Hi everyone,
I chanced upon an exciting discovery today that we can talk to the radio bootloader aka OEMSBL through loading the DREADIAG.NBH image.
Here's how it goes:
1. Load DREADIAG.NBH into your microSD card
2. Boot up your phone by pressing <Camera>+<Power>
3. Connect your phone to your computer by USB
4. Start up MTTY and connect to the USB port
5. Press enter and you should get the DIAG> prompt
Typically, you can type ? and press <enter> for a list of the available functions, which are
RSNOK ->Read SN OK flag
WSN ->Write MB SN
WOK ->Write OK flag
WMID ->Write model ID
RMID ->Read model ID
WHTSN ->Write HTSN
I looked through DREADIAG.NBH (5.04R) and noticed there were some undocumented commands which you could type at the DIAG> prompt:
ATCMD
T1
MB
MC
MS
CS (checksum?)
BB (something to do with bad blocks"
Typing ATCMD and <enter> leads you into the radio bootloader, aka OEMSBL. My T-Mobile G1 was security locked so only the few commands were available:
radata
powerdown
setboot
GO2AMSS
rseed
pmic_vib_off
pmic_vreg
pmic_level
pmic_vib_on
rpass
Hoping to get the phone into download mode, I typed "setboot 1" and rebooted the phone. Typically, that reboots the phone back into the Tricolor Bootloader for the Kaiser, but apparently NOT for the T-Mobile G1. Now all I get is a blank screen with no USB output even when I try the <Camera>+<Power> combination. So darn bricked... unless there's some output through the UART at the ExtUSB for which I don't have the cable for...
Can anyone help?
Btw, I'm on a rooted RC30 with Cmonex's HardSPL.
josh_2n said:
Hi everyone,
I chanced upon an exciting discovery today that we can talk to the radio bootloader aka OEMSBL through loading the DREADIAG.NBH image.
Here's how it goes:
1. Load DREADIAG.NBH into your microSD card
2. Boot up your phone by pressing <Camera>+<Power>
3. Connect your phone to your computer by USB
4. Start up MTTY and connect to the USB port
5. Press enter and you should get the DIAG> prompt
Typically, you can type ? and press <enter> for a list of the available functions, which are
RSNOK ->Read SN OK flag
WSN ->Write MB SN
WOK ->Write OK flag
WMID ->Write model ID
RMID ->Read model ID
WHTSN ->Write HTSN
I looked through DREADIAG.NBH (5.04R) and noticed there were some undocumented commands which you could type at the DIAG> prompt:
ATCMD
T1
MB
MC
MS
CS (checksum?)
BB (something to do with bad blocks"
Typing ATCMD and <enter> leads you into the radio bootloader, aka OEMSBL. My T-Mobile G1 was security locked so only the few commands were available:
radata
powerdown
setboot
GO2AMSS
rseed
pmic_vib_off
pmic_vreg
pmic_level
pmic_vib_on
rpass
Hoping to get the phone into download mode, I typed "setboot 1" and rebooted the phone. Typically, that reboots the phone back into the Tricolor Bootloader for the Kaiser, but apparently NOT for the T-Mobile G1. Now all I get is a blank screen with no USB output even when I try the <Camera>+<Power> combination. So darn bricked... unless there's some output through the UART at the ExtUSB for which I don't have the cable for...
Can anyone help?
Btw, I'm on a rooted RC30 with Cmonex's HardSPL.
Click to expand...
Click to collapse
Hi, I don't know if you already fixed it... but do you get a USB connection on boot?
If you do, maybe you can use qualcomm's drivers (packed from some motorola phones), to get to the oemsbl back on boot (that's what happened to me yesterday on a similar phone)
If you don't, you can also try the oemsbl bootloader key combination: Green+power after inserting the battery. That should also bring up a usb connection where you can connect through mtty/putty and 'setboot' it back...
Any luck here? I just discovered this while playing with the diag image as well. Luckily I found this post before further bricking my "bricked" phone.
Oemsbl is not a program to deal with unless you know exactly what you're doing, mostly because you can erase a lot of data wich is needed for boot, and you might render your phone unusable if you mess it up. Anyway, if your phone is stuck in there and its because of a setboot, you can get "frankenkaiser" package (look for it) and pick the drivers from there, and then connect the phone and fix whatever you did. Don't install the spl wich comes with the package though, because you'll probably brick your phone.
Yeah, dont brick your brick... (sorry, really wanted to say that)
Thanks. My phone's stuck in between a rock and a hard place... (heh, a brick). It's not really bricked, it just won't boot any available official images. I need to find an RC33/RC9 or newer nbh file to load.
Related
All,
Somehow my bootloader got trashed while swapping memory cards and I'd like to easiest fix to get it going again. (At Tri-Color screen) If I plug it in and run RUU_Kaiser_Cingular_WWE.exe (I'm running nonbloat Tilt rom) it'll start the upgrade, stop at about 1%, but the phone will boot and everything is there. So I'm just looking for a quick way to make it stick so I don't have to do that anymore..
I'll play with cooked ROMs soon, everything is working GREAT for the time being and I don't wanna reinstall!
Thanks all!
-RT
Doesn't sound like you have HardSPL installed but this should fix your problem (at least your issue sounds very similar) ... after you get it fixed you should consider installing HardSPL.
Credit to pof for the instructions below which were part of his now dead SSPL thread for Kaiser:
For those of you had the phone stuck in bootloader mode after flash with SSPL stopping at 16%, follow these instructions to unbrick your phone:
1. Download mtty.exe
2. Disable activesync (connection settings -> uncheck "allow usb connections")
3. Connect your Kaiser to PC using USB cable.
4. Open mtty, select USB port and click OK.
5. Hit ENTER twice, you should see the "Cmd>" prompt.
6. Type the command "boot", you should see something like this:
Code:
Cmd> boot
InitDisplay: Display_Chip=1
No card inserted
OSSIReadBack ++
Read SI data from flash success
tail signature match
Checksum match
UserStorageSIPreload ++
After that device should boot WM6 again, you can now re-enable USB connections in activesync and flash HardSPL
Click to expand...
Click to collapse
Good Luck
Ahhh!
I didn't find it in the Kaiser forum, but in the Hermes wiki!
Seems that I just had to connect via mtty (to USB, not a COM port! ) then just issue a: set 14 0
Then did a soft reset and all was well!
Back in business!
Now, maybe I'll start playing with some ROMS!
Thanks again!
-RT
hello i have the same problem after i tried to sim unlock my mda vario iii i tried to do what you proposed but didn't work this is what i get when i tried to boot from mtty
Fill RSVD information for block 288 to 309
TAG NOT FOUND !!! NOT CLEAR STORAGE !!!
No card inserted
OEMIPLInit clear 10MB ext RAM
OEMGetUpdateMode
FMD_ReadSector+, bad block no=0x15440, status:0x0
FMD_ReadSector+, bad block no=0x15440, status:0x0
FMD_ReadSector+, bad block no=0x15440, status:0x0
IPLMSG:0x2:ERROR: Failed to open storage partition.
i would apreciate if you can help me
Stuck in Bootloader
Hi everyone,
I tried using MTTY.exe on a XP machine. The option for USB shows up but when i type the command "boot" i get command error. Please help!
KAIS130
SPL-1.93.0000
CPLD-8
on the right top corner the tri-color screen displays RUUNBH
I tried HARD-SPL / gets stuck on 0% and the RUU goes into recovery mode later. Tried stock ROM (Invalid ID).
eddiesantiago said:
Hi everyone,
I tried using MTTY.exe on a XP machine. The option for USB shows up but when i type the command "boot" i get command error. Please help!
KAIS130
SPL-1.93.0000
CPLD-8
on the right top corner the tri-color screen displays RUUNBH
I tried HARD-SPL / gets stuck on 0% and the RUU goes into recovery mode later. Tried stock ROM (Invalid ID).
Click to expand...
Click to collapse
should've read further. You'd of seen my post on Different SPL's & their different command capabilities.
For 1.93 SPL you can issue cmd>task 8
You need to install hardSPL once you get it going, because you DON'T have it know.
GSLEON3 said:
should've read further. You'd of seen my post on Different SPL's & their different command capabilities.
For 1.93 SPL you can issue cmd>task 8
You need to install hardSPL once you get it going, because you DON'T have it know.
Click to expand...
Click to collapse
Thanks for your response GSLEON3
I followed your instructions and used the Task 8 command for the 1.93 SPL
The device turn off and comes back to the same Tri - color screen with RUUNBH on top right. Tried flashing Hard-SPL stuck on 0%. Please help
Anything you found eddiesantiago ?
Hi eddiesantiago,
did you find any solution to your problem, i have a similar issue.
My Tilt Shows :
KAIS1*0
SPL-1.93.0000
CPLD-8
on the right top corner the tri-color screen displays RUUNBH
Please reply if you got it fixed.
TIA,
Dhaval.
same issue
My tilt shows the same info here, is this normal? I need to verify this before I send my TILT back to ATT...
Thanks
None of the HTC SPLs for Kaiser (and other MSM7x00 models sich as Wings, Niki, Polaris etc.) support the AT command interpreter mode. I have patched the olipro HardSPL and added support for AT command mode.
To install it you must run the SSPL (e.g. this one here).
If it installed correctly you will see "SPL-1.1.JockyW" in the top left corner of the tri-color bootloader screen.
Use it as follows:
- enter bootloader (press and hold camera and then press power on)
- type "rtask 4"
- type "rtask 7"
- type "ATE" (turn on screen echo)
- type "ATV1" (verbosity 1)
- type "ATI" (information and IMEI)
- type "retuoR" (return to SPL interactive command mode)
- type "ResetDevice"
There are many interesting GSM AT command interface commands described in the Hermes Wiki. If you installed my SuperCID and Security Unlocker you can set/reset simlocks, and much more
Have fun!
Thanks again jocky! Very nice patch indeed
thanks a lot. I'm gonna try it now.
hm, the only thing that doesn't want to work is the command to reset the timer.
Code:
[email protected]?0
@TALK: 000000D6
OK
[email protected]?1
@TALK: 00000C12
OK
[email protected]=270F,270F
ERROR
You can only reset talk time if your device is security unlocked.
I get this:
Code:
[email protected]=270f,270f
OK
@jockyw:
Altough I've already done with all instructions (SSPL, 1.1 jockyw), I have the same error in mtty when try to use [email protected]= command...
Do you have any idea why? I have a nonbranded HTC device.
As said before, your device isn't security unlocked yet ...
Check this
I tried At command with no luck.
this is what I get after type in rtask b:
Cmd> rtask b
Enter Radio Image
POWER OFF PMIC VREG_USB : SUCCESS!
C VREG_USB : SUCCESS!
never get the 0, all I get is couple of new hardware found message from Window, MTTy just hangs and do nothing, what did I do wrong I have 1.1 JockyW SPL and have security unlocked message on bootloader screen, appreciate any help or hints. thanks in advance.
P.S. i am use XP64, could this be the problem
can anyone offer any help, thanks
ron freeman said:
can anyone offer any help, thanks
Click to expand...
Click to collapse
I have the same problem. As a matter of fact, I get command error with most AT commands entered. Anyone know how to fix this?
Also, how can we verify if the phone is SuperCID and security unlocked?
Same Thing Here
I Have The Same Error Message and it tells me that it found new hardware, actually 3 "Data Interface" and it's Stuck...
The Message
Cmd>rtask 4
Cmd>rtask 7
Enter Radio Image
POWER OFF PMIC VREG_USB : SUCCESS!
C VREG_USB : SUCCESS!
and after that, nothing... another thing, the bootloader it shows on the top
Security Unlocked
KAIS1*0 MFG
SPL-1.0.OliPof
CPLD-8
And in the bottom it shows
USB
i already put the kaiser_hardSPL_1.1_AT-support.zip and still nothing...
What can i do?? i want to reset the Timer because i bought it on eBay and it shows me 45 hours of use, i only called like 7 times and i don't have that much time... thanks
I tried it also to flash to another rom. But at 16% it stops and i dont now why but i cant repair the rom. When i reboot the kaiser phone he comes directly in bootloader mode.
The do nothing anymore, i tried to flash from sd or mtty. Nothing works.
By mtty, i get the error that the command boot is a false command.
So i think my phone is really ****t up. this is really the firt time in 3 years my phone stops and i cant find solutions on XDA.
I can found only this tread with :
For those of you had the phone stuck in bootloader mode after flash with SSPL stopping at 16%, follow these instructions to unbrick your phone:
1. Download mtty.exe
2. Disable activesync (connection settings -> uncheck "allow usb connections")
3. Connect your Kaiser to PC using USB cable.
4. Open mtty, select USB port and click OK.
5. Hit ENTER twice, you should see the "Cmd>" prompt.
6. Type the command "boot", you should see something like this:
Code:
Cmd> boot
InitDisplay: Display_Chip=1
No card inserted
OSSIReadBack ++
Read SI data from flash success
tail signature match
Checksum match
UserStorageSIPreload ++After that device should boot WM6 again, you can now re-enable USB connections in activesync and flash HardSPL
But it won't work.
I hope somebody can help me a litlle.
Greeting Thetmar.
are you trying to flash a rom using sspl-kais.exe?? and then it got stuck at 16%??
Why you dont use hard spl??
have you read the wiki first before flashing your device??
carefull with mtty...can brick your phone forever
cheers
I'v used mtty ande the command set 16 0.
And my phone is working again perfectly, only i can't get another rom on it!! I't stuck on 0% with all the spl versions. And the computer says 260 communication error.
I think i go back to the shop and ask for another phone.
My buddy has no problem to flash it. And i had the same phone and have bseveral problems.
Many many downloads and software on this site but i think i tryed almost everything.
Already thanks for saving my phone
error 260 is an open port error, you can try changing usb ports, rebooting your pc, turning off firewalls/antivirus
and you still did not answer me, are you using sspl to flash your phone??? i seriously doubt there is anything wrong with the phone.
May 24th, 2008
FrankenKaiser SPL Loader
This is a fast application image downloader which can download e.g. spl or android to the phone when the phone is in dload mode. This can for example be useful for developers to test a SPL from another device w/o the need to flash them
======================================================
DISCLAIMER: This method involves erasing SPL & OS and requires correct data entry by the user. I will not take any responsibility for any malfunctions and or damages caused by using this method and software.
======================================================
Prerequisites:
- a *security unlocked* HTC MSM7x00 device
- QC diag drivers installed (e.g. MotoQ)
This was tested with a Kaiser, Niki and Wings
Steps are:
1 power down
2 hold green send key and power on, the phone will enter radio bootloader (oemsbl)
3 connect with MTTY (COMn) and type "dload" to put phone in dload mode
4 close MTTY, reconnect USB, run my new downloader in a CMD box, e.g. "./FrankenKaiser-SPL-Loader.exe /dev/com4 SPL1.56-KAIS-unbricker.nb (substitute com4 by the com port of your qc diag driver)
5 hold send key and press soft reset with stylus (on phones like Nike this is not possible, in that case you must add "setboot 1" to step 3 before typing "dload" and in step 7 add "setboot 0" before typing "dload")
6 connect with MTTY (COMn) and type "mw 901708 1 e1a00000"
7 type "cego" (press and hold camera to enter tricolor bootloader mode)
Have fun!
may i be one of the first to say Thank you.
jumpspl, supercid and security unlocker, frankenkaiser .. man you are owesome.
A truly gifted individual and thank you for all your hardwork.
Thanks, Jockyw2000, your work really rocks, but...
OEMSPL did not work for me (HTC Wings)
Ive hold down the green button and tapped the PowerButton=>Boots normal.
Offtopic;
My Question is; Is it possible to "Switch" the GPIO 0x5c (Kaiser SimDoor) from 0 to 1 manually?
Because i want to "port" a KaiserRom over to my Wings, but ive getting trouble with this annoying "Sim Door Open, please close it.Phone shuts down in 10 seconds..." warning.
arpy said:
Thanks, Jockyw2000, your work really rocks, but...
OEMSPL did not work for me (HTC Wings)
Ive hold down the green button and tapped the PowerButton=>Boots normal.
Click to expand...
Click to collapse
Your Wings is not security unlocked, so you can't enter oemsbl that way.
Offtopic;
My Question is; Is it possible to "Switch" the GPIO 0x5c (Kaiser SimDoor) from 0 to 1 manually?
Because i want to "port" a KaiserRom over to my Wings, but ive getting trouble with this annoying "Sim Door Open, please close it.Phone shuts down in 10 seconds..." warning.
Click to expand...
Click to collapse
Afaik that's possible.
Security Unlocked?!?
Ähh...ok...isnt enought to flash your HardSPL?
...but youll give me some hope...now i digg deeper into this phantastic Forum...
Just a quick question Jocky....
How does this differ from using MTTY to upload SPL to our Kaiser?
kyphur said:
How does this differ from using MTTY to upload SPL to our Kaiser?
Click to expand...
Click to collapse
How do you use MTTY to upload a SPL then ?
jockyw2001 said:
How do you use MTTY to upload a SPL then ?
Click to expand...
Click to collapse
I'm asking with all due respect. I haven't done it. To be honest I haven't flashed anything with MTTY since I had my Hermes last year but I was under the impression that we could.
If we can't then you have answered my question as the difference is exactly that!
In the quest for knowledge we all sometimes ask apparently dumb questions...
So with this thing I can make my deviece look as a MSM7500. To boot up HaReT all the time???
kyphur said:
I'm asking with all due respect. I haven't done it. To be honest I haven't flashed anything with MTTY since I had my Hermes last year but I was under the impression that we could.
If we can't then you have answered my question as the difference is exactly that!
In the quest for knowledge we all sometimes ask apparently dumb questions...
Click to expand...
Click to collapse
obviously you can, the RUU uses mtty commands to download the images.
When I run FrankenKaiser-SPL-Loader.exe , WindowsXP closed DOS window with error.
What is wrong ?
WBR !
Sorry, duble.
"mw 901708 1 e1a00000"
what's at address 901708 and why change it to E1 A0?
ma kaiser dead or not please help will donate with paypal 50pounds if you can help
wait ....to resolve this .
gsmhackerns said:
I use hard spl and install radio to unlock my htc tytn bat after this i flash with this rom :RUU_Kaiser_HTC_WWE_1.25.405.0_22.39.82.00.b_1.27.04.15_Test
My phone complete all proces 100% bat after this can not boot or charge no ligh no bootloader as i can see now it have only radio bootloader (oemsbl) and i found and install driver and see in device menager com ports quacom diagnostic interface 6000 and qualcom nmea device...Can you help me to unbrick my kaiser with frankenkaiser spl loader i will donate with paypal you please...pm fuull instuction or can you create for me exe file with all .thanks.wait you.
Click to expand...
Click to collapse
Did you security unlock your device before this happened?
Ta
Dave
DaveShaw said:
Did you security unlock your device before this happened?
Ta
Dave
Click to expand...
Click to collapse
i install hard spl unlock device bat after flash complete 100% my phone always go in oemspl can not go in normal bootloader or power on.
Since it doesnt seem as though you unlocked the phone, just download an oem rom/radio combo for the phone from the operator it belongs on ( IE , if it is an ATT TILT, download from HTC the latest rom off their website JUST for the att tilt )
This should fix you up
DaveShaw said:
Did you security unlock your device before this happened?
Ta
Dave
Click to expand...
Click to collapse
Dave i have same prob...device allready unlocked before flash... no power on, no bootloader mode... on pc recognized like diagnostic.... what can i do?
Frankenkaiser error
I managed to brick my device real good. When I start the device, holding down green send, and run mtty to run the dload command, I get Invalid command : dload. Im in deeper than I bargained for. Whats next?
the0ne.john said:
I managed to brick my device real good. When I start the device, holding down green send, and run mtty to run the dload command, I get Invalid command : dload. Im in deeper than I bargained for. Whats next?
Click to expand...
Click to collapse
What did you do? task 2a?
Are you security unlocked? What SPL do you have?
Thanks
Dave
Hi
I have problem with my HTC TYTN II phone.
I probably erase, by mistake, the boot loader in my PDA using MTTY program.
Now I can’t load my boot loader (by pressing the Camera and Soft Reset buttons).
While pressing the Power button only the Green LED is working.
I successes communicate with my PDA using hyper terminal but I don’t have the Boot loader files to upload into my device.
Where can I find those files?
Is there other way to solve this problem?
Need an urgent help, before sending it back to HTC Lab.
thanks
search for the frankenkaiser thread....
**edit**
http://forum.xda-developers.com/showthread.php?t=394584&highlight=frankenkaiser
Let me know your last ROM & radio Version. I have a set for two different ones right now. Beyond that it will take Jocky making a few changes. I have now though one two or three versions, but I need to know your radio & rom version at the time when you bricked it.
Thanks i will try this link.
My situation is as follows.
I'm able to communicate with the device using the terminal connected to the COM port with the motoQ drivers. I'm able to get response to the simple commands like RADATA RSEED etc. I'm unable to get response to commands like DLOAD MW CEGO etc. I deduct from this that I'm in locked mode so I can't use the frankenKaiser-spl-loader to upload the "unbrick" image to the device. Is there a way to unlock the device in this mode as I can't use the SPL to do it?
Thanks.