830 4F 63 74 20 32 38 20 32 30 31 33 2C 32 32 3A 30 Oct 28 2013,22:0
0013C840 39 3A 31 36 00 00 00 00 45 6E 74 65 72 69 6E 67 9:16....Entering
0013C850 20 52 65 63 6F 76 65 72 79 2E 2E 2E 00 00 00 00 Recovery.......
0013C860 45 6E 74 65 72 69 6E 67 20 4D 46 47 20 4B 65 72 Entering MFG Ker
0013C870 6E 65 6C 2E 2E 2E 00 00 45 6E 74 65 72 69 6E 67 nel.....Entering
0013C880 20 4D 44 4D 20 52 61 6D 64 75 6D 70 20 6D 6F 64 MDM Ramdump mod
0013C890 65 2E 2E 2E 00 00 00 00 20 20 20 20 20 20 20 20 e.......
0013C8A0 20 20 20 20 20 20 20 20 20 00 00 00 20 20 20 20          ...
0013C8B0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
0013C8C0 20 20 20 20 20 00 00 00 20 20 20 20 20 20 20 20      ...
0013C8D0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
0013C8E0 20 20 20 20 20 20 20 20 00 00 00 00 20 20 20 20         ....
0013C8F0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
0013C900 20 20 20 20 20 20 20 20 20 20 20 20 20 00 00 00              ...
0013C910 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
0013C920 20 20 20 20 20 00 00 00 20 20 20 20 20 20 20 20      ...
0013C930 20 20 20 20 20 20 20 20 20 20 20 20 20 00 00 00              ...
0013C940 5B 44 49 53 50 4C 41 59 5F 45 52 52 5D 20 61 6C [DISPLAY_ERR] al
0013C950 6C 6F 63 61 74 65 20 68 65 61 70 20 66 6F 72 20 locate heap for
0013C960 73 70 6C 61 73 68 20 69 6D 61 67 65 20 66 61 69 splash image fai
Once you have completed the task of overwriting the bytes then go ahead and save your work. Now comes the MOST IMPORTANT PART EVER!!!
- Compare both the original and the modified HBoot.img file and MAKE SURE that the modified image is exactly the same size in bytes as the original!
- If the modified file is just ONE byte too large or too small when compared to the original file then you had better delete that file and try the whole process over again!! DO NOT FLASH THAT MODIFIED FILE IF THE BYTE SIZE IS NOT THE SAME AS THE ORIGINAL FILE OR YOU WILL BRICK YOUR DEVICE!
- If both files are the exact same size then you are clear to flash the new modified HBoot image, which will remove that pesky red text. There is much more that can be done with the HBoot, but for starters this tutorial will suffice for now.
If this tutorial was helpful to you then please click on thanks :good:
---- Happy hunting.
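The tutorial's three manual steps (find the string, overwrite it with 0x20, confirm the size is unchanged), as an added example that is not part of the original post. It is a small Python script written for this thread; the sample image it builds, including its warning text, is constructed for the demo and is not HTC's wording, and nothing in it is taken from the poster's files.

```python
"""Blank a text string inside an hboot.img the way the tutorial does it by hand
in HxD: overwrite every byte of the string with 0x20 and leave the file size
exactly as it was.

Added example for this thread, not the original poster's code. It automates the
three manual steps: list the NUL-terminated strings in the image, replace the
chosen ones with spaces (0x20, never 0x00, as the post recommends), and refuse
to write a result whose size differs from the original. build_sample() creates
a constructed stand-in image; its warning lines are made up, not HTC's wording.
"""
import hashlib

SPACE = 0x20
# Constructed stand-in for the two-line warning (the real text is not on the page).
WARNING = (b"This is a constructed warning line", b"used only to demonstrate the patch")


def find_strings(image, min_len=4):
    """[(offset, bytes)] for each run of printable ASCII of at least min_len
    bytes, i.e. what the right-hand pane of a hex editor lets you read."""
    found, start = [], None
    for i, b in enumerate(bytes(image) + b"\x00"):   # trailing NUL flushes the last run
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                found.append((start, bytes(image[start:i])))
            start = None
    return found


def blank_strings(image, needles):
    """Copy of image with every needle overwritten by 0x20 bytes. Each needle
    must occur exactly once; otherwise pick the offset by hand as the post says."""
    patched = bytearray(image)
    for needle in needles:
        off = image.find(needle)
        if off < 0:
            raise ValueError("not found: %r" % needle)
        if image.find(needle, off + 1) >= 0:
            raise ValueError("occurs more than once: %r" % needle)
        patched[off:off + len(needle)] = bytes([SPACE]) * len(needle)
    return bytes(patched)


def verify_patch(original, patched, needles):
    """The size check the tutorial insists on, plus a stricter one: only the
    needle bytes may differ, and each of them must now be 0x20."""
    if len(original) != len(patched):
        return False
    allowed = set()
    for needle in needles:
        off = original.find(needle)
        if off < 0:
            return False
        allowed.update(range(off, off + len(needle)))
    for i, (a, b) in enumerate(zip(original, patched)):
        if i in allowed:
            if b != SPACE:
                return False
        elif a != b:
            return False
    return True


def patch_file(src, dst, needles):
    """Read src, blank the needles, and write dst only if verify_patch passes.
    Returns (original_sha256, patched_sha256) so both can be posted for review."""
    with open(src, "rb") as f:
        original = f.read()
    patched = blank_strings(original, needles)
    if not verify_patch(original, patched, needles):
        raise RuntimeError("refusing to write: patched image failed verification")
    with open(dst, "wb") as f:
        f.write(patched)
    return hashlib.sha256(original).hexdigest(), hashlib.sha256(patched).hexdigest()


def build_sample():
    """Constructed fragment of an hboot-like image: NUL-padded strings laid out
    like the ones in the dump, with the made-up warning between them."""
    out = bytearray()
    for s in (b"OpenDSP-", b"eMMC-boot", b"Entering Recovery...") + WARNING + (b"[DISPLAY_ERR]",):
        out += s + b"\x00" * (4 - len(s) % 4)   # pad to a 4-byte boundary like the dump
    return bytes(out)


if __name__ == "__main__":
    original = build_sample()
    for off, s in find_strings(original):
        print("0x%06X  %s" % (off, s.decode()))
    patched = blank_strings(original, WARNING)
    print("same size:", len(original) == len(patched),
          "verified:", verify_patch(original, patched, WARNING))
```

On a real dump, list the strings with find_strings first, then call patch_file("hboot.img", "hboot_mod.img", [line1, line2]) with the exact bytes of each warning line; the output file is only written when verify_patch passes, so the "one byte too large or too small" case can never reach dd or fastboot. The two SHA-256 values it returns are what you would paste into the thread when asking someone to check your work.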
Thank You for the tut. I only have a few questions.
1) Is there anyway through adb or otherwise to 'pull' the original hboot file from the phone ?
2) Does the newly created hboot file need to be zipped, or flashed in fastboot the way it is?
Thank You for your time =)
extracting your hboot.img
rb2tfm said:
1) Is there anyway through adb or otherwise to 'pull' the original hboot file from the phone ?
I think this might work:
$ adb shell
shell:/ $ su
shell:/ # dd if=/dev/block/mmcblk0p12 of=/sdcard/hboot.img
shell:/ # exit
shell:/ $ exit
$ adb pull /sdcard/hboot.img
gepr said:
I think this might work:
$ adb shell
shell:/ $ su
shell:/ # dd if=/dev/block/mmcblk0p12 of=/sdcard/hboot.img
shell:/ # exit
shell:/ $ exit
$ adb pull /sdcard/hboot.img
hi. i copied hboot.img from my phone but when i want to open it with HxD, it shows just 0 but no number or red note
SidRobo said:
hi. i copied hboot.img from my phone but when i want to open it with HxD, it shows just 0 but no number or red note
Hello, I am the original member that made this thread a while back. Grab the hboot.img from the OTA and you will find what you are looking for.
But do know that the following command will properly dump your hboot.img:
Code:
dd if=/dev/block/mmcblk0p12 of=/sdcard/hboot.img
As you can see in the picture below, I could easily modify this right on my phone and not even touch a computer , but of course at the time that I wrote this thread I did not know the potentials for being able to conduct "development" projects without the use of a pc and simply right on the device.
Sent from my C525c using Tapatalk
SHM said:
Hello, I am the original member that made this thread a while back. Grab the hboot.img from the OTA and you will find what you are looking for.
But do know that the following command will properly dump your hboot.img:
Code:
dd if=/dev/block/mmcblk0p12 of=/sdcard/hboot.img
As you can see in the picture below, I could easily modify this right on my phone and not even touch a computer , but of course at the time that I wrote this thread I did not know the potentials for being able to conduct "development" projects without the use of a pc and simply right on the device.
Sent from my C525c using Tapatalk
Hi. Thank you for the answer, but could you please explain more? I'm a noob :good:
How is it possible without a PC?????!!!
SidRobo said:
Hi. Thank you for the answer, but could you please explain more? I'm a noob :good:
How is it possible without a PC?????!!!
Using a hex editor such as what you saw in the picture would suffice. Then, comparing the size of the non modified hboot.img with the modified hboot.img as I mentioned in the instructions. Then, when all is good, I use the following command to write the modified hboot.img to my partition.
Code:
dd if=/sdcard/modified_hboot.img of=/dev/block/mmcblk0p12
But be careful when doing all of this. You mess up on the hboot and you will find yourself with a hard bricked device.
Sent from my C525c using Tapatalk
SHM said:
Using a hex editor such as what you saw in the picture would suffice. Then, comparing the size of the non modified hboot.img with the modified hboot.img as I mentioned in the instructions. Then, when all is good, I use the following command to write the modified hboot.img to my partition.
Code:
dd if=/sdcard/modified_hboot.img of=/dev/block/mmcblk0p12
But be careful when doing all of this. You mess up on the hboot and you will find yourself with a hard bricked device.
Sent from my C525c using Tapatalk
Sorry man, because I'm a noob.
My problem is with this part: ***Grab the hboot.img from the OTA and you will find what you are looking for.***
I don't know exactly what OTA is and how to get hboot.
Could you please explain more about it or put a link?
Again, sorry for disturbing you.
And sorry for my bad English.
Sent from my Desire 300 X515e using XDA Forums
SidRobo said:
Sorry man, because I'm a noob.
My problem is with this part: ***Grab the hboot.img from the OTA and you will find what you are looking for.***
I don't know exactly what OTA is and how to get hboot.
Could you please explain more about it or put a link?
Again, sorry for disturbing you.
And sorry for my bad English.
Sent from my Desire 300 X515e using XDA Forums
I just noticed your signature shows you using a Desire phone. Do you own an HTC One SV? This thread is based on the HTC One SV so I want to verify before I continue.
Sent from my C525c using Tapatalk
SHM said:
I just noticed your signature shows you using a Desire phone. Do you own an HTC One SV? This thread is based on the HTC One SV so I want to verify before I continue.
Sent from my C525c using Tapatalk
I have an HTC Desire 300
INFOversion: 0.5
INFOversion-bootloader: 1.18.0002
INFOversion-baseband: 14.11.36Q4.21
INFOversion-cpld: None
INFOversion-microp: None
INFOversion-main:
INFOversion-misc: PVT SHIP S-OFF
INFOserialno: ----------------
INFOimei: ----------------
INFOmeid:
INFOproduct: g3u
INFOplatform: HBOOT-8225
INFOmodelid: 0P6A10000
INFOcidnum: 11111111
INFObattery-status: good
INFObattery-voltage: 4340mV
INFOpartition-layout: HTC
INFOsecurity: off
INFObuild-mode: SHIP
INFOboot-mode: FASTBOOT
INFOcommitno-bootloader: dirty-e1c32097
INFOhbootpreupdate: 12
INFOgencheckpt: 0
Then mmcblk0p12 probably isn't the partition that holds the hboot on your device. You need to go to your device forum and request a link for the most recent OTA made available. It should be compressed as a zip. When you extract it there will be another compressed zip, typically called firmware.zip. Extract that and you should hopefully find your signed hboot.img.
Sent from my C525c using Tapatalk
SHM said:
Then mmcblk0p12 probably isn't the partition that holds the hboot on your device. You need to go to your device forum and request a link for the most recent OTA made available. It should be compressed as a zip. When you extract it there will be another compressed zip, typically called firmware.zip. Extract that and you should hopefully find your signed hboot.img.
Sent from my C525c using Tapatalk
what if no OTA is available???
SidRobo said:
what if no OTA is available???
Then you will need to find the partition that holds your hboot.img. Even if that means dumping every unknown partition your device has and reviewing each one with a hex editor until you find it.
Sent from my C525c using Tapatalk
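For the "dump every unknown partition and review each one in a hex editor" step above, an added example (not the poster's code) that triages a directory of raw partition dumps by script. The hboot marker strings are the ones visible in the tutorial's dump earlier in this thread; treating them as an hboot fingerprint on other devices is an assumption. The ELF and Android boot-image magics are the standard ones, and the files the demo writes are constructed stand-ins.

```python
"""Triage raw partition dumps: which one holds hboot, and which ones are erased.

Added example for this thread, not the original poster's code. It does with a
script what the post describes doing by hand in a hex editor. For each dump it
records the size, whether the content is all zeros (what an erased partition,
like the empty secdata discussed later in this thread, looks like), a
recognised magic at offset 0, and whether the strings seen in the tutorial's
hboot dump occur. Marker strings come from that dump; using them as an hboot
fingerprint on other HTC devices is an assumption. Magic values for ELF and
Android boot images are standard. The files written by demo_dir() are
constructed stand-ins.
"""
import os
import shutil
import tempfile

# Strings that appeared in the hboot dump quoted in this thread.
HBOOT_MARKERS = (b"eMMC-boot", b"Entering Recovery...", b"Entering MFG Kernel...")
MAGIC = {b"\x7fELF": "ELF", b"ANDROID!": "android-boot"}
HEAD_BYTES = 64 << 20   # only the first 64 MiB are inspected; hboot is far smaller


def classify(blob):
    """Describe one partition image: bytes read, all-zero flag, magic, marker offsets."""
    info = {"size": len(blob), "all_zero": not any(blob), "magic": None, "markers": {}}
    for magic, name in MAGIC.items():
        if blob.startswith(magic):
            info["magic"] = name
    for m in HBOOT_MARKERS:
        off = blob.find(m)
        if off >= 0:
            info["markers"][m.decode()] = off
    return info


def looks_like_hboot(info):
    """Two or more markers is a strong hint; one alone could be any log string."""
    return len(info["markers"]) >= 2


def triage_dir(path):
    """Classify every regular file in path. Returns {filename: info}."""
    result = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        with open(full, "rb") as f:
            info = classify(f.read(HEAD_BYTES))   # all_zero/markers judged on the head only
        info["size"] = os.path.getsize(full)       # report the real size regardless
        result[name] = info
    return result


def demo_dir():
    """Constructed dumps: an hboot-like image, an all-zero 28,672-byte secdata,
    and an ELF. Returns the temp directory path; call cleanup() when done."""
    d = tempfile.mkdtemp()
    hboot = (b"\x00" * 16 + b"eMMC-boot\x00\x00\x00" + b"%s %dMB\x00"
             + b"Entering Recovery...\x00\x00\x00\x00" + b"\x00" * 64)
    samples = {"mmcblk0p12.img": hboot, "secdata.img": b"\x00" * 28672,
               "unknown.img": b"\x7fELF\x02\x01\x01" + b"\x00" * 57}
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


def cleanup(path):
    shutil.rmtree(path, ignore_errors=True)


if __name__ == "__main__":
    d = demo_dir()
    for name, info in triage_dir(d).items():
        print("%-16s %8d bytes  zero=%-5s magic=%-12s hboot=%s" % (
            name, info["size"], info["all_zero"], info["magic"], looks_like_hboot(info)))
    cleanup(d)
```

Point triage_dir at the folder your dd or partition-dump run produced and look for the entry where hboot=True; an all-zero entry is a partition that has been erased, which is worth knowing before you decide it "does not exist". The script reads only the head of each file, so a multi-gigabyte userdata dump does not blow up memory.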
SHM said:
Then you will need to find the partition that holds your hboot.img. Even if that means dumping every unknown partition your device has and reviewing each one with a hex editor until you find it.
Sent from my C525c using Tapatalk
Hi, I found two files, boot_init.img and boot_stock.img, from this link https://drive.google.com/folderview?id=0B6WBFlAKqe30cGp3WkFRSjRaMjQ&&tid=0B6WBFlAKqe30TjRLa2Qxa0toYlU#list
Is this what I am looking for?
If yes, how should I flash it?
SidRobo said:
Hi, I found two files, boot_init.img and boot_stock.img, from this link https://drive.google.com/folderview...jRaMjQ&&tid=0B6WBFlAKqe30TjRLa2Qxa0toYlU#list
Is this what I am looking for?
If yes, how should I flash it?
Those are not the hboot. The hboot is your bootloader. Completely different.
Sent from my C525c using Tapatalk
This is a continuation of a previous thread which diverted from its original topic (see here @CryptMan @MrCrayon). Making the tablet work with Android 11 again was done successfully by flashing persist.img, but the Widevine L3 status didn't change even after re-locking the bootloader and the stock ROW firmware.
Stuff I/we know:
Flashing a different persist.img can apparently cause the level to drop to L3 (see here)
In my case it presumably was caused by unlocking, but not fixed by relocking, the bootloader.
Another user got L3 on the J716F model but without unlocking the bootloader. Commenters suggest using the QCN file from an L1-certified tablet (see here)
I flashed persist.img from the latest 62X firmware and upgraded via OTA to 63X (not hosted yet) (see here)
I once selected "erase all before download" (an attempt to fix a bootloop, stupid for sure!) which probably wiped important parts of my QCN file.
The QCN file seems to hold the device's fingerprint.
L1 can be achieved using Magisk and certain module(s), but I haven't tried this since that's not for everyone.
Stuff I don't know:
Does the loss of SN, MAC, BT, PN cause Widevine L3, or have you already recovered it as described in another thread? (see here)
Does L1 work if I downgrade to 62X, the ROM I extracted the persist.img from, and don't do the OTA?
L1 can be achieved using Magisk, which might be a lot easier. Is this solution "stable", and can't it be broken by Google snapping their fingers?
Is it possible to have Widevine L1 but SafetyNet not passing (regarding Magisk)?
Note: the category is neither question nor development, but dev seems a better fit as this will drive fewer people here who mistake this for a how-to guide and don't have anything to contribute.
The thread will be changed to a how-to guide once we have found a solution.
MateUserHHTT said:
I once selected "erase all before download" (attempt to fix bootloop, stupid for sure!) which probably wiped important parts of my QCN file.
Yeah, I also did this. And then my SN, PN, MAC etc. were gone. Also the device certification!
I'm very sure that this option in QFIL causes damage to the QCN and (!) wipes some important data (partition).
I have compared some partitions from the J606F (working, L1) with my J706F (damaged QCN, L3) and I found a partition named "secdata" which is empty on the J706F.
I made a copy of this from the 606 and it looks like this partition stores certificates (SSL/TLS).
Then I tried to write this to the 706, but this results in a soft-brick. The 706 only boots to 9008 mode. And it stays there even if I delete the secdata partition again, very strange.
CryptMan said:
And it stays there even if I delete the secdata partition again
Damn, that's bad. In Germany we have a saying that translates to "No backup, no pity", but I wouldn't think about backing up empty partitions either. Did you erase it or format it afterwards? Maybe you could create an empty image of fitting size with dd, filled with zeros? Also: did you check that the secdata partition actually existed on the J706F? If so, was it empty, or could it be that you had no read permissions? And was the file size of the image you flashed fitting? I think it doesn't matter because fastboot doesn't overwrite other partitions (it has a failsafe), but I'm not sure of that.
I have access to a J706L (model with sim-slot) but I can only access it in a "reading" way (tablet of a friend...).
I put it into FFBM but it didn't show up in QFIL at the same machine I used for my J706F. I'll check the drivers and attempt again. I guess that's our best bet on restoring L1 without rooting it.
My J606F (the working one) in FFBM is also NOT visible to QFIL.
BUT if it is fully booted to system (and USB debugging is enabled) THEN it is seen as a "901D" device and I was able to read the QCN.
This secdata partition is present on the J706F but filled with 0x00.
Size is 28,672 bytes on both devices.
I used the QFIL "Partition Manager" for reading and writing, and wiped the whole GPT there as a last resort to restore function after the flash of secdata soft-bricked the J706F.
The thing is, while "persist" is part of the ZIP file, the secdata is NOT.
The secdata of the J606F (the working one) looks like a Linux binary/executable:
Code:
00000000h: 7F 45 4C 46 02 01 01 00 00 00 00 00 00 00 00 00 ; ELF............
00000010h: 00 00 28 00 01 00 00 00 00 F0 FF 45 00 00 00 00 ; ..(......ðÿE....
Later in the file/partition you can find this, please pay attention to the strings "Attestation", "Root CA" and "General Use Root Key":
Code:
000012a0h: 02 42 4A 31 11 30 0F 06 03 55 04 07 13 08 42 65 ; .BJ1.0...U....Be
000012b0h: 69 20 4A 69 6E 67 31 0F 30 0D 06 03 55 04 0B 13 ; i Jing1.0...U...
000012c0h: 06 4C 45 4E 4F 56 4F 31 0F 30 0D 06 03 55 04 0A ; .LENOVO1.0...U..
000012d0h: 13 06 4C 45 4E 4F 56 4F 31 1E 30 1C 06 03 55 04 ; ..LENOVO1.0...U.
000012e0h: 03 13 15 4C 45 4E 4F 56 4F 20 41 74 74 65 73 74 ; ...LENOVO Attest
000012f0h: 61 74 69 6F 6E 20 43 41 30 1E 17 0D 32 30 30 38 ; ation CA0...2008
00001300h: 32 31 30 39 30 33 33 33 5A 17 0D 58 58 58 58 58 ; 21090333Z..XXXXX
00001310h: 58 58 58 58 58 58 58 58 30 5D 31 0B 30 09 06 03 ; XXXXXXXX0]1.0...
00001320h: 55 04 06 13 02 43 4E 31 0B 30 09 06 03 55 04 08 ; U....CN1.0...U..
00001330h: 13 02 42 4A 31 1D 30 1B 06 03 55 04 03 13 14 53 ; ..BJ1.0...U....S
00001340h: 65 63 54 6F 6F 6C 73 20 41 74 74 65 73 74 20 55 ; ecTools Attest U
00001350h: 73 65 72 31 0F 30 0D 06 03 55 04 0A 13 06 4C 45 ; ser1.0...U....LE
00001360h: 4E 4F 56 4F 31 11 30 0F 06 03 55 04 07 13 08 42 ; NOVO1.0...U....B
00001370h: 65 69 20 4A 69 6E 67 30 82 01 22 30 0D 06 09 2A ; ei Jing0‚."0...*
Code:
000016a0h: 42 4A 31 11 30 0F 06 03 55 04 07 13 08 42 65 69 ; BJ1.0...U....Bei
000016b0h: 20 4A 69 6E 67 31 1D 30 1B 06 03 55 04 0B 13 14 ; Jing1.0...U....
000016c0h: 47 65 6E 65 72 61 6C 20 55 73 65 20 52 6F 6F 74 ; General Use Root
000016d0h: 20 4B 65 79 31 0F 30 0D 06 03 55 04 0B 13 06 4C ; Key1.0...U....L
000016e0h: 45 4E 4F 56 4F 31 0F 30 0D 06 03 55 04 0A 13 06 ; ENOVO1.0...U....
000016f0h: 4C 45 4E 4F 56 4F 31 19 30 17 06 03 55 04 03 13 ; LENOVO1.0...U...
00001700h: 10 4C 45 4E 4F 56 4F 20 52 6F 6F 74 20 43 41 20 ; .LENOVO Root CA
00001710h: 31 30 1E 17 0D 32 30 30 34 30 39 30 36 31 38 35 ; 10...20040906185
00001720h: 36 5A 17 0D 58 58 58 58 58 58 58 58 58 58 58 58 ; 6Z..XXXXXXXXXXXX
00001730h: 58 30 6F 31 0B 30 09 06 03 55 04 06 13 02 43 4E ; X0o1.0...U....CN
00001740h: 31 0B 30 09 06 03 55 04 08 13 02 42 4A 31 11 30 ; 1.0...U....BJ1.0
00001750h: 0F 06 03 55 04 07 13 08 42 65 69 20 4A 69 6E 67 ; ...U....Bei Jing
00001760h: 31 0F 30 0D 06 03 55 04 0B 13 06 4C 45 4E 4F 56 ; 1.0...U....LENOV
00001770h: 4F 31 0F 30 0D 06 03 55 04 0A 13 06 4C 45 4E 4F ; O1.0...U....LENO
00001780h: 56 4F 31 1E 30 1C 06 03 55 04 03 13 15 4C 45 4E ; VO1.0...U....LEN
00001790h: 4F 56 4F 20 41 74 74 65 73 74 61 74 69 6F 6E 20 ; OVO Attestation
000017a0h: 43 41 30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D ; CA0‚."0...*†H†÷.
Code:
00001af0h: 1B 06 03 55 04 0B 13 14 47 65 6E 65 72 61 6C 20 ; ...U....General
00001b00h: 55 73 65 20 52 6F 6F 74 20 4B 65 79 31 0F 30 0D ; Use Root Key1.0.
00001b10h: 06 03 55 04 0B 13 06 4C 45 4E 4F 56 4F 31 0F 30 ; ..U....LENOVO1.0
00001b20h: 0D 06 03 55 04 0A 13 06 4C 45 4E 4F 56 4F 31 19 ; ...U....LENOVO1.
00001b30h: 30 17 06 03 55 04 03 13 10 4C 45 4E 4F 56 4F 20 ; 0...U....LENOVO
00001b40h: 52 6F 6F 74 20 43 41 20 31 30 1E 17 0D 32 30 30 ; Root CA 10...200
00001b50h: 34 30 39 30 36 31 37 34 38 5A 17 0D 58 58 58 58 ; 409061748Z..XXXX
00001b60h: 58 58 58 58 58 58 58 58 5A 30 81 89 31 0B 30 09 ; XXXXXXXXZ0‰1.0.
00001b70h: 06 03 55 04 06 13 02 43 4E 31 0B 30 09 06 03 55 ; ..U....CN1.0...U
00001b80h: 04 08 13 02 42 4A 31 11 30 0F 06 03 55 04 07 13 ; ....BJ1.0...U...
00001b90h: 08 42 65 69 20 4A 69 6E 67 31 1D 30 1B 06 03 55 ; .Bei Jing1.0...U
00001ba0h: 04 0B 13 14 47 65 6E 65 72 61 6C 20 55 73 65 20 ; ....General Use
00001bb0h: 52 6F 6F 74 20 4B 65 79 31 0F 30 0D 06 03 55 04 ; Root Key1.0...U.
00001bc0h: 0B 13 06 4C 45 4E 4F 56 4F 31 0F 30 0D 06 03 55 ; ...LENOVO1.0...U
00001bd0h: 04 0A 13 06 4C 45 4E 4F 56 4F 31 19 30 17 06 03 ; ....LENOVO1.0...
00001be0h: 55 04 03 13 10 4C 45 4E 4F 56 4F 20 52 6F 6F 74 ; U....LENOVO Root
00001bf0h: 20 43 41 20 31 30 82 01 22 30 0D 06 09 2A 86 48 ; CA 10‚."0...*†H
The strings "Attestation", "Root CA" and "General Use Root Key" make me think two things.
First, this could be the device certification.
Second, this looks like a "normal" SSL/TLS certification process.
But what I do NOT understand is why flashing this partition soft-bricks the device?
Security behavior?
CA of J606F does NOT match J706F?
In the first case, we need to know HOW to write this.
In the second case, we need a backup of this from a J706F.
Also in the second case, we need to know if this partition is device specific!
Because if Lenovo runs the root CA it is no big deal for them to chain this secdata to the device serial while generating it specifically for every device they make.
In this case, we are lost ... very lost ...
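To read what is actually inside the partition, an added example (not CryptMan's code) that decodes the DER structures the dump shows. It is a minimal pure-Python DER walker; the three byte strings in it are copied from the hex quoted above (dump offsets 0x1731, 0x1b4c and 0x1b63) and the image built around them is constructed. It also goes a step beyond the dump: it scans a whole partition image for every Name it can decode, which is the quickest way to check whether two devices' secdata carry identical certificate names or a device-specific one.

```python
"""Decode the X.509 Name and Validity structures in the secdata hex dump.

Added example for this thread, not CryptMan's code. A small DER walker in
plain Python (no cryptography package needed): it reads tag/length/value
triples, turns a Name (SEQUENCE OF SET OF SEQUENCE { OID, string }) into
attribute pairs, decodes a Validity, and scans a raw image for every Name.
SUBJECT_NAME, VALIDITY and ROOT_NAME are the bytes quoted in the thread; the
ELF magic and zero padding around them in build_sample() are constructed.
"""

# X.520 attribute types as DER-encoded OIDs (arc 2.5.4 = 55 04).
ATTR_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x07": "L",
              b"\x55\x04\x08": "ST", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}
STRING_TAGS = {0x13, 0x0c, 0x16, 0x14}  # PrintableString, UTF8String, IA5String, T61String

SUBJECT_NAME = bytes.fromhex(   # dump offset 0x1731: "0o1.0...U....CN1.0..." ...
    "30 6f "
    "31 0b 30 09 06 03 55 04 06 13 02 43 4e "
    "31 0b 30 09 06 03 55 04 08 13 02 42 4a "
    "31 11 30 0f 06 03 55 04 07 13 08 42 65 69 20 4a 69 6e 67 "
    "31 0f 30 0d 06 03 55 04 0b 13 06 4c 45 4e 4f 56 4f "
    "31 0f 30 0d 06 03 55 04 0a 13 06 4c 45 4e 4f 56 4f "
    "31 1e 30 1c 06 03 55 04 03 13 15 4c 45 4e 4f 56 4f 20 41 74 74 65 73 74 61 74 69 6f 6e 20 43 41")
VALIDITY = bytes.fromhex(       # dump offset 0x1b4c: notBefore plus the poster's XXXX-redacted notAfter
    "30 1e 17 0d 32 30 30 34 30 39 30 36 31 37 34 38 5a 17 0d 58 58 58 58 58 58 58 58 58 58 58 58 58")
ROOT_NAME = bytes.fromhex(      # dump offset 0x1b63: note the long-form length 81 89
    "30 81 89 "
    "31 0b 30 09 06 03 55 04 06 13 02 43 4e "
    "31 0b 30 09 06 03 55 04 08 13 02 42 4a "
    "31 11 30 0f 06 03 55 04 07 13 08 42 65 69 20 4a 69 6e 67 "
    "31 1d 30 1b 06 03 55 04 0b 13 14 47 65 6e 65 72 61 6c 20 55 73 65 20 52 6f 6f 74 20 4b 65 79 "
    "31 0f 30 0d 06 03 55 04 0b 13 06 4c 45 4e 4f 56 4f "
    "31 0f 30 0d 06 03 55 04 0a 13 06 4c 45 4e 4f 56 4f "
    "31 19 30 17 06 03 55 04 03 13 10 4c 45 4e 4f 56 4f 20 52 6f 6f 74 20 43 41 20 31")

def read_tlv(buf, pos):
    """(tag, value, end) for the DER element at pos; short and long length forms."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8N, then N length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def expect(buf, pos, want, what):
    tag, value, end = read_tlv(buf, pos)
    if tag != want:
        raise ValueError("%s: expected tag 0x%02x, got 0x%02x" % (what, want, tag))
    return value, end

def decode_name(buf, pos=0):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue -> ([(attr, value)], end)."""
    seq, end = expect(buf, pos, 0x30, "Name")
    rdns, p = [], 0
    while p < len(seq):
        rdn, p = expect(seq, p, 0x31, "RDN")
        atv, _ = expect(rdn, 0, 0x30, "AttributeTypeAndValue")
        oid, q = expect(atv, 0, 0x06, "attribute type")
        tag, value, _ = read_tlv(atv, q)
        if tag not in STRING_TAGS:
            raise ValueError("unexpected value tag 0x%02x" % tag)
        rdns.append((ATTR_NAMES.get(bytes(oid), oid.hex()), value.decode("utf-8", "replace")))
    if not rdns:
        raise ValueError("empty Name")
    return rdns, end

def decode_utctime(raw):
    """'YYMMDDHHMMSSZ' -> 'YYYY-MM-DD HH:MM:SSZ' (RFC 5280: YY < 50 means 20YY).
    Anything non-numeric, such as the poster's XXXX redaction, is returned as is."""
    s = raw.decode("ascii", "replace")
    if len(s) != 13 or not s[:12].isdigit() or s[12] != "Z":
        return s
    year = int(s[:2]) + (2000 if int(s[:2]) < 50 else 1900)
    return "%d-%s-%s %s:%s:%sZ" % (year, s[2:4], s[4:6], s[6:8], s[8:10], s[10:12])

def decode_validity(buf, pos=0):
    """Validity ::= SEQUENCE { notBefore UTCTime, notAfter UTCTime } -> (str, str)."""
    seq, _ = expect(buf, pos, 0x30, "Validity")
    not_before, p = expect(seq, 0, 0x17, "notBefore")
    not_after, _ = expect(seq, p, 0x17, "notAfter")
    return decode_utctime(not_before), decode_utctime(not_after)

def find_names(blob):
    """[(offset, rdns)] wherever a complete Name decodes; random bytes, the ELF
    header and zero padding all fail a tag or length check and are skipped."""
    hits = []
    for off in range(len(blob)):
        if blob[off] == 0x30:
            try:
                hits.append((off, decode_name(blob, off)[0]))
            except ValueError:
                pass
    return hits

def build_sample():
    # Constructed image: ELF magic as in the dump, zero padding, then the quoted structures.
    return (b"\x7fELF\x02\x01\x01" + b"\x00" * 249 + VALIDITY + SUBJECT_NAME
            + b"\x00" * 64 + ROOT_NAME + b"\x00" * 128)

if __name__ == "__main__":
    for off, rdns in find_names(build_sample()):
        print("0x%04x  %s" % (off, ", ".join("%s=%s" % kv for kv in rdns)))
    print("validity:", decode_validity(VALIDITY))
```

Run find_names(open("secdata.img", "rb").read()) on each device's dump and diff the two outputs: identical Name lists mean the partition only carries the shared Lenovo CA chain, while an extra Name containing a serial-looking CN points at a per-device certificate. An all-0x00 partition, like the J706F one described above, yields no hits at all. Two details the hex editor hides: the "200409061748Z" in the quoted Validity decodes to 2020-04-09 06:17:48Z (UTCTime is YYMMDDHHMMSSZ), and the structure that follows each Name in the dump, "30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d", is a 290-byte SubjectPublicKeyInfo whose algorithm OID begins 1.2.840.113549, i.e. an RSA key. Signature checking is deliberately out of scope here.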
My J716F has a screwed-up serial and Widevine is L3. I deleted all in QFIL. The Chinese guys didn't sort it out. Maybe restoring the serial number will restore Widevine.
CryptMan said:
Also in second case, we need to know if this partition is device specific!
Because if Lenovo run's the ROOT-CA it is no big deal for them to chain this secdata to the device serial while generation this specific for any device they make.
In this case, we are lost ... very lost ...
Since I have two working J706F I'm probably in the best position to check this.
I can also do some other checking but I'll have to wait the weekend.
{Mod edit: Quoted post deleted}
I just skimmed it quickly but it looks like that's only to restore L1 in Netflix when you still have L1 in the device, is that right?
The problem here is for those people that lost L1 in the device (not only Netflix)
MrCrayon said:
I just skimmed it quickly but it looks like that's only to restore L1 in Netflix when you still have L1 in the device, is that right?
The problem here is for those people that lost L1 in the device (not only Netflix)
No, it was L3 before, checked by DRM info app.
{Mod edit: Quoted post deleted}
If I understand this correctly, then they just changed to "GB" instead of their real region, logged in to Google and then the device was L1 again?!
That sounds a bit too simple, but yeah, I could try that.
Maybe on the weekend; for now I have seen all the install, configuration and import/export data options a bit too often ...
MrCrayon said:
Since I have two working J706F I'm probably in the best position to check this.
I can also do some other checking but I'll have to wait the weekend.
That would be great if you can compare the partitions, thank you.
One other thing I found was a file called "factory rescue zip" for the P11, sadly not for free download, but free for a different Lenovo device.
So I downloaded that one to have a look inside. And in that zip file I found a file called "sec.dat", which looks different, but hey, it's from a different device.
If that "factory rescue zip" for the P11 also contains this "sec.dat", maybe this could be another route to go?
f1tm0t said:
No, it was L3 before, checked by DRM info app.
What was the cause of L1 loss?
In my and CryptMan's case it's most likely due to the fact we checked "erase all before download" in QFIL.
CryptMan said:
If I understand this correct, then changed just to "GB" instead of there real region, logged in in Google and then the device was L1 again?!
Just now I flashed clean ZUI with GB region and I have L1
MateUserHHTT said:
What was the cause of L1 loss?
In my and CryptMan's case it's most likely due to the fact we checked "erase all before download" in QFIL.
I never checked "erase all before download". L3 and "device not certified by Google" came after unlocking the bootloader in my cases (rich experience)
f1tm0t said:
I never checked "erase all before download". L3 and "device not certified by Google" came after unlocking the bootloader in my cases (rich experience)
Sadly losing L1 when you unlock bootloader is normal.
Relocking bootloader should bring back L1 unless something else has been erased/changed.
f1tm0t said:
I never checked "erase all before download"
Then the way you restored your L1 will most likely not help us. But thank you anyways.
@CryptMan
I tried Partition Manager but it's giving me Sahara error, can't read packet header.
It's probably because I'm using VirtualBox on Linux but before I try in a Windows machine I wanted to clarify something.
When I click on Partition Manager it asks me to verify that the correct firehose file is selected (or something like that); do I need to select prog_firehose_ddr.elf from the ROM currently installed on the device, or is any ROM OK?
MateUserHHTT said:
I flashed persist.img from the latest 62X firmware and upgraded via OTA to 63X (not hosted yet) (see here)
I never had a 63x ota, what's the full version?
P.S.
I noticed prog_firehose_ddr is slightly different between the last global and CN, so I guess the current ROM would be better
@MrCrayon
I have always used the latest version of prog_firehose_ddr from the latest firmware ZIP.
As far as I understand this concept, firehose will be loaded to the SoC and must "only" match to it because it is executed there. After successfully loading/running firehose on the SoC the whole communication between PC and SoC/Flash uses Qualcomm sahara protocol to transfer data.
I have a Z3X box, and was successful in using the firehose from the firmware ZIP. Official Z3X does NOT support the P11, but firehose/sahara is generic communication with Qualcomm devices so it was possible to read partitions with this tool too.
Running QFIL in VMware (or some other virtual machine) is always a very bad idea. I was never successful while doing this.
Best way is to always connect the device directly.
@MrCrayon
Oh, one more very very important thing!
Be very very careful when using the partition manager!
NEVER click on "erase" or "load"; there is no "Are you sure what you are doing?", the tool just does the job!
Using "Read" is no problem.
To get to this dialog, you have to right click on the partition you want to work with and select the first option "manage partition data".
MrCrayon said:
I never had a 63x ota, what's the full version?
Build number: TB-J706F_630185_220128_ROW
Kernel ver.: 4.14.190-perf+
Android ver.: 11.
This version came with WeChat and GG (some Chinese app) preinstalled, including a "Tablet Center" with options like "protect your devices from accidental damage", "ADP One" or "Depot Support". Usually each point results in "No Internet connection" (which isn't true) or some other error message.
The title at the top-left corner says "Tablet Center{Test Only}" so I kinda feel like I received an update I wasn't supposed to receive
Good news for Linux users I used https://github.com/bkerler/edl and it worked perfectly.
To print partitions I used:
Bash:
edl printgpt --memory=ufs
and to back them up I used:
(--skip did not work so make sure you have 130GB of free space and 50 minutes)
Bash:
edl rl dump_folder --memory=ufs --genxml --skip=super,userdata
I was not expecting it but secdata is the same
fpinfo.bin contains selected region, SN and PN.
Anything else I can check?
@MrCrayon
Cool. Thank you very much.
I have flashed your file to my J706F; the good news is ... it still boots up (unlike my try with the secdata from the J606, which resulted in a soft-brick).
The bad news is ... it does not change anything for Widevine.
Maybe you could post your QCN, but with the SN and the 2nd half of all MAC addresses overwritten?
Or can I send you mine to compare whether some options might be missing?
Best regards