Well. I've spent 1 week. Yes, one week. I haven't been productive at all becacuse I've dedicated more than 16 hours per day to find one stupid answer to this question:
Once you dump the rom of your kaiser into the Part00.raw, Part01.raw, Part02.raw and Part03.raw, how can you create an NBH file?
Listen everybody: I've been looking for this site AND OTHERS, and the only gaseous, not so clear at all, lame answers are: "Oh, oh. You need to use Tadzio´s tools".
And that's it. How the f.... do you think that an answer like that is going to work?
Step by Step instructions, people !!!!!
That's what we need to build knowledgebase.
Most people are lazy and want fast answers with out reasearching. That's why they brick their phones. Others, like me, do our their homework but since there isn't anywhere else to ask, so, I have no choice to create a new thread since there isn't NO G.. D..N answer in the forum or in the site !!!!
I have my eyes squared and peeled of looking google's, live search and yahoo results.
Please, people, lets recreate the scenario:
You have a kaiser (TyTN II or what ever you want to call it) phone and you decide that, before bricking, or, even in case of bricking it, you want to copy your original ROM and have a copy of it and also BUILD, for chrisake, a flashable ROM to make the restore procedure easy and dandy.
You download itstools and execute pdocread.exe -l to get the RAW files.
Once you get your 4 RAW files, THEN WHAT????
All what I could find is that you can use some tools from Tadzio called imgfstools but, again, and so nice from you, NO INSTRUCTIONS AT ALL !!!!
So. Any kind soul to give a DETAILED, step-by-step walk through for a Kaiser?
Thanks, community.
http://forum.xda-developers.com/showthread.php?p=1968557
"How to Reconstruct a Dumped ROM & Reconstructed ROMs" by jcespi2005
goye said:
. . . Once you dump the rom of your kaiser into the Part00.raw, Part01.raw, Part02.raw and Part03.raw, how can you create an NBH file?
. . . So. Any kind soul to give a DETAILED, step-by-step walk through for a Kaiser?
Thanks, community.
Click to expand...
Click to collapse
I think this is the thread you want, "How to Reconstruct a Dumped ROM & Reconstructed ROMs" by jcespi2005
Thanks, but no thanks ....
Thanks community for your fast reply.
Well, actually that article "How to Reconstruct a Dumped ROM & Reconstructed ROMs" (http://forum.xda-developers.com/showthread.php?t=337066) from jcespi2005 sucks.
He doesn't give any details of how to do it.
I did learn a lot from doctaJay's videos (http://forum.xda-developers.com/showthread.php?t=372469) on his series "Cooking Guides for the Ultimate Noobs- Screencasts".
Now that's helping the community.
But, no. I need to build FROM SCRATCH my own NBH files using my Part0x.raw files. I don't need to use any one's RUU_Signed.nbh file to cook mine. I need to create FROM SCRATCH the NBH file only from my RAW files, with out using any other NBH file!
I mean ----
0. You tweak your registry IN YOUR PDA, not the computer, to change a Security Policy key:
HKLM\Security\Policies\Policies
valuename '00001001' was set to dword:2, change it to dword:1
YOU NEED TO USE A Registry Tweaker like RegeditSTG. Google it just as I did.
Once you've done all this, then
1. you pdocread.exe -l your ORIGINAL ROM from your kaiser.
So you get an output like this:
210.38M (0xd260000) FLASHDR
| 3.12M (0x31f000) Part00
| 3.63M (0x3a0000) Part01
| 68.50M (0x4480000) Part02
| 135.13M (0x8720000) Part03
STRG handles:
handle a7486c82135.13M (0x8720000)
handle a749618e 68.50M (0x4480000)
handle 074aff52 3.63M (0x3a0000)
handle 074aff76 3.12M (0x31f000)
disk a7486c82
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk a749618e
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 074aff52
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 074aff76
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Cute!
2. Step Two is Supposed to be creating your own, personal NBH installer kit from your original dumped ROM without using any other's ruu_signed.nbh downloaded from some guy's ROM kit.
I've read that you need Tadzio's imgfstools for doing so. See?
Even Tadzio's, the creator of the tool doesn't even explain, men and women !
That's pretty much f...ed up !
3. Open and HardSPL your phone BEFORE doing ANY FLASHING TASKS or you would really end up with a nice paper holder on your desk.
4. You should find a way to back up your RADIO ROM.
That's something completely differerent from the OS ROM. Many people complains that once they use some guy's ROM kit, their phones stop working in their networks.
Me, I live in Japan. I can't just download what ever ROM kit and flash my Kaiser, since in Japan my phone provider, E-Mobile, uses a weird 1700 Mhz W-CDMA frecuency, and most of the ROM kits are flashed for GSM networks and different 800Mhz - 1900 Mhz and 2100 Mhz GSM/GPRS networks.
Many stupidly think that flashing a phone's OS is a matter of downloading a g.. d...ed ROM and "bingo", you got your phone done. Actually, because following this guy jcespi2005's ROM (I can't blame him. You can't blame no one for flashing and messing your own ROM, I want to make that CLEAR), my phone doesn't work.
So .... You have to be careful and teach others to be careful, but the best way is to do a comprehensive, all in one step-by-step guide that will clearify most of the doubts of people.
5. Cook your own ROM's
I think, personally, that following these steps will prevent most people of bugging their phones and, at least, in the worse scenario, be able to some how restore most of the original condition of the kaiser so we can claim service or guarantee.
---------------------------------------
We have our RAW files from scratch, dumped BEFORE DOING anything that potentialy might brick our kaiser.
Now, before cooking and all that (again, thanks doctaJay for your screencasts, you da man !), I need to know:
HOW CAN I BUILD AN IMAGE FILE FROM TOTALLY SCRATCH JUST USING MY OWN RAW FILES !!!
It is said that we can use imgfstools from tadzios, but, as usual, not even a g.. d..med clue here !
Instructions !!
I can commit to post a nice, very in depth screencast for all of the people, but, please, I need to create from scratch, with out using ANYONE's dumped image NBH or ROM, a ROM file.
It's as simple as this: How did the FIRST PERSON IN this community manage to create FROM SCRATCH a NBH from his/her RAW files? And let it be told: FOR A KAISER, for chrisake ! Don't compare apples with oranges, even if they tend to behave alike.
See? That's the nature of the question. I'm not interested in COOKING A ROM, using as a base someone else's ROM.
That's the question, community.
Believe me, once I have all these steps mastered, I will make videocasts (screen casts) in both English and Spanish (Maybe Japanese as well).
So, help me out to help others and in tha way we can help new users in a better way !
Thanks !
i don't know how much reading you did in either post from the other guys but the threads they posted give you a STEP-BY-STEP walkthrough, if you can't read the walkthrough then you're a f*****g idiot and you shouldn't be trying any of the $h1t you are trying to do. READ i read through both of those threads posted and now i can dump a rom and cook one for the hell of it, mine only go to me but whatever. your steps only say "2. Step Two is Supposed to be creating your own, personal NBH installer kit from your original dumped ROM without using any other's ruu_signed.nbh downloaded from some guy's ROM kit.
I've read that you need Tadzio's imgfstools for doing so. See?
Even Tadzio's, the creator of the tool doesn't even explain, men and women !
That's pretty much f...ed up !" well that's not an answer. don't creat a thread just to ***** about how you want an answer, write your own damn program and DIYFS if you want to do everything from scratch.
personally i thank each and every member who has contributed anything, because without the guys here i would still have a stock att rom(minus bloat). thank you chefs and all others that have allowed my phone to be as great as it can be
STEP 1: Extract the RAW (IMGFS) file to a dump directory
imgfstodump part02.raw
fgs......how much more info do you need.
from the rom reconstruction thread.
jcespi2005 said:
2. Download the WWE BaseROM to use in the reconstruction process here http://rapidshare.com/files/5781641...dio_sign_22.45.88.07_1.27.12.11_Ship.rar.html
3. Download the modified version by Alex of Kaiser Kitchen here, that allows to reconstruct the ROM from the dump. Follow the guide included in the Readme using WWE from previous step and to will get you reconstructed ROM from your device.
Click to expand...
Click to collapse
sure i admit, that's not that much info, which is why i gave u the link to doctajay's screencasts, watch all his videos, everything you need is there. what more do you want?
I forgot to mention: My network is not GSM or similiar and I can't smoke my Radio
tubaking182 said:
i don't know how much reading you did in either post from the other guys but the threads they posted give you a STEP-BY-STEP walkthrough, if you can't read the walkthrough then you're a f*****g idiot and you shouldn't be trying any of the $h1t you are trying to do. READ i read through both of those threads posted and now i can dump a rom and cook one for the hell of it, mine only go to me but whatever. your steps only say "2. Step Two is Supposed to be creating your own, personal NBH installer kit from your original dumped ROM without using any other's ruu_signed.nbh downloaded from some guy's ROM kit.
I've read that you need Tadzio's imgfstools for doing so. See?
Even Tadzio's, the creator of the tool doesn't even explain, men and women !
That's pretty much f...ed up !" well that's not an answer. don't creat a thread just to ***** about how you want an answer, write your own damn program and DIYFS if you want to do everything from scratch.
personally i thank each and every member who has contributed anything, because without the guys here i would still have a stock att rom(minus bloat). thank you chefs and all others that have allowed my phone to be as great as it can be
Click to expand...
Click to collapse
Also, I already mentioned this (who's not reading?):
goye said:
4. You should find a way to back up your RADIO ROM.
That's something completely differerent from the OS ROM. Many people complains that once they use some guy's ROM kit, their phones stop working in their networks.
Me, I live in Japan. I can't just download what ever ROM kit and flash my Kaiser, since in Japan my phone provider, E-Mobile, uses a weird 1700 Mhz W-CDMA frecuency, and most of the ROM kits are flashed for GSM networks and different 800Mhz - 1900 Mhz and 2100 Mhz GSM/GPRS networks.
Click to expand...
Click to collapse
That's why I need to create my own ROM from SCRATCH, not taking other ROMs as a base.
Related
After a lengthy discussion with some developers on this board, I'm going to try and see if it is possible to create a Gold Card for the Prophet.
This is a very low level process, so ONLY try to follow along if you really know what you are doing !!!
So, what are we going to do ? well, create an SD image to be able to un-brick a Prophet (hopefully)
As this SD image will try to circumvent the bootloader security it is called a Gold Card.
We will use itsme typhoonnbfdecode.pl to create this image. (Thx to itsme for his great tool set !)
Creating a "normal" SD Image isn't that hard, to trick comes when you need to fool the bootloader and bypass the security.
Steps:
1. Find out what your docuniqueid is (is not be needed, but nice to have anyway)
2. Find out what your cardid is
3. Change the first two digits of the cardid to 00
4. Find out which -p keys to use (my guess is tornado)
5. Extract IPL/SPL/GSM/OS/SPLASH from a original ROM for the correct model (G3 or G4)
6. Use typhoonnbfdecode.pl to create and SD image (gold card)
7. Test the sucker in my bricked G3
So, let's try to get something working:
I will skip step 1 for now as Its not needed.
2. To get the cardit we need to read a memory dump from another Prophet with the sd card inside
pmemmap -s 0x06000000 -w deviceexe.mem -p 0x10000000-0x12000000
we are dumping the section of memory where device.exe is running (you can check this with pps)
In this memory dump we search for the unicode string 'Memory Card'
This is where I am at the moment, as the above was done on another HTC device I think I need to search for a new mem location where the cardid is stored.
So any people reading this that know another way of getting the sd cardid, let me know.
Example cardids:
# 55 4500 accf6300 55 3832314453 4453 03 'UE...c.U821DSDS.' .. my minisd
# 3f 5100 09531f40 03 424d383231 4e49 18 '[email protected]' .. my kingston
# 3f 3c00 65ba4764 07 3832314453 4d54 02 '?<.e.Gd.821DSMT.' .. my daneelec
# 00 4200 0f588942 41 4238323153 4150 01 .... bjorns sdcard
glad to help you
glad to help you un-brick your phone but need more details on these steps.
I am not a programmer so you'll have to explain more.
I do generally pick up these things quick, but will need to point me in the right direction.
AbuYahya said:
glad to help you un-brick your phone but need more details on these steps.
I am not a programmer so you'll have to explain more.
I do generally pick up these things quick, but will need to point me in the right direction.
Click to expand...
Click to collapse
Don't worry, I will update as I find out more
Hi,
Few months back I tried to make one for my Device but was unsuccessfull as I was not able to get DOC uniqueID and finding SD Card's unique ID is hell of a JOB.
So I Quit at that time but after seeing your post, I am again feeling energetic.
However the only method I know is as under.
Dont remember the exact location but will let you know (Taken somwhere from XDA Forum)
Finding out the docuniqueid
it is in memory at 0x8e01509c:
pmemdump 0x8e01509c 0x10
alternatively you can use this:
pdocread -l
Finding out the cardid (this is more difficult)
first find out the section of device.exe with pps usually it is 0x06000000. then save this section to a file using:
pmemmap -s 0x06000000 -w deviceexe.mem -p 0x10000000-0x12000000then in this memory dump, search for the unicode string 'Memory Card':
findstr "Memory Card" deviceexe.memthen dump the memory starting 0x18 bytes before where memory card was found:
dump deviceexe.mem -o 0x90a2a0 -l 0x90this results in something like this:
0090a2a0: 53 42 44 53 ec 00 00 00 f0 6f b7 03 00 00 00 00 SBDS.....o......
0090a2b0: 68 ea 8f 00 00 00 00 00 4d 00 65 00 6d 00 6f 00 h.......M.e.m.o.
0090a2c0: 72 00 79 00 20 00 43 00 61 00 72 00 64 00 00 00 r.y. .C.a.r.d...
0090a2d0: 63 00 65 00 30 00 00 00 00 00 00 00 00 00 00 00 c.e.0...........
0090a2e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0090a2f0: 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 ................
0090a300: 30 b1 90 00 68 bf 90 00 70 12 b5 03 5c a9 00 80 0...h...p...\...
0090a310: ff 00 00 00 00 55 45 00 ac cf 63 00 55 38 32 31 .....UE...c.U821
0090a320: 44 53 44 53 03 ab 40 40 92 ff 4f fa fe c0 83 59 [email protected]@..O....Ynote: that the SBDS signature needs to be there.
the 16 bytes starting at 0x90a315, 55 45 00 ac ... etc are the cardid.
DoCtOr_X said:
Hi,
Few months back I tried to make one for my Device but was unsuccessfull as I was not able to get DOC uniqueID and finding SD Card's unique ID is hell of a JOB.
So I Quit at that time but after seeing your post, I am again feeling energetic.
However the only method I know is as under.
Dont remember the exact location but will let you know (Taken somwhere from XDA Forum)
Finding out the docuniqueid
it is in memory at 0x8e01509c:
pmemdump 0x8e01509c 0x10
alternatively you can use this:
pdocread -l
Click to expand...
Click to collapse
If you look at my post above you can see I'm doing the same
however, pdocread on a bricked phone obviously doesnt work, however the docuniqueid MIGHT not be needed.
for cardid is trickier, as the cardid seems to be hidden on a different memory location then normal (read, older devices)
I'm trying serveral things to get to this
I just bought a new cardreader, so I can continue testing this
Hi,
Wish u best of luck but unfortunately I have no success.
Any Success ????
working on something that might get us a working gold card
stay tuned
Ok, it's possible to create a gold card, meaning, that I can create an SD that will lower the sec level to 0
This is nice, however doesn't help (yet) with the G3/G4 wrong SPL problem.
But it is one step closer as it is now confirmed that you lower the sec level using this method.
Next step will be to see if I can "update" an existing G3 SD Image with the cardid of my card and get it to boot.
I know it might not make sence what I'm saying now, but it's just an update on the progress made so far, and yes I will update the first post with a how to.
more later.
Nice, keep up the good work!
Well Done, I am really amazed.
Thanks & please keep it up.
So am I understanding that right you need another htc which is working to get the cardid? Is it possible to get all that done just with a regular cardreader plugged into the computer?...
cr0ssy said:
So am I understanding that right you need another htc which is working to get the cardid? Is it possible to get all that done just with a regular cardreader plugged into the computer?...
Click to expand...
Click to collapse
It MIGHT be, but I haven't tried that yet
Huh they are very similar
Hi Jesterz so far I have the same problem as you are with my dev g3
with spl from g4
So did you get your device to boot or what ideas do you have
Maybe this will help us Customize_rom_PDAMobiz_Editon_Upgrade_Rom_for_IPLSPL_2.15.0001_v.1.02
Help
Dear Jesterz, could You please help me.I used your RUU-Prophet-g4-AKU2.2-2.20-2.47.21-Jester-r1 to flash my G3 so i did not read carefully your post. It passed but device stills in bootloader mode. Is it possible to solve my problem and how.I have not other prophet to make goldcard. Tnanks in advance
mjankovic said:
Dear Jesterz, could You please help me.I used your RUU-Prophet-g4-AKU2.2-2.20-2.47.21-Jester-r1 to flash my G3 so i did not read carefully your post. It passed but device stills in bootloader mode. Is it possible to solve my problem and how.I have not other prophet to make goldcard. Tnanks in advance
Click to expand...
Click to collapse
Now u must also wait for GoldCrad project....
Yes thank you very much doctor_x so would you please let me know where it is finish and where i can find it
Hi,
If I'm not missing anything, there are actually two types of ID's for SD cards:
1. "Hardware ID", that is truly low-level and is provided by the card manufacturer.
You can use Pocket Mechanic to read it, but I have no idea how you can manage to change it. Please let me know if you have a solution on this one.
2. Let's call it "software id" - an id that you get after your card is formatted (something like a partition id) - you can use a card-reader and some software like Acronis Partition Expert to read and change it.
mjankovic said:
Yes thank you very much doctor_x so would you please let me know where it is finish and where i can find it
Click to expand...
Click to collapse
The main person involved in this project is "Jesterz". I was about to gaveup when jesters started new effort and infused new spirit in the project.
Now lets hope it works but uptill now no breakthrough.
I read somewhere that I dont have to SUPER CID to install a 3rd party ROM, or perhaps our WM6 ROM
"Here is how I got the rom to install without the devauth error.
1) use a hex editor on the rom file and search for the devauth.exe string e.g. 44 00 65 00 76 00 41 00
2) between the "devauth" and the "exe" you will see the hex "00 2e".
3) swap these bytes around so they are "2e 00" instead of "00 2e".
4) This will keep te same checksum but will not allow the devauth.exe to run. well it work in my case at least"
Hope it works
Click to expand...
Click to collapse
Will the above method works? because my phone is still under warranty, and i dont want to void it so early
We are proud to announce that the Sensation is now UNbrickable. Users with the QHSUSB_DLOAD issue can now fully recover their phones and get them fully functional.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Note: This will fix only devices which were bricked by turning S ON. And bricks caused by a damaged hboot via interrupted OTA update/RUU flash on a S-ON device. Any devices bricked with other ways are currently *not* supported. We are working on it
The "core" of the unbricking project dev team:
MOVZX
RussianBear
Fuses
Dexter93
Testing stuff and irc support:
globatron
Deceptivechaos
dburgd84
Snake_skw
Other stuff:
dmcb123
xIndirect
Hawke84
Thanks to trevE, xHausx and the rest of the evo3d team that gave us the basic info to work on and made us curious to see if we could get something out of it. Also thanks to ief and his team @revolutionary for helping us understand the bootloaders better. We should also not forget to thank cxb01 of malshenzu.com and xda members arthurire and untrueparadox who helped in translation.
Prerequisites
a linux box/live cd with automount disabled and without unity
the appropriate package for the device
the latest RUU for your device
a device bricked by writing security flag 3 with an unsigned hboot, or caused by a damaged hboot via interrupted OTA update/RUU flash on a S-ON device
a usb cable
some basic linux experience
patience
DISCLAIMER: We do NOT guarantee that this method will work for you, or that it is flawless. We are also not responsible if your phone is completely dead after the procedure, or your house burns down because your phone exploded. You are doing this in YOUR OWN RISK.
InstructionsDetailed video on the process. Thanks kgs1992
Boot the linux box and download the appropriate package for the device.
WARNING: IT IS DEVICE SPECIFIC. DO NOT USE THE XE VERSION ON A 4G/ORIGINAL SENSATION AND VICE VERSA
Extract the package in the home directory
Open up a terminal
Remove SIM, microSD card and battery and connect the device using the USB cable. This procedure must be done without battery
Detect the device using the script provided. Type this in the terminal
Code:
./brickdetect.sh
You should get something like sdX. We are interested on that "X"
Unplug the usb cable from the device
Backup the hboot currently in the phone by using this command. Plug the device in ONLY when asked to
Code:
sudo ./emmc_recover --backup b_hboot.img --device /dev/sdX12
Replace the "X" with the letter the script gave you
Follow the on-screen instructions from emmc_recover
Hexdump the b_hboot to check the hboot version
Code:
hexdump -C b_hboot.img |less
The output should be like this:
Code:
00000000 05 00 00 00 03 00 00 00 00 00 00 00 00 00 10 40 |[email protected]|
00000010 d8 fc 0f 00 d8 fb 0f 00 d8 fb 1f 40 00 01 00 00 |[email protected]|
00000020 d8 fc 1f 40 00 00 00 00 12 00 00 ea 31 2e 31 37 |[email protected][B]1.17[/B]|
00000030 2e 31 31 31 31 00 00 00 38 32 36 30 20 53 50 4c |.1111...8260 SPL|
00000040 00 00 00 00 00 f0 20 e3 53 48 49 50 00 00 00 00 |...... .SHIP....|
00000050 00 f0 20 e3 00 f0 20 e3 48 42 4f 4f 54 2d 38 32 |.. ... .HBOOT-82|
00000060 36 30 00 00 00 f0 20 e3 39 32 65 35 33 37 31 30 |60.... .92e53710|
This is the typical hex of a hboot. We are interested to check if that is the hboot partition and if it is, to get to know the version. In this case it is 1.17
If in the above step you failed to identify the hboot, unplug all devices connected to that pc, reboot and try again
Unplug the device
Check again it is the right version, because if you do a mistake here, you won't be able to go back
You can only flash the same version as the one in the device.
!!!!!DO NOT ATTEMPT TO FLASH ANOTHER VERSION OR DOWNGRADE!!!IT HAS BEEN PROVEN FATAL!!!!
Flash the hboot on the device. Replace "V.VV" with hboot version (eg. 1.17, 1.18, 1.19, 1.20, 1.23, 1.27) and "X" with the one you got from the detect script. Plug the device in ONLY when asked to
Code:
sudo ./emmc_recover --flash pyrV.VV.nb0 --device /dev/sdX12 --backupafter hboot_f.nb0
Follow the on-screen instructions from emmc_recover. A successful flash should have this output:
Code:
511+1 records in
511+1 records out
1047808 bytes(1.0 MB) copied
Unplug the device, put SIM, microSD card and battery in and power on
Congratulations, the device is unbricked.
FLASH THE RUU IMMEDIATELY AFTER RECOVERING!! The device will be unstable after the recovery if you don't flash it.
Notes on the procedure:
If the device doesn't power on, get a copy of the hboot_f.nb0 and b_hboot.img (should be located in the home directory) and contact us
The connection between the device and the pc will be unstable, and will time out. You have to be quick when doing the above, specially while flashing. If the connection times out don't panic, just unplug and replug the device
Unity and automount are known to cause issues in ubuntu 11.04 and 11.10. We recommend getting rid of both, or use a 12.04, or 10.04/.10 liveCD
USB3 ports do not work properly. Please plug the device in a USB2 port
The liveCD provided has autoount enabled. please disable it
How to disable automount on ubuntu
Code:
gsettings set org.gnome.desktop.media-handling automount false
Downloads
For Sensation and Sensation 4G:
32bit version MD5: 859cf1c8f4cc96a9c911ecf696579e6f
64bit version MD5: d160e90234999a0f8e5ed632d3a2bb4e
For Sensation XE:
32bit version MD5: dec2309cc06dbc01398a4a49f8ae13cf
64bit version MD5: de677136626fe2e096f0a7f48e438978
Don't have a linux distro installed on your pc? We highly recommend this livecd
awesome!
any people that know chinese, we need your help:
a chinese forum where a member posted a guide on how to de-brick a phone (zte u960) from qhsusb_mode:
http://bbs.malshenzu.com/read-htm-tid-38591-page-1.html
http://bbs.malshenzu.com/read-htm-tid-41957-page-1.html ( Sales MultiDL tool guide)
they use an additional tool (Sales MultiDL) that backs up alot of .mbn and .img files that we don't have (yet), so i'm not sure if we can pull those files out of the phone manually, or what?
translation per untrueparadox:
1. choose program mode
2. select the .hex and .mbn files from the included package
3. load the .xml included in the package
____ the path to xml file will show here
4. after selecting everything, click download to revive the brick
the files they used to flash:
anyone knows Chinese (google chrome translator is ok for basic understanding, but nothing more than that)?
i did pm the op of those threads to see what he thinks.
Yes a devs thread
So now we basically just have to wait to find out how to get the mbn files?
Sent from my HTC Sensation Z710e using XDA Premium App
dexter93 said:
----//notes//----
*the phone wont connect in diag mode using custom roms other than stock. certainly not with ics roms
*more pictures are available in the two threads mentioned
Click to expand...
Click to collapse
Dex, i'm on gb build of insert coin and diag works for me
RussianBear said:
Dex, i'm on gb build of insert coin and diag works for me
Click to expand...
Click to collapse
thanks. fixed it
it wouldnt work on ics insertcoin for me. it was missing some files( probably those werent even in the test ruu, or baad removed them)
if somebody doesn't like this thread (the one star rating), then contact a moderator or the op with your concerns. i don't see what is there not to like?
Found this. not sure if it helps but it's worth a look
http://www.scribd.com/doc/19215998/Qualcomm-Qpst-27-Users-Guide-2006
Some stuff about creating an mbn.
dmcb123 said:
Found this. not sure if it helps but it's worth a look
http://www.scribd.com/doc/19215998/Qualcomm-Qpst-27-Users-Guide-2006
Some stuff about creating an mbn.
Click to expand...
Click to collapse
search for "amss" in that pdf- seems like they've already had mentions of dual core msm chips back in 2006 (page 60). this guide is pretty cool! look up page 155-onwards as well.
need to find a newer version of this guide as well.
RussianBear said:
search for "amss" in that pdf- seems like they've already had mentions of dual core msm chips back in 2006 (page 60). this guide is pretty cool! look up page 155-onwards as well.
need to find a newer version of this guide as well.
Click to expand...
Click to collapse
the new version is included in the qpst download. check it
http://tjworld.net/wiki/Android/HTC/Vision
very cool stuff there. the guy dissects everything!
---------- Post added at 04:28 PM ---------- Previous post was at 04:27 PM ----------
dexter93 said:
the new version is included in the qpst download. check it
Click to expand...
Click to collapse
i skimmed thru it last night, will do again tonight
RussianBear said:
http://tjworld.net/wiki/Android/HTC/Vision
very cool stuff there. the guy dissects everything!
---------- Post added at 04:28 PM ---------- Previous post was at 04:27 PM ----------
i skimmed thru it last night, will do again tonight
Click to expand...
Click to collapse
Damn that is pretty comprehensive
another translation request, please.
http://wenku.baidu.com/view/5da95a6ba98271fe910ef9a2.html
---------- Post added at 05:41 PM ---------- Previous post was at 05:34 PM ----------
check this: http://android.modaco.com/topic/351690-zte-firmware-package-for-v11a-aka-vodafone-smarttab10/
i'll try to find a ruu or some kind of firmware for sensation to see if it has anything similar.
i think the phone's partition layout gets erased and we need the xml file to re-map it again. just a guess...
Guys we have to abandon it too... there is no fix with the way we are trying
I finally found IEF on the revolutionary irc and he told me that all these bricks happened because people went s on with modified, unsigned by htc, hboots. He also told me that under s on, we cant try anything, not even via QSPT, cause we would gain nothing. The only way of fixing that is by flashing the eMMC externally, using JTAG.
here is the conversation
[01:06] <@IEF> dexter93: you can't.
[01:06] <@IEF> simply put.
[01:06] <dexter93> not even via qspt?
[01:06] <@IEF> no
[01:06] <@IEF> that is for radio flashing
[01:07] <@IEF> and will get you nowhere under S-ON, even if you had all the other pieces.
[01:07] <dexter93> couldnt we just flash the phone again?
[01:07] <@IEF> that's what I said, not by software
[01:08] <@IEF> unless you consider JTAG sofware.
[01:08] <dexter93> but?
[01:08] <dexter93> by putting the device n download mode, do i gain something?
[01:08] <T-Junk> no butts..
[01:08] <@IEF> QCDL *is* download mode.
[01:08] <dexter93> qcdl?
[01:09] <@IEF> sigh
[01:09] <@IEF> the serial ports you get after bricking hboot.
[01:09] <dexter93> sorry... im a noob on those
[01:09] <@IEF> most people are, because you won't get anywhere without a proper loader
[01:10] <dexter93> and there is no way to bring it back to life?
[01:10] <@IEF> RMA
[01:10] <dexter93> any chance we can get that proper loader?
[01:11] <@IEF> did you honestly expect me to put it in those terms if I already had it?
[01:11] <@IEF> and again, it would gain you very little. QCDL is traditionally for baseband flashing
[01:11] <dexter93> i get it..
[01:12] <@IEF> signed hboots are a *security* measure for a reason.
[01:12] <dexter93> restoring a factory mbn wouldnt do the job?
[01:13] <@IEF> that's the same thing
[01:13] <dexter93> so that means that even htc cant fix that?
[01:14] <@IEF> ofcourse they can
[01:14] <@IEF> they can just flash the eMMC externally
[01:14] <dexter93> and why cant we?
[01:14] <dexter93> externally?
[01:14] <@IEF> ffs
[01:14] <@IEF> JTAG.
[01:14] <@IEF> this is getting pretty tiresome
[01:15] <dexter93> sorry to bother you ief
[01:15] <dexter93> and thanks for your time
[01:15] <dexter93> im just looking for some answers
[01:15] <@IEF> yeah, you could at least read up on some basic recovery procedures
[01:16] <@IEF> this is not exactly secret information
[01:16] <dexter93> i searched, but couldnt find anything
[01:16] <@IEF> if you don't have the skills to understand that or apply them, or do not have the access to it, there's really no point in asking
[01:16] <@IEF> that's what RMA is for
[01:16] <@IEF> and they may charge you for it, well within their rights
[01:17] <sfrost> trying to use revolutionary, I put in the correct info and got a key, but the program is saying its invalid ( thunderbolt with 1.04
[01:17] <dexter93> well, im patient and willing to learn
[01:18] <@IEF> it's not about willing to learn
[01:18] <@IEF> it's about having access to tools that only a chipset manufacturer has.
[01:19] <dexter93> i suppose that jtag development is out of the question without board schematics, right?
[01:22] <@IEF> no idea. you'd ask someone with a lot of JTAG experience.
[01:30] <dexter93> anyway, ill do a small research on that...
[01:30] <dexter93> thanks for the info
Click to expand...
Click to collapse
As you see there is no hope. And from a quick google search, JTAG is not available yet for our devices. That means only HTC RMA can deal with it...
dexter93 said:
Guys we have to abandon it too... there is no fix with the way we are trying
I finally found IEF on the revolutionary irc and he told me that all these bricks happened because people went s on with modified, unsigned by htc, hboots. He also told me that under s on, we cant try anything, not even via QSPT, cause we would gain nothing. The only way of fixing that is by flashing the eMMC externally, using JTAG.
here is the conversation
As you see there is no hope. And from a quick google search, JTAG is not available yet for our devices. That means only HTC RMA can deal with it...
Click to expand...
Click to collapse
i don't know, man. those chinese guys seem to be on it. check this pdf:
http://www.docin.com/p-323426686.html
page 30.
Well fix or not... Thank you for all the efforts you guys put in for the community... You guys are awesome...
Sent from my HTC Sensation 4G with Beats Audio
1、下载售后线刷。http://bbs.malshenzu.com/read-htm-tid-41602-fpage-2.html
download program for flashing here
2、安装SalesMultiDL_U960V1.00.03.exe,到SalesMultiDL安装好的目录(x:\Program Files\ZTE\SalesMultiDL_U960V1.00.03\Win32Driver)找SP驱动(ZTE_SPRD_TD_Handset_USB_DRIVER.exe),双击安装。(win7 32位的机油请右键选定该文件,选“兼容性”设为“XP”)
install sales...1.00.03.exe, go to SalesMultiDL folder (x:\program..\Win32Driver) to find the driver ZTE_SPRD_TD_Handset_USB_DRIVER.exe. install it . for windows 7 32 bit, right click, go to properties, run with xp compatibility.
3、装完驱动后接USB线,手机拨号界面输入 *983*376#,选“SP_download”,系统会进行驱动安装。
(此时装驱动比刷到89%才装会有更高的成功率)
after installing the driver and connecting the usb cable, dial that *983...# and choose SP_download, system will go into download mode.
4、下载setmode,运行setmode,手机重启。
download setmode, run it and reboot phone
5、拨掉USB线,开SalesMultiDL,选好线刷包目录,及SP的bin包。
disconnect usb cable, open salesmultidl, choose package to flash in the menu and sp bin file.
6、接上USB线,手机再次重启。手机重启时拔掉USB线,避免进入充电模式。
connect usb, reboot phone again and disconnect usb to avoid going into usb charging mode
7、手机见到G3首屏后接上USB线,售后官刷将显示“点右键下载”,点右键进行下载。
(点下载之前你怎样拔USB线都无所谓,但点了“下载”之后就不能拔线了。)
after seeing g3 boot screen, connect usb. in the software, right click on the menu that says right click to download. after you click download, do not unplug usb.
Click to expand...
Click to collapse
hope this helps guys. the link above shows similar stuff except if you dont see the setmode command and if you have a virtual cd drive from joinme or any other service, disable it.
不到一个月,已遇上两例“Qhsusb-Dload”的砖机,貌似这种情形还在蔓延,还是写个教程,方便大伙自救
大伙不爱回帖,只好隐一下,有怪莫怪。
after a month, i had two similar bricked phones. this situation is not rare so here's a tutorial. hope it helps.
1、安装Qhsusb-Dload驱动。
download Qh...load driver
装完驱动会有端口出现(由于俺没砖,只能模拟了)
after install, ports will show up. it will be virtual (i have no idea what this means)
【音量加和减同时按着,再点开机,无震动,但插USB有驱动安装,没砖的机油可先用此法装上驱动,以备不时之需】
hold volume up + down, turn on phone, no vibrate. when you insert usb and install driver, the driver will install.
2、QPST添加端口。
add port in QPST
3、打开线刷工具emmc software download。
open flashing tool
4、线刷包中对应的.hex和.mbn文件。
select packages
5、刷机。
flash phone
Click to expand...
Click to collapse
and if you guys need this too
RussianBear said:
hey, man! thanks for the translation!
could you translate this pic, please?
from this guide: http://bbs.malshenzu.com/read-htm-tid-38591-page-1.html
i'm really interested what the whole guide means
p.s. that picture is hidden in step 5. you need to post something on that forum to unlock it, but i guess, you can read Chinese
Thank you!
Click to expand...
Click to collapse
1. choose program mode
2. select the .hex and .mbn files from the included package
3. load the .xml included in the package
____ the path to xml file will show here
4. after selecting everything, click download to revive the brick
i think you're missing ief's point. most if not all sensation bricks aside from failed eMMC, are caused by flashing a non signed hboot during the process of returning to s-ON. Once you are s-ON the eMMC becomes write protected meaning even if you did manage to write anything it wouldn't stick.
cpittman said:
i think you're missing ief's point. most if not all sensation bricks aside from failed eMMC, are caused by flashing a non signed hboot during the process of returning to s-ON. Once you are s-ON the eMMC becomes write protected meaning even if you did manage to write anything it wouldn't stick.
Click to expand...
Click to collapse
appreciate all the constructive criticism.
from here: http://android.modaco.com/topic/335078-retrieving-mbn-files/page__view__findpost__p__1642041
Unfortunately , you can't get a raw nand image dump by just using QPST. You can however get a full RAM dump by putting the phone in download mode (by switching it on while holding the Vol+ and Vol- keys) and using revskills. You can then "cut" the obtained image and extract oemsbl & C.
P.S. Diagnostic (FTM) Mode and Download Mode are not the same. While in Download Mode, you can send the phone a bootloader and have it run on the ARM9 (baseband) processor. With a properly written/patched bootloader you have full access to the phone hardware, including the nand. Phone flasher sends its own bootloader (armprgZTE.bin) to the phone and then use it to flash the images... we could patch it to allow nand reading.
P.P.S. NV items contain values that must be stored in a Non-Volatile way (e.g. IMEI, lock status, ...).
Click to expand...
Click to collapse
and also, how do you explain Chinese guys successfully (allegedly) de-bricking their phones?
either way, once we can get something similar to this (same msm chip as ours):
http://android.modaco.com/topic/351724-flashing-zte-unsigned-roms/page__p__1902193#entry1902193
rawprogram0.xml 7.762 17.11.2011 16:49 -a--c
patch0.xml 1.573 17.11.2011 16:49 -a--c
partition.xml 3.705 02.09.2011 15:38 -a--c
tz.mbn 103.960 17.11.2011 16:00 -a--c
sbl3.mbn 622.592 17.11.2011 16:00 -a--c
sbl2.mbn 108.652 17.11.2011 15:58 -a--c
sbl1.mbn 71.840 17.11.2011 15:56 -a--c
rpm.mbn 116.420 17.11.2011 15:59 -a--c
partition.mbn 9.728 17.11.2011 16:49 -a--c
emmcbld.mbn 167.008 26.10.2011 10:31 -a--c
emmc_appsboot.mbn 72.000 06.12.2011 05:17 -a--c
cefs2.mbn 3.145.728 18.11.2011 15:21 -a--c
cefs1.mbn 3.145.728 18.11.2011 15:21 -a--c
amss.mbn 18.969.240 17.11.2011 16:48 -a--c
8660_msimage.mbn 1.679.872 18.11.2011 15:36 -a--c
recovery.img 5.195.776 06.12.2011 05:17 -a--c
boot.img 4.620.288 06.12.2011 05:17 -a--c
MPRG8660.hex 467.026 18.08.2011 16:02 -a--c
userdata.img.ext4 4.096.000 11.08.2011 05:54 -a--c
system.img.ext4 660.602.880 06.12.2011 05:17 -a--c
persist.img.ext4 4.496.000 06.12.2011 05:17 -a--c
cache.img.ext4 4.096.000 06.12.2011 05:17 -a--c
partition.bin 26.112 17.11.2011 16:49 -a--c
NON-HLOS.bin 25.081.344 17.11.2011 16:49 -a--c
MBR0.bin 512 17.11.2011 16:49 -a--c
EBR0.bin 9.216 17.11.2011 16:49 -a--c
cdrom.bin 10.485.760 16.11.2011 15:09 -a--c
Click to expand...
Click to collapse
or
and have a person with a brick try it out, then i will admit that this either failed or succeeded.
RussianBear said:
appreciate all the constructive criticism.
from here: http://android.modaco.com/topic/335078-retrieving-mbn-files/page__view__findpost__p__1642041
and also, how do you explain Chinese guys successfully (allegedly) de-bricking their phones?
either way, once we can get something similar to this (same msm chip as ours):
http://android.modaco.com/topic/351724-flashing-zte-unsigned-roms/page__p__1902193#entry1902193
or
and have a person with a brick try it out, then i will admit that this either failed or succeeded.
Click to expand...
Click to collapse
As I told you in the pm, we could unbrick that way only S OFF phones -really rare cases to be bricked that way. Also the Chinese guys were messing with ZTE bootloaders, which I doubt that they have the security of HTC's . If you insist and we find a volunteer with a bricked device, I guess we could try it... The worst case scenario is to stay bricked.
Sent from my HTC Sensation XE with Beats Audio Z715e using Tapatalk
I got a new Photon Q from USA
This is my first CDMA phone
I am trying to get it on Reliance CDMA network INDIA.
So, i am trying to edit settings via QPST
Accidently i selected NAM2 which was blank, No settings and phone numbers.
Now phone is trying to start with NAM2 and now it stuck on "Starting Service".
Only phone settings are access able form sliding bar, but IMEI, ESN are blank and baseband is unknown.
Phone is unrooted and running on Stock 4.1.2
Is there any way to get NAM1 back?
will Stock firmware flashing restore it?
This, almost exactly, is happening to me. See thread: forum.xda-developers.com/showthread.php?t=2436869&page=1
Stuck at Starting Services. I don't have a mobile carrier, that is fine, I only use Wifi. But Wifi and BT are both not working. If I hit ON, they turn back off instantly. Cna go to notification bar and settings only, homescreen won't appear, apps won't run. Thanks to anyone for any help!
It is not the same as you didn't use QPST and your phone isn't screwed.
Back to your thread, there you'll get an answer.
@lovepreet39, I'll look into QPST (again, so not my first time) but I won't try anything out, so I will only guess what you could do.
QPST is a powerful tool, trying anything around there might break the phone.
Epicenter714 said:
This, almost exactly, is happening to me. See thread: forum.xda-developers.com/showthread.php?t=2436869&page=1
Stuck at Starting Services. I don't have a mobile carrier, that is fine, I only use Wifi. But Wifi and BT are both not working. If I hit ON, they turn back off instantly. Cna go to notification bar and settings only, homescreen won't appear, apps won't run. Thanks to anyone for any help!
Click to expand...
Click to collapse
Please quit cross-posting. You've already created a thread dedicated to your issue, which is really all you needed - cross-posting dilutes the community effort, and we have quite a small community here.
I just flashed firmware again with RSD lite. Now phone booting properly and all features are available.
But it becomes useless because IMEI and MEID becomes zero.
I tried QPST, CDMA TOOL, CDMA Workshop
But i unable to restore MEID.
Please any body here tell me how to restore MEID/IMEI
What happens if you select NAM1 again?
Have you made a backup of your configurations? (That was the first thing I did.)
Loader009 said:
What happens if you select NAM1 again?
Have you made a backup of your configurations? (That was the first thing I did.)
Click to expand...
Click to collapse
Now NAM1 and NAM2 both are blank, i have a NV item backup but restoring it does not do anything.
Is there any way?
I want my ESN/IMEI/MEID back.
It is a new phone and now it becomes useless.
Update, It is connecting to wifi, but not receiving any data, a mark on wifi is blinking on wifi symbol.
Same wifi is working on my HTC one x
Theoretically you could try to modify the MAC-Adress of wifi and bluetooth etc. (just make sure it begins with the right symbols from the manufacturer).
This is only a temporary solution. (Mine begins with 80:96:B1:XX:XX:XX for both, wifi and bluetooth.)
My IMEI isn't printed anywhere if I remove the backplate. (Also not under the battery and the plastic plate.)
So if nobody knows where it could physically be, then there might be no way to get it. Except if you have the boxing, there is a chance that it's printed somewhere there.
If you have a backup, there may be a way to get it from there, I made both backups, the simple one (49KiB - modified, 48KiB unmodified) and the EFS-backup (496KiB - modified, no unmodified EFS-backup).
I'll test some programs from QPST and post the results.
edit: I might have found "part" of the IMEI.
Using the QCNView program from the QPST software pack I found a partial match to my IMEI.
Load the program, load your backup (make a backup of your backup! Just in case.)
Expand the "NV Items:" and scroll down to item #550 "NV_UE_IMEI_I".
Code:
Adress 0 1 2 3 4 5 6 7 8 9 a b c d e f
NV_UE_IMEI_I 0: ab cd ef gh ij kl mn op qr st uv wx yz AB CD EF
This is a hex-styled code table. The first line "Adress" isn't shown, it's for orientation.
My IMEI is partially build out of this table: _fghijklmnopqr_
Those two underlines "_" are not given in this table.
I think the first number is for the manufacturer and the last for variations. (You might have to research further for this.)
This way you have your IMEI nearly completely. But I'm not sure for MEID and ESN.
First number is 9 (it starts with "99") and last number is checksum (see Wiki), it's present only in IMEI and not MEID.
There is no problem with wifi MAC address, it is connecting without any problem, but not receiving any data.
and i have original box with original MEDI/IMEI on that.
But problem is that CDMA tools are failed to restore that.
Please first tell me what happens to wifi, why it is not receiving data?
and is there any way to restore original MEID/IMEI?
Keep in mind i know original MEID/IMEI
If the MAC address is given correctly you should receive data over Wifi.
I don't know any reason why it shouldn't work since it has nothing to do with the rest.
Maybe the whole SoC is a bit malfunctioning as some data is missing and... I can just guess, I'm not a pro in linux or android.
I'll look into QPST later again, maybe there is a way to type the MEID in somewhere.
(I have to flash between cm10.2 and stock JB, that's why I don't do it right away.)
Yay, double post!
I researched a bit, we need access to the "nvm" folder withing the EFS Explorer.
The "open sesame door" trick does not work, so I have no idea how to get access.
I'm searching for another solution but I think I won't find anything useful.
edit: Maybe this will work -> http://www.letitgrow.co/forum/viewtopic.php?f=40&p=183
Not tested. QXDM -> http://d-h.st/FW5 (Tested it right now, it's really for WinXP >.< Internet Explorer 6 or higher is needed O_O)
edit2: Using QCNView I also find "NV item: 1943" "NV_MEID_I". (Only in full EFS backup!)
The question is, how to get it on the phone. Maybe it will work to make a full EFS backup, modify (somehow, texteditor?) the file and reflash it.
But i do not have a EFS partition backup
I only have NV items backup.
and i already tried QPST on stock 4.0.3, It is not working.
I also tried Bluetooth, It is connecting to other devices, but not receiving any files/data.
This clearly shows there is something corrupted.
may be EFS partition is corrupted.
Any one here please give me a EFS partition backup and guide how to restore it.
For backup and restore you may use QPST Software Download.
Type in the SPC and choose the location for the file.
The program is self explanating, if you don't understand something, just ask.
I agree that something have to be corrupted but for now we should try to get MEID (and maybe ESN) back working.
With some luck the SoC needs these data to function correctly. If not, we may need to dig deeper.
But my knowledge was (at the beginning) only changing the UMTS used frequencies (that's what I used QPST for).
So I'm on explore and try. (And I'm using google to search for ways to restore ESN/MEID.)
Please note, a modification of the full EFS backup may not work, I'm sure there are some checksums somewhere to prevent corruption.
But that's the only way I see, without access to the nvm folder within the EFS Explorer.
As soon as the MEID/ESN/IMEI is working correctly again I recommend to flash the FXZ file, this may be enough to get everything working again.
edit: Please note, any backup withing QPST (especially EFS and NV items) may contain MEID/IMEI/ESN.
You should never share it unless you know what you are doing. That's why I do not share my backups.
I am india, if you are living outside india, then please share ESF with me via email.
Sharing is safe if you are not in india.
and i am on stock refresh rom.
Full name : asanti_c-user-4.0.4-7.7.1Q-6_SPR-125_ASA-10-11-release-keys-Sprint-US.xml
Now Connected to QPST, please tell me how to backup and restore.
Update: 1
i mada a backup
in QCNviewer, first item indicare ESN, but all zeros
Mobile Properties:
ESN: 0x00000000
Phone Model: 255 [Unknown Model]
NV Major: 0
NV Minor: 0
SW Version: M8960A-AAAANAZM-1.0.103205
Client Name: QPST Software Download 2.7.0.264
NV item: 0 [NV_ESN_I], index 0
NV_ESN_I 0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
NV_ESN_I 1: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
NV_ESN_I 2: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
NV_ESN_I 3: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
NV_ESN_I 4: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
NV_ESN_I 5: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
NV_ESN_I 6: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
NV_ESN_I 7: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
and "NV item: 1943" "NV_MEID_I not found
Update 2
I checked my old original backup which is made by NV-items_reader_writer
NV item: 0, have some values which is non zero.
and NV item: 1943 is also present and have non zero values.
So, i tried to restore with NV item r/w
Complete items - 1922
But after restore it alerts
1915 items has been restored sucussfuly
My phone number and some other settings return to old.
But MEID/IMEI is still zero
Update 3
I tried CDMA tools and also tried to restore NV items.
But Unable to restore MEID/IMEI
I think it is due to Locked nvm folder.
Is there any way to unlock it?
I'm sorry but I won't share my EFS backup.
As I said you could try to modify your EFS backup with a hex editor.
This way you would modify the ESN and MEID and try to flash it back.
Please tell me which hex editor you use so I can give you the exact position of MEID and ESN.
You will modify these and look if the modification is a success.
If it's not, a modified EFS backup won't work.
Theoretically an unmodified backup may work, but I won't give my EFS backup.
I guess (as you too) that the nvm folder is locked and modifications on IMEI/MEID/ESN are not possible at the moment.
The trick (earlier) was to make a folder called "open sesame door" at root and then reboot but I tried this and it don't work.
You are right this trick is a fail for Photon Q.
As, i said i tried to restore my old backup which has IMEI,MEID,ESN.
But failed.
I think some nv items like MEID,IMEI,ESN are only readable, not writable.
The only way is to make them writable.
Only a linux/android can tell how a folder can be unlocked.
Phone is not accepting IMEI/MEID from original backup, so HEX editor is also use less.
Main problem is that NV item 1943 is missing from the phone.
Update 1:
I am not a expert
But this is my imagination
If we can find efs partition via ADB in pc
and then edit and replace it.
I searched google, there are some guides for efs fix via adb for samsung.
We can also chmod folder and files in adb.
So, may we chmod nvm partition in adb?
i think a root is required for that
We can simply use some commands
like cp, pull, push
what do you think?
That is an idea but I doubt that it will work.
Still worth a try.
Maybe this will help you to find out which partition your are looking for
-> http://forum.xda-developers.com/showthread.php?t=1959445
Looking at this tutorial (thx zodiac12345 for posting it) -> http://www.cricketusers.com/sprint-...-q-4g-lte-cricket-talk-text-mms-internet.html
There is a Video under "Send NV Items / QPST" and at 4 minutes he is going to do something I didn't do.
I don't know what for he is doing it but it seems to be necessary.
Maybe this will unlock the nvm folder but I haven't tested it. (Too lazy to flash Stock again.)
This a question/project suggestion for devs. All newest models of most popular mobile CPUs, such as Snapdragon, Exynos, MediaTek and Kirin have onboard LTE modem, which supports worldwide LTE - all 41 frequency bands. It pisses me off to no end that some manufacturers, like Huawei discriminate against North America and release their flagship devices, such as Huawei MediaPad X2, Huawei P8Max everywhere in the world, but US and Canada. They enable 3-4 desired LTE bands in the radio firmware, based on the region, and lock the rest. For a long while now I have been wondering if it would be possible to develop a set of universal tools, one per SoC, which would allow enabling any desired LTE band in the radio firmware?
If it's doable - I think this is a project, which would benefit millions of people, and remove all those stupid regional restrictions phone makers place, when they release devices. I am willing to setup either a Kickstarter or Indiegogo project, or even a simple PayPal account, so people could contribute to this cause, if there are any devs, interested in taking this on.
I found this thread: http://forum.xda-developers.com/galaxy-s5/general/how-to-add-rf-lte-frequency-bands-to-t2886059
It looks like a good start, but it's only for Qualcomm chips and a lot of manual steps. Similar guide for Kirin and MediaTek SoCs will be much appreciated.
@Apo11on I agree it sticks hopefully one of the capable devs could use mtk droid tools or unclemobile to unlock the lte bands.... One could only wish....
Nothing new here? I guess we could ask the mtk droid tools dev if this is something realistic.
I have tried to play arround with nvram but nothing good came from that
I would really love to figure out how to unlock additional LTE bands with MTK. Any updates or progress on this that anyone knows of?
Hello from Turks and Caicos! Any chance to unlock additional LTE bands with Mediatek MTK ? I need to unlock band 17 on my MTK6735 Cubot X17!
Thanks in advance.
I was going to ask the same question. Is that even possible to unlock lte bands on MTK based phones?
I personally would like to do that to my UMI SUPER.
If anyone has been able to do so it would be awesome.
gafty said:
Hello from Turks and Caicos! Any chance to unlock additional LTE bands with Mediatek MTK ? I need to unlock band 17 on my MTK6735 Cubot X17!
Thanks in advance.
Click to expand...
Click to collapse
Any update on that??
I'd be interested also, especially for mediatek processors.
If this was made possible that means any phone the market we be instantly available. That would be too awesome to stand!!!!
Any news ?? I've got an Oukitel U13 and the same problem with the disabled bands.
Any update on this? Need to unlock bands for Doogee Mix 2
ROM work
jason2982 said:
Any update on this? Need to unlock bands for Doogee Mix 2
Click to expand...
Click to collapse
i have a u16 (similar to matip666 u13) that i tried to convert the rom to the one from the BLU life one x as described in this post npcglib.org/~stathis/blog/2016/04/13/turned-blu-life-one-x-wiko-fever-4g/ It bricked the u16 , so i had to reinstall the original rom from the u16 that I luckily found online. Does anyone know of another phone with the same hard, and software as the u16.....or tried anything like that on the Doogee Mix 2 ?
You got a hell of a tutoriel to add lte bands on Qualcomm chip set ! What about MTK chips any chances anyone did the same ? Ive been roaming this forum for days cant find anything that helps :-/. I got a chinese Oukitel K6 and only one LTE band works ... man i wish i could add some more
pleasseeeeeeeeeeeee make this happen , my dumb ass bought s50 and figured i could root it n make work better than 2g but luck so far,,
any info be much appreciated I can only talk text n send pics, i cant even open a web page..
Thanks Crip
Many people would benefit from development like this, especially with regards to mtk chipsets. I have noticed that engineering mode is left out of some newer device's factory ROMs which makes it even more difficult to obtain control of those settings.
Any news??!
news about Hi-Silicon Kirin chipset [Fig-LX1]?
Some progress
Hello everyone, today I discovered a method of unlocking LTE bands on a MT6735M based phone (Alcatel One Touch PIXI 4). This might work on other MTK devices, but I have no way to test.
Everything you do is at your own risk and I'm not responsible if you brick your device! Always have the ROM backed up!
To perform this you need:
MTK EngineerMode access
SP FlashTool
Copy of the phone's stock ROM
A hex editor (I use HxD)
How to change the LTE unlocked bands:
1. In your phone's stock ROM folder, there should be a file called "nvram.bin" open it in a hex editor.
2. In the hex editor, go to offset 00021920 (other SoCs might have a completely different offset for the LTE bands values, some might not even have the NVRAM file!)
That will look something like this:
00021920 FF FF FF FF FF FF FF FF FB FB 01 00 00 00 01 00
00021930 00 00 03 00 00 00 04 00 00 00 07 00 00 0D 00
00021940 00 00 11 00 00 00 14 00 00 00 05 00 00 00 08 00
I made the values for LTE band bold to make it easier to see, however in the hex editor you have to find the start and end yourself depending on the bands your phone has already unlocked.
In my case the unlocked bands are: 01, 03, 04, 07, 0D, 11, 14 or in decimal 1, 3, 4, 7, 13, 17, 20.
All you have to do is change those values. Remember it's in hexadecimal, so if you want to unlock for example band 28, you don't write 28, but 1C. Also don't add any extra to the file, just overwrite values.
After changing the bands, just save the file and flash it with SP FlashTool. (Load scatter file, only select nvram and select the location of the file you edited, then flash.)
Then in MTK Engineer Mode check if you succeeded by going to tab telephony, select BandMode and scroll down to LTE.
This worked for me, however i can't guarantee that it wil work for you as well.
How can you find the right values in the NVRAM file? I personally spent about 40 minutes searching through the file to find these, though there might be a more efficient method.
I hope i can make this into an application which does everything automatically and for as many SoCs as possible, I'll give updates if i make any more progress on this.
Didex65 said:
Hello everyone, today I discovered a method of unlocking LTE bands on a MT6735M based phone (Alcatel One Touch PIXI 4). This might work on other MTK devices, but I have no way to test.
Everything you do is at your own risk and I'm not responsible if you brick your device! Always have the ROM backed up!
To perform this you need:
MTK EngineerMode access
SP FlashTool
Copy of the phone's stock ROM
A hex editor (I use HxD)
How to change the LTE unlocked bands:
1. In your phone's stock ROM folder, there should be a file called "nvram.bin" open it in a hex editor.
2. In the hex editor, go to offset 00021920 (other SoCs might have a completely different offset for the LTE bands values, some might not even have the NVRAM file!)
That will look something like this:
00021920 FF FF FF FF FF FF FF FF FB FB 01 00 00 00 01 00
00021930 00 00 03 00 00 00 04 00 00 00 07 00 00 0D 00
00021940 00 00 11 00 00 00 14 00 00 00 05 00 00 00 08 00
I made the values for LTE band bold to make it easier to see, however in the hex editor you have to find the start and end yourself depending on the bands your phone has already unlocked.
In my case the unlocked bands are: 01, 03, 04, 07, 0D, 11, 14 or in decimal 1, 3, 4, 7, 13, 17, 20.
All you have to do is change those values. Remember it's in hexadecimal, so if you want to unlock for example band 28, you don't write 28, but 1C. Also don't add any extra to the file, just overwrite values.
After changing the bands, just save the file and flash it with SP FlashTool. (Load scatter file, only select nvram and select the location of the file you edited, then flash.)
Then in MTK Engineer Mode check if you succeeded by going to tab telephony, select BandMode and scroll down to LTE.
This worked for me, however i can't guarantee that it wil work for you as well.
How can you find the right values in the NVRAM file? I personally spent about 40 minutes searching through the file to find these, though there might be a more efficient method.
I hope i can make this into an application which does everything automatically and for as many SoCs as possible, I'll give updates if i make any more progress on this.
Click to expand...
Click to collapse
So was there any of the bands that you activated not come with your device? I guess what im trying to figure out is what lte bands can we actually activate that is compatible with our cpus? Thanks.
Didex65 said:
Hello everyone, today I discovered a method of unlocking LTE bands on a MT6735M based phone (Alcatel One Touch PIXI 4). This might work on other MTK devices, but I have no way to test.
Everything you do is at your own risk and I'm not responsible if you brick your device! Always have the ROM backed up!
To perform this you need:
MTK EngineerMode access
SP FlashTool
Copy of the phone's stock ROM
A hex editor (I use HxD)
How to change the LTE unlocked bands:
1. In your phone's stock ROM folder, there should be a file called "nvram.bin" open it in a hex editor.
2. In the hex editor, go to offset 00021920 (other SoCs might have a completely different offset for the LTE bands values, some might not even have the NVRAM file!)
That will look something like this:
00021920 FF FF FF FF FF FF FF FF FB FB 01 00 00 00 01 00
00021930 00 00 03 00 00 00 04 00 00 00 07 00 00 0D 00
00021940 00 00 11 00 00 00 14 00 00 00 05 00 00 00 08 00
I made the values for LTE band bold to make it easier to see, however in the hex editor you have to find the start and end yourself depending on the bands your phone has already unlocked.
In my case the unlocked bands are: 01, 03, 04, 07, 0D, 11, 14 or in decimal 1, 3, 4, 7, 13, 17, 20.
All you have to do is change those values. Remember it's in hexadecimal, so if you want to unlock for example band 28, you don't write 28, but 1C. Also don't add any extra to the file, just overwrite values.
After changing the bands, just save the file and flash it with SP FlashTool. (Load scatter file, only select nvram and select the location of the file you edited, then flash.)
Then in MTK Engineer Mode check if you succeeded by going to tab telephony, select BandMode and scroll down to LTE.
This worked for me, however i can't guarantee that it wil work for you as well.
How can you find the right values in the NVRAM file? I personally spent about 40 minutes searching through the file to find these, though there might be a more efficient method.
I hope i can make this into an application which does everything automatically and for as many SoCs as possible, I'll give updates if i make any more progress on this.
Click to expand...
Click to collapse
So i figured out my devices complete block list. However its telling me that its a read only file system. Stock rom doesnt have this to be flashed. Thanks