root Unlock Sidekick. My WAY root (A.K.A SHORT BOII) - T-Mobile Sidekick 4G

This is my way of unlocking my Sidekick 4G.
CHECK if yours is unlocked or locked by dialing *#7465625# and look at network lock. If it's on under that crap, go ahead! If it's off, idk why you're here, oh well.
APPS
ROOT ROOT ROOT
get HEXEDITOR by tuba
optumal root explorer
1. fire up hexeditor and go to efs>root>afs>settings>nv_data.bin and open it
2. press menu and press find, look for 01
3. okay, look for something like ff 01 00 00 and ff ff ff ff ff ff 01 00, basically lines with 01 and 00 or ff's, nothing else (on mine it says 00010000 at front and 00001508, 00001468, about it)
4. now change the 01 to a stable 00 and menu save
5. now restart
6. enter desired sim card or dial *#7465625#; if network lock's off then you did it for free

has it worked
Has it worked for anyone? I had meant look for 00 00 00 type lines with 01's in them and/or ff's, like I found 01 00 00 00 00 or something like that. (Did it work? >.< It was 4am when posted and I woke up at 7am that day (like every day).

Related

[REQ]Capture ELF/ELFIN Device ID and CID ID (to help CyZeek)

Hi Everyone
I'm posting this to help out CyZeek.
To capture ELF/ELFIN Device ID and CID ID using MTTY and USB Monitor Lite on XP SP2 and Vista x64
You will need:
1. A demo copy of USB Monitor Lite
http://www.hhdsoftware.com (the demo is fully functional for 14 days).
2. A Copy of MTTY (and you need to be basically familiar with it)
Put your Device into Boot Loader
Assuming your device is not already at the TSoD (Tricolour Screen of Death) - if it is skip this instruction and move on to the next section.
1. Press and hold your camera button
2. Press reset with stylus
3. Wait 5 seconds and release the camera button
Kill ActiveSync USB Connections - XP
1. Reboot your PC without a mobile device connected to USB.
2. After your PC has rebooted Right Click the Active sync Icon in the system tray and select "Connection Settings"
3. Turn off USB
-or-
Kill ActiveSync USB Connections - Vista
Download and install MS Windows Mobile Device Centre from here: http://www.microsoft.com/windowsmobile/devicecenter.mspx
1. Reboot your PC without a mobile device connected to USB.
2. After your PC has rebooted click Start -> All Programs -> Windows Mobile Device Centre
3. Hover over Mobile Device Settings and Click on Connection Settings.
4. Turn off Allow USB Connections
Connect Your Device to USB
1. Plug in the USB cable
Turn On Spoofing / packet capture
1. Install the demo version of USB Monitor Lite (DMS) and Start Device Monitoring Studio.
2. Connect your device which should be in TSoD (Tricolour Screen of Death) boot loader.
3. Click the item entitled "Pocket PC USB Sync" which activates the main screen
4. Double-Click the item entitled "Packet View" in the Session Configuration Screen.
5. Click the Start button in the selected processing region
You'll know you got this right because you will see two packets displayed:
PnP: Device Connected
Internal: Pipe Info Transfer
6. Leave the USB Monitor running
Run up MTTY, Log In and Issue “getdevinfo” Command
For details on downloading MTTY and recovering from the TSoD see this thread: http://forum.xda-developers.com/showthread.php?t=347700
1. In "Open Port Setting" Dialog Set to Port = USB
2. Flow Cont = RTC/CTS
3. Click OK
4. When a new communication page opens press Enter and the Cmd> prompt will be displayed
5. Type password BsaD5SeoA <enter> (a lot of diagnostic info will be displayed).
Somewhere near the end you should see
g_cKeyCardSecurityLevel = FF
Which will tell you that you're CID Locked
Check that USB Monitor is running (you may need to press the "continue 14 day trial" button to get the capture to continue)
6. Type getdevinfo and press <enter>
These commands are case sensitive!
Cmd>getdevinfo
HTCSELF030050œ=Ó HTCE
7. Leave MTTY running
Swap Back to USB Monitor
1. Starting at the last packet in the list, double click each row whose Direction is "Up"
2. The 12th packet from the end of the list when I did mine had the device ID and CID packet shown below.
45 4C 46 30 33 30 30 35 30 00 00 00 00 00 00 00 ELF030050.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
54 2D 4D 4F 42 30 30 35 00 00 00 00 00 00 00 00 T-MOB005........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 -- -- ..............
Copy and paste the text into a text file and keep for future reference as the Device ID and CID ID are useful in determining the right ROM files to use as well as the wrong ones.
To Re-Enable Boot on a Good Device
Unless you tell the device where to boot from it will go back to boot loader every time so you need to re-enable boot from ROM.
These commands are case sensitive!
1. Swap back to MTTY session
2. Type ruurun 0 <enter>
3. Type ResetDevice <enter>
Hope this helps.
Yours
Leon
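As an added example (not Leon's code and not part of any tool in the thread), the Python below rebuilds the bytes from USB Monitor rows like the ones above and splits out the two strings. The 32-byte Device ID / 32-byte CID layout is inferred from the dumps posted in this thread, not documented by the post, so treat it as an assumption.

```python
import re

# Layout assumed from the dumps posted in this thread (not documented by the post):
# a 32-byte NUL-padded device/model ID followed by a 32-byte NUL-padded CID.
ID_LEN = 32
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")

# Constructed sample: the packet rows from Leon's post (T-Mobile Elfin).
SAMPLE_TMOB = """
45 4C 46 30 33 30 30 35 30 00 00 00 00 00 00 00 ELF030050.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
54 2D 4D 4F 42 30 30 35 00 00 00 00 00 00 00 00 T-MOB005........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 -- -- ..............
"""
# Constructed sample: a shorter capture in the same format (the Telus Touch Dual rows in the thread).
SAMPLE_TLS = """
4E 45 4F 4E 34 30 30 30 00 00 00 00 00 00 00 00 NEON4000........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
54 4C 53 30 00 00 00 00 00 00 00 00 00 00 00 00 TLS0............
00 00 00 00 ....
"""


def dump_to_bytes(dump):
    """Rebuild the bytes from USB Monitor's 'hex ... ASCII' rows; '--' marks bytes not captured."""
    out = bytearray()
    for line in dump.strip().splitlines():
        for tok in line.split()[:16]:          # at most 16 bytes per row; the ASCII column follows
            if tok == "--":
                return bytes(out)              # capture ended short; nothing after this is known
            if not HEX_BYTE.match(tok):
                break                          # reached the ASCII column of this row
            out.append(int(tok, 16))
    return bytes(out)


def cstring(field):
    """Decode a NUL-padded ASCII field."""
    return field.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def parse_devinfo(dump):
    """Return (device_id, cid) from a captured getdevinfo reply; short captures are zero-padded."""
    raw = dump_to_bytes(dump).ljust(2 * ID_LEN, b"\x00")
    return cstring(raw[:ID_LEN]), cstring(raw[ID_LEN:2 * ID_LEN])


if __name__ == "__main__":
    for name, dump in (("T-Mobile Elfin", SAMPLE_TMOB), ("Telus Touch Dual", SAMPLE_TLS)):
        dev, cid = parse_devinfo(dump)
        print("%s: Device ID=%s CID=%s" % (name, dev, cid))
```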
Thank you Leon, I'm gonna post a link to this post at the ROM compilation thread (Elf/Elfin Original Roms Model Id & Cid Id List) for the people who want to make a request.
Any time, CyZeek
The work you're doing on ROMs DevIDs and CIDs is very important indeed, glad to help.
Yours
Leon
Thank you
After a long time trying I managed to get the CID!
It worked fine!
Thank you
Question:
Any one knows if a non original rom ends the warranty if the device is malfunctioning?
filiperod said:
After a long time trying I managed to get the CID!
It worked fine!
Thank you
Question:
Any one knows if a non original rom ends the warranty if the device is malfunctioning?
Yes, it's against warranty terms. But if you are using a cooked ROM and need service from HTC, just reflash with your original ROM and no prob.
g_cKeyCardSecurityLevel = o
what does it mean?
...
5. Type password BsaD5SeoA <enter> (a lot of diagnostic info will be displayed).
Somewhere near the end you should see
g_cKeyCardSecurityLevel = FF
Which will tell you that you're CID Locked
Check that USB Monitor is running (you may need to press the "continue 14 day trial" button to get the capture to continue)
...
no - in that case nothing happens, when I try to type in "getdevinfo" and execute - system tells me - "wrong password".
what can I try to do?
Just in case you misunderstood...
5.Type:> password BsaD5SeoA <=Don't copy/paste from here!
Press:> [ENTER]
...
...
& go on with Leon's process.
Regards!
Did everything as stated, however no success.... each UP line basically has only stuff similar to this written in it....
000079: Bulk or Interrupt Transfer (UP), 04.06.2008 18:34:21.699 +0.001. Status: 0x00000000
Pipe Handle: 0x846006ec (Endpoint Address: 0x82)
Get 0x1 bytes from the device
Dude you Rock
leondaphillips
you rock so hard that i feel the love here in Dunedin New Zealand
after harting round for days with Vista drivers and all the random **** life (and computers) throws at you, my phone now hits me with: I have achieved CID-knowing bliss thanks to this thread. Here's the sweet code:
45 4C 46 30 31 30 30 30 30 00 00 00 00 00 00 00 ELF010000.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
44 4F 50 4F 44 30 30 31 00 00 00 00 00 00 00 00 DOPOD001........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............
Phone is a GSM Vodafone Touch from Singapore. Thanks mate, keep the how-tos coming.
Thank you very much, it's a good way.
leondaphillips said:
Hi Everyone
I'm posting this to help out CyZeek.
4. When a new communication page opens press Enter and the Cmd> prompt will be displayed
5. Type password BsaD5SeoA <enter> (a lot of diagnostic info will be displayed).
Somewhere near the end you should see
g_cKeyCardSecurityLevel = FF
Which will tell you that you're CID Locked
Mine is FF, CID locked?
These commands are case sensitive!
Cmd>getdevinfo
HTCSELF030050œ=Ó HTCE
Cmd>getdevinfo
HTCSELF010050gUH¥HTCE
Cmd>
2. The 12th packet from the end of the list when I did mine had the device ID and CID packet shown below.
45 4C 46 30 33 30 30 35 30 00 00 00 00 00 00 00 ELF030050.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
54 2D 4D 4F 42 30 30 35 00 00 00 00 00 00 00 00 T-MOB005........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 -- -- ..............
Copy and paste the text into a text file and keep for future reference as the Device ID and CID ID are useful in determining the right ROM files to use as well as the wrong ones.
Mine at the 12th packet too
45 4C 46 30 31 30 30 35 30 00 00 00 00 00 00 00 ELF010050.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
48 54 43 5F 5F 45 31 31 00 00 00 00 00 00 00 00 HTC__E11........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............
leondaphillips
you are a genius, it worked, a million thanks. I tried other way with MTTY, snoopypro & Hexer loads of times without success & I'd given up hope!
thanks .....
good job
elf0100050
bstar502
anyone have it
where can I find rom
Where can i find rom for htc p3450 elfin
ELF010050
HTC__001
leondaphillips said: [Leon's full procedure, quoted above]
I've followed your instructions and got the FF (CID locked) data.
I've tried everything but cannot make the gold card, with or without USB.
Hi
I have an S621 in 3 colour mode, not reset and open with CID lock.
I have done all but I can not see my CID and ID.
My MTTY looks like this; what is wrong?
Thank you.
Code:
Cmd>password BsaD5SeoA
Pass.
+ SD Controller init
- SD Controller init
+StorageInit
SDInit+++
SDCmd1 Command response time-out. MMC_STAT = 80
SDCmd1 Command response time-out. MMC_STAT = 80
SDCmd1 Command response time-out. MMC_STAT = 80
SDCmd55 Command response time-out. MMC_STAT = 80
SDCmd55 Command response time-out. MMC_STAT = 80
SDCmd55 Command response time-out. MMC_STAT = 80
CMD55 failed
+ SD Controller init
- SD Controller init
+StorageInit
SDInit+++
SDCmd1 Command response time-out. MMC_STAT = 80
SDCmd1 Command response time-out. MMC_STAT = 80
SDCmd1 Command response time-out. MMC_STAT = 80
SDCmd55 Command response time-out. MMC_STAT = 80
SDCmd55 Command response time-out. MMC_STAT = 80
SDCmd55 Command response time-out. MMC_STAT = 80
CMD55 failed
g_cKeyCardSecurityLevel = FF
Type (0x1)(Operation mode flag): cOpModeFlag=(0x0).
Type (0x2)(Back color flag): cBackColorShowFlag=(0x1).
Type (0x5)(Background color value): g_wBColor=(0xC618) (0xC0C0C0).
HTCST
Thank you OP. I used your method and found the Device ID and CID of Telus HTC Touch Dual (Neon400, Canada). See below:
4E 45 4F 4E 34 30 30 30 00 00 00 00 00 00 00 00 NEON4000........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
54 4C 53 30 00 00 00 00 00 00 00 00 00 00 00 00 TLS0............
00 00 00 00 ....
Hello, I can't find the device ID and CID, can anyone help me? See the log; also Device Monitoring gives CID 000000000............
HTCST
Cmd>getdevinfo
GetDeviceCID: Error - InitDecoder
HTCSXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXh{Â&HTCE
Cmd>
leondaphillips said: [Leon's full procedure, quoted above]

Step by step procedure to change Pagepool of universal

Hi
I have created the attached Word document with images on how to change the page pool, along with the tools required.
None of these tools are created by me and due respect and thanks to the creators of these tools.
Hope this is useful and request someone to upload to wiki site in html format
I am a newbie any modifications, suggestions let me know
Regards
rbalu72 said:
Hi
I have created the attached Word document with images on how to change the page pool, along with the tools required.
None of these tools are created by me and due respect and thanks to the creators of these tools.
Hope this is useful and request someone to upload to wiki site in html format
I am a newbie any modifications, suggestions let me know
Regards
NOPE!!!
The value must be reversed!
Example:
0x223500 - FF FF FF FF 00 00 00 00
Thanks Master Tomal for correction.
If I modify the document as below, would it convey the correct message?
In the attached screen, the values in the blue rectangle should be changed as below:
00 00 60 00 00 00 00 00 For 6MB Pagepool
00 00 56 00 00 00 00 00 For 5.6MB Pagepool
00 00 80 00 00 00 00 00 For 8MB Pagepool
FF FF FF FF 00 00 00 00 for 128MB devices
Attached is the revised document.
Let me know if there are any further modifications/suggestions..
Many thanks for your guidance.
Why can't I download it??
PagePool changer
Thanks for the instructions!
I wrote a little utility which helps to modify the NK.FAT file.
Place PPSET.EXE in the same directory as the NK.FAT file and just run it. When the 64B0... signature is found, the new settings can be selected.
The original NK.FAT is saved as NK.BAK.

[TUT] ULDR Removal for Elf/Elfins [ONLINE]

So guys, in this post I'll show you how to remove the ULDR partition from our ROMs to gain 3 MBs of space that was wasted in all of our earlier ROMs. But first, *SPECIAL* thanks to cmonex for helping me with this.
Requirements:
1. A HEX editor
2. os.nb.payload (the one inside \ROM folder)
I've used the payload from our latest WM 6.1 ROM, so my base payload over here is the 3.07.720.3 ROM. The removal of ULDR requires you to edit the MBR (master boot record) and MSFLSH50 regions in the payload. So be careful while editing, otherwise there would be problems in cooking or the device won't boot.
So, take HEX editor of your choice and open the payload. The MBR starts at offset 0x0 and ends at 0x1FF. You don't need to worry about whole of the MBR, just take a look at the following HEX strings:
Code:
000001b0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02
000001c0h: 01 00 20 7F 01 30 02 00 00 00 7E 18 00 00 00 00
000001d0h: 01 31 23 7F 01 65 80 18 00 00 80 1A 00 00 00 00
000001e0h: 01 66 25 7F 81 DF 00 33 00 00 00 3D 03 00 00 00
000001f0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA
(Highlighted in the original post: the three 16-byte entries at 0x1BE-0x1CD, 0x1CE-0x1DD and 0x1DE-0x1ED.)
These 3 strings are actually 3 partitions, the first one is ULDR, 2nd one is XIP and 3rd one IMGFS. Now take a look at the following:
Code:
00000200h: 4D 53 46 4C 53 48 35 30 00 00 00 00 38 00 00 00
00000210h: 00 00 00 00 00 00 00 00 00 00 00 00 66 00 00 00
00000220h: 80 00 00 00 00 00 01 00 00 00 00 00 01 00 00 00
00000230h: 00 00 00 00 00 00 00 00 7A 06 00 00 80 00 00 00
00000240h: 00 00 01 00 00 00 00 00 FF FF FF FF FF FF FF FF
(Highlighted in the original post: the byte 66 at offset 0x21C.)
This is the MSFLSH50 region and the marked offset shows the logical block of the IMGFS start. So, in order to remove the ULDR, we have to edit the MBR and MSFLSH50 regions in the marked areas.
The ULDR partition starts at offset 0x400 and ends at 0x30FFFF (XIP starts at 0x310000 in the shipped ROM for Elfins). Delete all the HEX bytes from 0x400 up to 0x30FFFF. Deletion of ULDR means the start of the logical blocks of XIP and IMGFS will move up. So the XIP will start at 0x400 instead of ULDR and IMGFS will start at 0x350000. Now you need to edit the MBR and MSFLSH50 regions to adjust for the new XIP and IMGFS start offsets. So using your HEX editor, change the MBR and MSFLSH50 regions as shown below:
Code:
000001b0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02
000001c0h: 01 31 23 7F 01 65 02 00 00 00 7E 1A 00 00 00 00
000001d0h: 01 66 25 7F 81 DF 80 1A 00 00 00 3D 03 00 00 00
000001e0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000001f0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA
(Highlighted in the original post: the entries at 0x1BE-0x1CD and 0x1CE-0x1DD, and the zeroed former third entry at 0x1DE-0x1ED.)
Code:
00000200h: 4D 53 46 4C 53 48 35 30 00 00 00 00 38 00 00 00
00000210h: 00 00 00 00 00 00 00 00 00 00 00 00 35 00 00 00
00000220h: 80 00 00 00 00 00 01 00 00 00 00 00 01 00 00 00
00000230h: 00 00 00 00 00 00 00 00 7A 06 00 00 80 00 00 00
00000240h: 00 00 01 00 00 00 00 00 FF FF FF FF FF FF FF FF
(Highlighted in the original post: the byte 35 at offset 0x21C.)
Save the new os.nb.payload and copy it into the \ROM folder of your kitchen, replacing the original os.nb.payload. From now on use this payload as your template for cooking ROMs. Since the XIP and IMGFS start offsets have changed, we need to make a few adjustments to the kitchen (Hybrid, Ervius' or bepe's kitchen) also. Note the following command in the CreateROM.bat file inside the \Tools folder:
Code:
..\TOOLS\insert -i ..\ROM\out.bin -o OS.nb.payload -d 0x00310000 -s 0x00350000
This command inserts the new XIP (named out.bin) into the payload. Add REM before this command because insert.exe can't insert the xip at 0x400 for some reason. So there are 2 workarounds for this problem:
1. Use XIPPort.exe to insert the out.bin (created inside ROM folder) at 0x400
OR​2. Use msflshtool.exe to insert the out.bin. For using this method, copy the msflshtool.exe to your \Tools folder and add the following command in your CreateROM.bat file in place of "insert.exe ..." command.
Code:
..\TOOLS\msflshtool OS.nb.payload -r ..\ROM\out.bin -p 0
After this step, you are ready to cook your new ROM with extra space of 3 MBs . Happy cooking
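As an added worked example (not from the post or any kitchen tool), the Python below parses the MBR partition entries and the marked MSFLSH50 byte from the hex shown above and cross-checks them: each partition must start where the previous one ends, and the IMGFS start in the MBR must equal the MSFLSH50 logical block times the block size. The 512-byte sector and 0x10000-byte logical block sizes are assumptions inferred from the post's own numbers (LBA 2 = 0x400, block 0x66 = 0x660000); the sample bytes are constructed from the dumps in the post.

```python
"""Parse and cross-check the MBR partition table and MSFLSH50 header of a
Windows Mobile os.nb.payload, using the byte layout shown in the post."""
import struct

SECTOR = 0x200    # assumption from the post: ULDR at LBA 2 sits at byte 0x400, so 1 LBA = 512 bytes
BLOCK = 0x10000   # assumption from the post: MSFLSH50 block 0x66 <-> IMGFS at 0x660000
PART_TABLE = 0x1BE            # four 16-byte MBR entries, ending at the 55 AA signature
IMGFS_BLOCK_OFF = 0x21C       # the byte the post marks in the MSFLSH50 region (0x66 -> 0x35)
PART_NAMES = {0x20: "ULDR", 0x23: "XIP", 0x25: "IMGFS"}  # type bytes as seen in the dumps

# Sample input constructed from the hex dumps in the post: bytes 0x1B0-0x1FF (MBR tail)
# and 0x200-0x24F (MSFLSH50); everything before 0x1B0 is zero in these dumps.
ORIG_MBR_TAIL = """
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02
01 00 20 7F 01 30 02 00 00 00 7E 18 00 00 00 00
01 31 23 7F 01 65 80 18 00 00 80 1A 00 00 00 00
01 66 25 7F 81 DF 00 33 00 00 00 3D 03 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA"""
NEW_MBR_TAIL = """
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02
01 31 23 7F 01 65 02 00 00 00 7E 1A 00 00 00 00
01 66 25 7F 81 DF 80 1A 00 00 00 3D 03 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA"""
MSFLSH50 = """
4D 53 46 4C 53 48 35 30 00 00 00 00 38 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 66 00 00 00
80 00 00 00 00 00 01 00 00 00 00 00 01 00 00 00
00 00 00 00 00 00 00 00 7A 06 00 00 80 00 00 00
00 00 01 00 00 00 00 00 FF FF FF FF FF FF FF FF"""


def build_header(mbr_tail_hex, msflsh_hex, imgfs_block=None):
    """Assemble bytes 0x000-0x24F; optionally overwrite the IMGFS block field as the post does."""
    img = bytearray(0x1B0) + bytes.fromhex(mbr_tail_hex) + bytes.fromhex(msflsh_hex)
    if imgfs_block is not None:
        struct.pack_into("<I", img, IMGFS_BLOCK_OFF, imgfs_block)
    return bytes(img)


ORIG = build_header(ORIG_MBR_TAIL, MSFLSH50)          # shipped layout
NEW = build_header(NEW_MBR_TAIL, MSFLSH50, 0x35)      # ULDR removed, block 0x66 -> 0x35


def parse_partitions(image):
    """Decode each used MBR entry: boot flag, CHS start, type, CHS end, LBA start, sector count."""
    if image[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 55 AA MBR signature")
    parts = []
    for i in range(4):
        entry = image[PART_TABLE + 16 * i:PART_TABLE + 16 * (i + 1)]
        ptype = entry[4]
        if ptype == 0:
            continue                      # empty slot
        lba, count = struct.unpack_from("<II", entry, 8)
        parts.append({"name": PART_NAMES.get(ptype, hex(ptype)), "type": ptype,
                      "lba": lba, "sectors": count,
                      "start": lba * SECTOR, "end": (lba + count) * SECTOR})
    return parts


def imgfs_block(image):
    """Logical block of the IMGFS start as recorded in the MSFLSH50 header."""
    return struct.unpack_from("<I", image, IMGFS_BLOCK_OFF)[0]


def check_consistency(image):
    """Return a list of problems; empty means the MBR and MSFLSH50 agree with each other."""
    problems = []
    parts = parse_partitions(image)
    if parts and parts[0]["lba"] != 2:
        problems.append("first partition starts at LBA %d, expected 2 (byte 0x400)" % parts[0]["lba"])
    for prev, cur in zip(parts, parts[1:]):
        if cur["start"] != prev["end"]:
            problems.append("%s starts at %#x but %s ends at %#x"
                            % (cur["name"], cur["start"], prev["name"], prev["end"]))
    imgfs = [p for p in parts if p["type"] == 0x25]
    if imgfs and imgfs[0]["start"] != imgfs_block(image) * BLOCK:
        problems.append("MSFLSH50 block %#x (%#x) disagrees with MBR IMGFS start %#x"
                        % (imgfs_block(image), imgfs_block(image) * BLOCK, imgfs[0]["start"]))
    return problems


def removal_summary(orig, new):
    """Compare where the data lands after cutting the ULDR bytes with what the new table declares."""
    o = {p["type"]: p for p in parse_partitions(orig)}
    n = {p["type"]: p for p in parse_partitions(new)}
    removed = o[0x20]["end"] - o[0x20]["start"]           # bytes 0x400..0x30FFFF in the post
    return {"bytes_removed": removed,
            "imgfs_after_plain_cut": o[0x25]["start"] - removed,
            "imgfs_declared_new": n[0x25]["start"],
            "xip_sectors_old": o[0x23]["sectors"],
            "xip_sectors_new": n[0x23]["sectors"]}


if __name__ == "__main__":
    for label, img in (("original", ORIG), ("ULDR removed", NEW)):
        print(label, [(p["name"], hex(p["start"]), hex(p["end"])) for p in parse_partitions(img)],
              "problems:", check_consistency(img) or "none")
    print({k: hex(v) for k, v in removal_summary(ORIG, NEW).items()})
```

removal_summary also shows that a plain cut of 0x400-0x30FFFF (0x30FC00 bytes) lands the IMGFS data at 0x350400, while the new table declares 0x350000 with an XIP entry two sectors (0x400 bytes) shorter than the original, which is worth checking against your own payload before flashing.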
Hex Screenshots
This is like a scratch note, an easily accessed "guide".
Its purpose is to help everyone understand what the numbers (bytes) are that we are editing according to AMAN's guide for ULDR Removal.
As the title says it is a "hex view" at the latest Official Elfin 3.10.710.00 ROM
to figure out how all those hex-strings are related
and
to be able to change them, knowing what is going on!
Regards!
ababrekar said:
Awesome job brother . Hoping to see this kind of documentation for Diamonds too very soon
i would love to, but then u need to send me your Diamond for testing purposes
htctouchp said:
i would love to, but then u need to send me your Diamond for testing purposes
Promise me you will also tell me about those imgfs values for the xip playing guide and i'll send it right now
ababrekar said:
Promise me you will also tell me about those imgfs values for the xip playing guide and i'll send it right now
yeah i promise once i get the ULDR removed from ur diamond , i'll tell u about the imgfs values also
Yes! ULDR Removal for Elf/Elfins - Work!!!
htctouchp,
Thank you very much!!!
vadyarik said:
Yes! ULDR Removal for Elf/Elfins - Work!!!
htctouchp,
Thank you very much!!!
welcome
Good work!!
htctouchp said:
After this step, you are ready to cook your new ROM with extra space of 3 MBs . Happy cooking
Whaaaou!
GOOD WORK.
htctouchp said:
After this step, you are ready to cook your new ROM with extra space of 3 MBs . Happy cooking
Thanks for this, that's so great! I managed to get 74.9 Mb free storage on my Elf with a cleaned ROM.
A little addon to your great tutorial: If you have the last hybrid with the pagepool patch at the end, comment it or modify the offsets to match the new ones. My first flash was stuck on mobility screen because of this (or was it bad luck ?).
letama said:
A little addon to your great tutorial: If you have the last hybrid with the pagepool patch at the end, comment it or modify the offsets to match the new ones.
sorry, i didn't get it
Thanx for this new finding Aman!
It's great!
I noticed that after this ULDR removal, there is only one address where we find the pp pattern (03 15 A0 ...)!
Is it normal or did I mess it up?
htctouchp said:
sorry, i didn't get it
The offsets for the pp have been changed, so the script I wrote for the 2.2 ROM was aiming at (& hex-editing) the wrong offsets, resulting in a non-bootable ROM.
Regards!
kokotas said:
Thanx for this new finding Aman!
It's great!
I noticed that after this ULDR removal, there is only one address where we find the pp pattern (03 15 A0 ...)!
Is it normal or did I mess it up?
yes, it's perfectly normal. if u check the PP offsets of the original payload of any ROM, the first HEX string is in the region of ULDR and the 2nd in the region of the XIP. So obviously u can see only one HEX string now. And as i said in the PP changer thread a few days ago, only the 2nd HEX string is responsible for the PP change, so even if u don't remove the ULDR, u don't have to edit the 1st HEX string.
The offsets for the pp have been changed, so the script I wrote for the 2.2 Rom was aiming(&hexediting) the wrong offsets, resulting in a non-bootable rom..
ok, now i get it.
htctouchp said:
yes, it's perfectly normal. if u check the PP offsets of the original payload of any ROM, the first HEX string is in the region of ULDR and the 2nd in the region of the XIP. So obviously u can see only one HEX string now. And as i said in the PP changer thread a few days ago, only the 2nd HEX string is responsible for the PP change, so even if u don't remove the ULDR, u don't have to edit the 1st HEX string.
ok, now i get it.
Can you guys give the PP offset for a 2.2 ULDR ROM, as well as a 3.xx ULDR ROM? I'll need to add more checks for the Universal PP changer.
htctouchp said:
yes, its perfectly normal. if u check the PP offsets of the original payload of any ROM, the first HEX string is in the region of ULDR and the 2nd in the region of the XIP. So obviously u can see only one HEX string now. And as i said in PP changer thread a few days ago that only 2nd HEX string is responsible for the PP change, so even if u don't remove the ULDR, u don't have to edit the 1st HEX string.
Found it:
htctouchp said:
will have to change again, coz the 1st HEX string is going to disappear forever
lol
It sounds like you did some magic...hehe
Question:
When I followed your instructions and reached to the point of deleting ULDR section, imgfs start offset was 0x350400
and I had to delete some "FF" above to make that 0x350000.
Have you any idea about what went wrong?
kokotas said:
Question:
When I followed your instructions and reached to the point of deleting ULDR section, imgfs start offset was 0x350400
and I had to delete some "FF" above to make that 0x350000.
Have you any idea about what went wrong?
0x350400 ? impossible....u must have missed something...try again.
dsixda said:
Can you guys give the PP offset for a 2.2 ULDR ROM, as wel as a 3.xx ULDR ROM? I'll need to add more checks for the Universal PP changer
for the 3.XX based nk.exe ULDR removed ROM, the offset is 0x45210. didn't check the 2.XX ROM though.
htctouchp said:
for the 3.XX based nk.exe ULDR removed ROM, the offset is 0x45210. didn't check the 2.XX ROM though.
Ok, the Universal PP Changer has been updated and tested with your ULDR hack. All 3.xx ROMs are now supported. I haven't been able to check on 2.xx ROMs without ULDR, however.
Thanks htctouchp!!!!
dsixda said:
Ok, the Universal PP Changer has been updated and tested with your ULDR hack. All 3.xx ROMs are now supported. I haven't been able to check on 2.xx ROMs without ULDR, however.
Thanks htctouchp!!!!
welcome!!
i think we don't need to work with 2.2X ROMs now. all the ROMs from now onwards are going to be based on 3.3X ROMs anyway.
All I'm hoping at the moment is that I removed the bytes correctly.
"Delete all the HEX bytes from 0x400 upto 0x30FFFF"
I took that as starting from the beginning of 400 to the end of 30ffff.
Not directly my favourite stuff to do, but what is there to lose?
Well, if it boots it works. (Should have noted storage before, but it looks better.)

Boot from SD Card

On page 67 of the Service Manual, it mentions "Turn the device power off and insert Diagnostic SD card. Press and hold Capture button, then press Power button to enter Diagnostic mode."
I'm thinking that the camera + power button will make the G1 boot off the SD Card.. this may be a way to run a hacked rev 30 on a locked rev 30 phone...
I will try some stuff tonight...
-Nikropht
That does seem interesting... I'm going to try to flash JF's img after it finishes downloading... I'll post results... along with my attempt to flash a signed RC29 update... cross your fingers I don't brick the damned phone.
The Artemis device had this so-called "Diagnostic SD" mentioned. I'm assuming therefore we could possibly create one and flash our device with whatever firmware, akin to the "Pandora Battery" for PSP.
Worth exploring, but difficult to pull off without bricking... If it is possible to flash a signed RC30 at any point using the current SD method, then at least we know we cannot brick the phone.
the SPL bootloader (engineering and original) look for NBH files on the SD card.
DREADIAG.nbh
and
DREAIMG.nbh
As you can see, their purpose is clear. One is for booting diagnostics and the other is for flashing the firmware.
^^^so are you saying flashing DREAIMG.nbh is possible with this method?
damien667 said:
the SPL bootloader (engineering and original) look for NBH files on the SD card.
DREADIAG.nbh
and
DREAIMG.nbh
As you can see, their purpose is clear. One is for booting diagnostics and the other is for flashing the firmware.
So could we create a dreadiag.nbh from RC29?
Yes indeedy. However, we don't know the format of said nbh files. We're working on it still.
richbayliss said:
The Artemis device had this so-called "Diagnostic SD" mentioned. I'm assuming therefore we could possibly create one and flash our device with whatever firmware, akin to the "Pandora Battery" for PSP.
Worth exploring, but difficult to pull off without bricking... If it is possible to flash a signed RC30 at any point using the current SD method, then at least we know we cannot brick the phone.
It's possible to flash update.zip, so we won't brick the phone... the issue is that each update checks for something on the one previously installed... like mentioned in one of my other posts, it's an endless loop... we can change what it looks for but then lose the signature...
Can we not use the info here
http://wiki.xda-developers.com/index.php?pagename=Hermes_NBH
To go the other way!?
richbayliss said:
Can we not use the info here
http://wiki.xda-developers.com/index.php?pagename=Hermes_NBH
To go the other way!?
Ok... has anyone tried to extract DREAIMG.NBH just to see how it's formatted or structured??? If so we could compare it to the data listed for the Hermes NBH format just to compare differences (if any) to see how closely they match... just a thought.
If I could get a copy of the file I would give it a whirl... but cannot find it anywhere.
Guys,
NBH files are a proprietary format. They are like the update.zip, but different. We don't know how, as this is embedded into the SPL code that is all in binary format at the time (it's not been disassembled). No one except HTC and/or T-Mo will have these original files anyway. This means we're going to have to build one from scratch with reverse engineering of the spl (at least that's what it looks like as of now). That being said, there is no NBH file that is "found" on any file system of the G1. The NBH file contains files within itself that are flashed onto the NAND flash of the phone, like update.zip. The difference is that NBH files are not signed (that we know of yet), and the format in which they have to be assembled.
richbayliss said:
If I could get a copy of the file I would give it a whirl... but cannot find it anywhere.
I can't find it either.... it's out there though... too many people have posted their experiments with it... if anyone has it or knows where it is located please post... thanks...
DREAIMG.nbh is nowhere. People are just creating empty files with that filename to see what the bootloader will do.
damien667 said:
DREAIMG.nbh is nowhere. People are just creating empty files with that filename to see what the bootloader will do.
Yup. Well to be correct there are probably true DREAIMG.NBH files somewhere out there (at a htc repair center most likely), but they have not yet made their way into the hands of the hacking community.
True.
I would risk messing if there was an update.zip of the OTA RC30 as is now. So I could rescue myself.
Looking at the WinMo phones, they have NBH for a few devices, and it is common for all of them to put the OS partition at header 0x0400, even on the latest Diamond device. So I would risk trying a file with this IF I knew I wouldn't be bricking for life.
richbayliss said:
True.
I would risk messing if there was an update.zip of the OTA RC30 as is now. So I could rescue myself.
Looking at the WinMo phones, they have NBH for a few devices, and it is common for all of them to put the OS partition at header 0x0400, even on the latest Diamond device. So I would risk trying a file with this IF I knew I wouldn't be bricking for life.
There is an official RC30 update.zip out... however it does not seem to alter the OS... I re-flashed my RC30 with it and I didn't have to re-log into Google and nothing was missing... all of my text messages were even intact.
When you flash with update.zip, it does not affect the data partition (where all your settings and installed apps are located). It only changes radio, system, and boot partitions.
Format of DREAIMG.nbh:
0x200 bytes header,
then N images one by one(radio, hboot, recovery, boot, splash, sysfs, userfs)
header:
000: 48 00 00 00 54 00 00 00 43 00 00 00 49 00 00 00 │H...T...C...I...
010: 4D 00 00 00 41 00 00 00 47 00 00 00 45 00 00 00 │M...A...G...E...
020: 44 52 45 41 31 30 30 30 30 00 00 00 00 00 00 00 │DREA10000.......
030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 │................
seems like simple "magic"
+0x40: 32 DD's (dwords) - IMHO type descriptors (type of each image, 00 if not used)
+0xC0: 32 DD's - offset of images
+0x140: 32 DD's - size of each image
+0x1C0: version?
1C0: 31 31 31 31 31 31 31 31 00 00 00 00 00 00 00 00 │11111111........
1D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 │................
1E0: 30 2E 30 35 2E 30 2E 30 00 00 00 00 00 00 00 00 │0.05.0.0........
1F0: 47 65 6E 65 72 69 63 00 00 00 00 00 00 00 00 00 │Generic.........
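As an added example (not code from the thread), here is a parser for the header layout the post above describes: "HTCIMAGE" spread one byte per dword, the device string at 0x20, three tables of 32 dwords (types, offsets, sizes) at 0x40/0xC0/0x140, and the version strings at 0x1C0, with a consistency check over the image table before anything is trusted. The sample file is constructed test data, and it assumes the offsets count from the start of the file (the post does not say).

```python
import struct

HEADER_SIZE = 0x200      # fixed header; the images follow it
OFF_TYPES = 0x40         # 32 dwords: type of each image, 0 if unused
OFF_OFFSETS = 0xC0       # 32 dwords: offset of each image
OFF_SIZES = 0x140        # 32 dwords: size of each image
OFF_VERSION = 0x1C0      # version strings up to the end of the header


def build_sample_nbh(images):
    """Build a constructed NBH-style file: header laid out as in the post,
    followed by the image bodies. `images` is a list of (type, body) pairs.
    Assumption: offsets count from the start of the file."""
    hdr = bytearray(HEADER_SIZE)
    for i, ch in enumerate(b"HTCIMAGE"):      # one ASCII byte, three zero bytes
        hdr[i * 4] = ch
    hdr[0x20:0x29] = b"DREA10000"
    body = bytearray()
    for n, (img_type, data) in enumerate(images):
        struct.pack_into("<I", hdr, OFF_TYPES + 4 * n, img_type)
        struct.pack_into("<I", hdr, OFF_OFFSETS + 4 * n, HEADER_SIZE + len(body))
        struct.pack_into("<I", hdr, OFF_SIZES + 4 * n, len(data))
        body += data
    hdr[0x1C0:0x1C8] = b"11111111"
    hdr[0x1E0:0x1E8] = b"0.05.0.0"
    hdr[0x1F0:0x1F7] = b"Generic"
    return bytes(hdr) + bytes(body)


def parse_nbh_header(blob):
    """Parse the 0x200-byte header and return the non-empty image entries."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("shorter than the 0x200-byte header")
    magic = bytes(blob[i * 4] for i in range(8))
    if magic != b"HTCIMAGE":
        raise ValueError("bad magic %r" % magic)
    device = blob[0x20:0x40].rstrip(b"\0").decode("ascii", "replace")
    types = struct.unpack_from("<32I", blob, OFF_TYPES)
    offsets = struct.unpack_from("<32I", blob, OFF_OFFSETS)
    sizes = struct.unpack_from("<32I", blob, OFF_SIZES)
    images = [(t, o, s) for t, o, s in zip(types, offsets, sizes) if t != 0]
    version = [blob[a:b].rstrip(b"\0").decode("ascii", "replace")
               for a, b in ((0x1C0, 0x1E0), (0x1E0, 0x1F0), (0x1F0, 0x200))]
    return {"device": device, "images": images, "version": version}


def check_image_table(images, file_len):
    """Return a list of problems: regions inside the header, past the end of
    the file, or overlapping one another. Empty list means consistent."""
    problems = []
    seen = []
    for idx, (img_type, off, size) in enumerate(images):
        end = off + size
        if off < HEADER_SIZE:
            problems.append("image %d (type %d) starts inside the header" % (idx, img_type))
        if end > file_len:
            problems.append("image %d (type %d) runs past end of file" % (idx, img_type))
        for j, (o2, e2) in enumerate(seen):
            if off < e2 and o2 < end:
                problems.append("image %d overlaps image %d" % (idx, j))
        seen.append((off, end))
    return problems


if __name__ == "__main__":
    sample = build_sample_nbh([(1, b"R" * 0x100), (2, b"B" * 0x80)])
    info = parse_nbh_header(sample)
    print(info)
    print(check_image_table(info["images"], len(sample)))
```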
Booting from the SD card is probably how you enter the manufacturer's test mode. RE: FACTORY_TEST: "Run as a manufacturer test application, running as the root user." "android.permission.FACTORY_TEST"
http://code.google.com/android/reference/android/Manifest.permission.html

[Q] How do I recover zero'ed IMEI etc

I started working on the phone with the intention of upgrading it to make it faster and unlocking the SIM. The T-Mobile contract has been over for a long while now; they will not unlock it themselves for whatever reason. I committed a faux pas that many on here like to bash on (for good reason): no backup. I was going to after rooting, but I used ODIN to flash the Bali 3.0.2.8 CWM and the screen turned into rainbow static when I tried rebooting, so I continued on to CM7 and then CM9. Worked great, and the SIM asked for an unlock code.
I tried using script methods to unlock it but it kept telling me busybox wasn't installed right, I tried other versions and eventually saw a post saying it was only meant for gingerbread, so I flashed to that. Same problem, couldn't find the file or directory, so I looked myself and discovered there was no bml3 file. Restored a stock gb version with ODIN, the bml3 was 0.00mb. OK, so I looked at the hex code method, opened the nv_data bin and found the 8 digits and put them in. Incorrect, 9 attempts remaining. Tried again in case I mistyped; incorrect, 8 attempts remaining. I read that without an image backup or backup of the original nv_data or md5 I was screwed since the one I had was corrupt/generic/etc. I found one person saying he changed the FF 01 to FF 00 part in hex editor, according to him the SIM would (and mine did) stop asking to unlock. So that was progress. Since the SIM I want to use isn't activated yet I put in an activated AT&T SIM and was able to receive a test call. But the IMEI is still zero'ed out, apparently due to efs corruption.
So I have no efs or nv_data backups. I've been reading on forums how to restore the IMEI (I know it since it's right under the battery), one that can show you what I've been looking into is the article "Backup and Restore Lost IMEI on Samsung Galaxy Devices without Root" (I wrote the title because idk if url posting is allowed). Only problem: that's for the galaxy s3, when I type *#7284# I only have options for UART: PDA and MODEM and the same two options for USB. So I don't know how to use the NV-items_reader_writer tool to copy the corrupt nv_data.bin and rewrite the IMEI in the form it understands to get it back to the original state.
Can anyone help, or just pm others that can? Am I going in the right direction? I know there are lots of forums with similar posts but it's taking a lot of time to read and sort through them all
Try and search for 1-Click Gremlin remover in this forum. Or use Heimdall or Odin to go back to stock it might help.
If, and only if, all fail, try the following tools at your own risk; they are meant for the S3 but Galaxy phones are similar (also make a backup of the efs directory, even if it is corrupted, just in case):
First you have to use the NV generator by putting in your IMEI number and generating a text file that contains hexadecimal numbers for NV data.
Then use the NV writer tool and flash the text file you generated using your IMEI.
I hope it works. Good luck :good:
Edit: Replaced SGS3 NV IMEI with the safer one per FB suggestion
Note that you need the 'nv.txt' to be able to generate hex numbers, otherwise it will crash.
I was able to generate the IMEI text file. The NV writer tool kept saying connected or does not exist depending on which COM I used and whether it was in download mode or not; if it connected I tried writing and it said "phone does not answer". Booted up normally (not download mode), double checked debugging mode was enabled, and I finally got it to connect to one (COM6) and it began writing, with the response:
Writing NV-items from a file:
Unsuccessfully written NV-items:
00550 (0x0226) - Unknown error
Done.
Realized I was on a stock Gingerbread without root again since the stock Froyo flashback booted to the S logo, vibrated, and looped again. Used SuperOneClick to root successfully. Clicked write again, phone does not answer, disconnected and reconnected, clicked write, received the same unsuccessful write message from above. Reading more forums. Can this be placed manually or pushed by adb/terminal? Where in the efs folder or nv_data is this being written?
You can do it manually using hex editor if you know the memory offset, but I don't suggest it. If you wanna try anyway make backup. Sorry I can't think of something else to help you. I only tried this on S2 and S3. My S4G never had imei problems. But I recall that I unlocked it using hex editor by modifying the nv_data. Most likely the imei number is stored in the same file.
Edit: Besides, although it might be illegal to use a phone with an empty IMEI number, think of it as an advantage: the phone still works, receives and sends calls, and the NSA won't be able to track you, nor Google :> The only problem with an empty IMEI is intermittent 4G/3G connection.
Fbis251 had a nifty little app in the Play Store that will unlock for ya.
SGS4G Unlocker, if I recall correctly.
Lol. True. I didn't know about the nv_gen tool though so I did make progress, thanks Rebel_X. I'll see if I can replace the hex formatted IMEI in the nv_data manually. That is where I manually changed 01 to 00 to unlock it.
@champ1919 it is technically unlocked now, an AT&T SIM worked. It's simply that the IMEI is zero'ed out and I've read some carriers don't like this/ data works intermittently as Rebel mentioned.
Once unlocked, always unlocked. Flash stock gb and see if it comes back. That has worked for others.
Holy carp, I fixed it! Manually editing the nv_data.bin works.
I read that line 550 is where the IMEI hex is; when I viewed it in one editor (named HxD) it said line 00005500, so I clicked View > Offset base > Hexadecimal and it turns into 00000550. It's all FF FF FF... no zeros. Replaced it with my original IMEI (remember, future readers, this can't change it to a different one) in hex format calculated from the sgs3_nv_gen tool. The NV-item_reader_writer tool would not push it successfully as noted before. Deleted nv_data.bin and nv_data.bin.bak under efs/root/afs/settings using Root Explorer (directory may be different in ICS and up), placed my version of edited nv_data.bin, rebooted. IMEI restored. Backing this sucker up now...
http://imgur.com/wKO5Cjm
All hex IMEI starts with 08 #A apparently. Rest of personal data is marked out.
Upgraded to CM9. IMEI still correct, SIM still unlocked.
@asmarinian: I am happy for you
asmarinian said:
Holy carp, I fixed it! Manually editing the nv_data.bin works.
I read that line 550 is where the IMEI hex is; when I viewed it in one editor (named HxD) it said line 00005500, so I clicked View > Offset base > Hexadecimal and it turns into 00000550. It's all FF FF FF... no zeros. Replaced it with my original IMEI (remember, future readers, this can't change it to a different one) in hex format calculated from the sgs3_nv_gen tool. The NV-item_reader_writer tool would not push it successfully as noted before. Deleted nv_data.bin and nv_data.bin.bak under efs/root/afs/settings using Root Explorer (directory may be different in ICS and up), placed my version of edited nv_data.bin, rebooted. IMEI restored. Backing this sucker up now...
http://imgur.com/wKO5Cjm
All hex IMEI starts with 08 #A apparently. Rest of personal data is marked out.
I have a few nv_data files from previous SGS4G phones I had and had been wondering what the offset was. I'll have to look into this too since I finally wound up finding the offset to the Unlock code (0x146E).
You can read more about it here:
https://github.com/fbis251/sgs4g-unlock-code-finder
Wouldn't be a bad idea to modify the program to add an IMEI number reader.
Thanks for the information!
---------- Post added at 06:41 PM ---------- Previous post was at 06:15 PM ----------
Rebel_X said:
Try and search for 1-Click Gremlin remover in this forum. Or use Heimdall or Odin to go back to stock it might help.
If and only If, all fail, try the following tools at your own risk, they are meant to S3 but galaxy phones are similar (also make a backup of the efs directory, even if it is corrupted just in case):
First you have to use NV generator by putting your IMEI number and generate a text file contains hexadecimal numbers for NV data.
Then use the NV writer tool and flash the text file you generated using your IMEI.
I hope it works. Good luck :good:
I checked SGS3-IMEI-NV-Gen.exe with VirusTotal and 40/50 antivirus programs flagged it as a virus. I'd be very wary about running this on your computer.
https://www.virustotal.com/en/file/...126102bb576a5d7d7800b049/analysis/1393510440/
FBis251 said:
I checked SGS3-IMEI-NV-Gen.exe with VirusTotal and 40/50 antivirus programs flagged it as a virus. I'd be very wary about running this on your computer.
https://www.virustotal.com/en/file/...126102bb576a5d7d7800b049/analysis/1393510440/
I've had this file for quite a long time; ESET never complained about it. If anything, other AVs report it as most probably a false positive. But nothing prevents you from running it in a sandbox.
asmarinian said:
Holy carp, I fixed it! Manually editing the nv_data.bin works.
I read that line 550 is where the IMEI hex is; when I viewed it in one editor (named HxD) it said line 00005500, so I clicked View > Offset base > Hexadecimal and it turns into 00000550. It's all FF FF FF... no zeros. Replaced it with my original IMEI (remember, future readers, this can't change it to a different one) in hex format calculated from the sgs3_nv_gen tool. The NV-item_reader_writer tool would not push it successfully as noted before. Deleted nv_data.bin and nv_data.bin.bak under efs/root/afs/settings using Root Explorer (directory may be different in ICS and up), placed my version of edited nv_data.bin, rebooted. IMEI restored. Backing this sucker up now...
http://imgur.com/wKO5Cjm
All hex IMEI starts with 08 #A apparently. Rest of personal data is marked out.
Can you please help me with this problem? I'm working on a client's phone and the IMEI turned to all zeros and I can't find a way to fix it. How did you get your IMEI number back?
banziitox24 said:
Can you please help me with this problem? I'm working on a client's phone and the IMEI turned to all zeros and I can't find a way to fix it. How did you get your IMEI number back?
Check on the sticker under the battery, that's where mine was. Just fyi don't post it on here for the world to see. If you find it, write it down or type it in a text editor, then let me know you've got it. I'll write up what I did step by step for you to follow.
asmarinian said:
Check on the sticker under the battery, that's where mine was. Just fyi don't post it on here for the world to see. If you find it, write it down or type it in a text editor, then let me know you've got it. I'll write up what I did step by step for you to follow.
Ok I wrote it down already what's next?
Credit goes out to lots of knowledgeable people all over the internets.
1. Once you know your IMEI you have to rearrange it into hexadecimal format. EXAMPLE: Say your IMEI is 954091051099226, break it up into two digit groupings. The start of an IMEI is always 08, and your first number will be followed by an 'A'. Each subsequent group of two digits is then reversed. The example IMEI in hexadecimal will be 08 9A 45 90 01 15 90 29 62.
2. Using a root explorer, go to efs/root/afs/settings and copy nv_data.bin to your computer for editing.
3. Download and install a hex editor. I used HxD and found it easiest to use. The link from cnet is http://download.cnet.com/HxD-Hex-Editor/3000-2352-10891068.html
4. Open nv_data.bin in HxD. On the top menu toolbar click view>offset base>hexadecimal. Scroll down through the file until you find offset 550, which will appear as 00000550. Type your IMEI in hexadecimal format into this line, overwriting the FF's. Fill in the remaining FF's in the line with zeros. Using the example IMEI, this would appear as [08 9A 45 90 01 15 90 29 62 00 00 00 00 00 00 00]. Fill in 7 lines of FF's below the line with your IMEI with all zeros. It should now appear like this:
08 9A 45 90 01 15 90 29 62 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Save the file. Make a copy on your phone storage.
5. Navigate back to efs/root/afs/settings and delete the existing nv_data.bin and nv_data.bin.bak.
6. Copy your modified nv_data.bin into efs/root/afs/settings.
7. Reboot and check under phone information if your IMEI has been reset.
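As an added example (not code from the thread), the hex rearrangement from step 1 and the 0x550 block from step 4, turned into encode/decode helpers plus a check-digit test, so a backup of nv_data.bin can be verified before anything is written back. The layout is the one the post describes (0x08 length byte, first digit with an A nibble, then swapped digit pairs), which is the nibble-swapped BCD form GSM signalling uses for mobile identities; the nv image here is constructed test data, and 0x550 is the offset the post gives.

```python
IMEI_OFFSET = 0x550     # offset the post gives for nv_data.bin (NV item 550)
IMEI_LEN = 15
BLOCK_LEN = 0x80        # the IMEI line plus the seven all-zero lines below it


def luhn_valid(digits):
    """Check the IMEI check digit: Luhn algorithm over all 15 digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def encode_imei(imei):
    """15 decimal digits -> the 9-byte form used in the post: 0x08, then
    digit 1 in the high nibble over 0xA, then each digit pair swapped."""
    if len(imei) != IMEI_LEN or not imei.isdigit():
        raise ValueError("IMEI must be 15 decimal digits")
    out = bytearray([0x08, (int(imei[0]) << 4) | 0x0A])
    for i in range(1, IMEI_LEN, 2):
        lo, hi = int(imei[i]), int(imei[i + 1])
        out.append((hi << 4) | lo)
    return bytes(out)


def decode_imei(block):
    """Inverse of encode_imei; raises if the bytes are not in that form."""
    if len(block) < 9 or block[0] != 0x08 or (block[1] & 0x0F) != 0x0A:
        raise ValueError("not an IMEI block")
    digits = [str(block[1] >> 4)]
    for b in block[2:9]:
        digits.append(str(b & 0x0F))
        digits.append(str(b >> 4))
    return "".join(digits)


def read_imei_from_nv(nv):
    """Read the IMEI stored at 0x550 of an nv_data.bin image.
    Returns (imei, check_digit_ok); raises if the slot is erased (all 0xFF)."""
    block = nv[IMEI_OFFSET:IMEI_OFFSET + 9]
    if block == b"\xff" * 9:
        raise ValueError("IMEI slot is erased")
    imei = decode_imei(block)
    return imei, luhn_valid(imei)


def build_sample_nv(imei=None):
    """Constructed stand-in for nv_data.bin: 0x1000 bytes of 0xFF, with the
    0x80-byte region at 0x550 zeroed and the IMEI block written as in step 4."""
    nv = bytearray(b"\xff" * 0x1000)
    if imei is not None:
        nv[IMEI_OFFSET:IMEI_OFFSET + BLOCK_LEN] = b"\0" * BLOCK_LEN
        nv[IMEI_OFFSET:IMEI_OFFSET + 9] = encode_imei(imei)
    return bytes(nv)


if __name__ == "__main__":
    # The post's example IMEI round-trips, but its check digit does not pass Luhn.
    print(encode_imei("954091051099226").hex(" "))
    print(read_imei_from_nv(build_sample_nv("954091051099226")))
```

The post's example IMEI reproduces the bytes shown in step 1 exactly, but it fails the Luhn check digit, which is why a sanity check like this belongs before the delete-and-replace in steps 5 and 6.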
Rebel_X said:
I have this file for quite for a long time, ESET never complained about it. If anything, other AV reports it as most probably a false positive. But nothing prevents you from running it in a sand box.
I wound up running the program in a sandbox.
The file you uploaded attempts to run a .bat file in a temp directory by calling cmd.exe to run it.
The bat file
Code:
@echo off
set ztmp=C:\Users\<USERNAME>\AppData\Local\Temp\ztmp
set MYFILES=C:\Users\<USERNAME>\AppData\Local\Temp\afolder
set bfcec=t17061.exe
attrib +h C:\Users\<USERNAME>\AppData\Local\Temp\ztmp
@echo off
CLS
cd %MYFILES%
"SGS3 IMEI.exe"
CLS
The EXE file created along with the .bat file is actually an ASCII file which contains the following text
Code:
RCHELICOPTERFTW
It also creates a new folder under
C:\Users\<USERNAME>\AppData\Local\Temp\afolder
which contains the SGS3 IMEI.exe program and a text file which contains:
Code:
[NV items]
[Complete items - 1, Items size - 128]
00550 (0x0226) - OK
XX XX XX XX XX XX XX XX XX 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
When I ran THAT exe through virustotal I got these results, which DO seem like false positives, unlike the EXE you uploaded which triggered 80% of the virus scanners, this one only triggers 2/45.
https://www.virustotal.com/en/file/...f7c17482773d478539e99148/analysis/1377777759/
I guess I can send the SGS3 IMEI.exe file to you so you can post a link to that one instead?
FBis251 said:
I guess I can send the SGS3 IMEI.exe file to you so you can post a link to that one instead?
It's easier/faster than the manual method. I'm sure some people just get spooked by false positives, so I wanted the manual method for turning their IMEI into hexadecimal format laid out. I just ignored the false positive on mine since I know a lot of exe's and bat's that edit files get flagged more often. I do appreciate having someone who knows what they're doing analyzing it in sandbox mode though, thanks!
FBis251 said:
I have a few nv_data files from previous SGS4G phones I had and had been wondering what the offset was. I'll have to look into this too since I finally wound up finding the offset to the Unlock code (0x146E).
You can read more about it here:
https://github.com/fbis251/sgs4g-unlock-code-finder
Wouldn't be a bad idea to modify the program to add an IMEI number reader.
Thanks for the information!
---------- Post added at 06:41 PM ---------- Previous post was at 06:15 PM ----------
I checked SGS3-IMEI-NV-Gen.exe with VirusTotal and 40/50 antivirus programs flagged it as a virus. I'd be very wary about running this on your computer.
https://www.virustotal.com/en/file/...126102bb576a5d7d7800b049/analysis/1393510440/
If I actually knew more about what I was doing I probably would have set the com ports up properly and just used qpst the right way or the nv-item rw program. 550 appears to be an offset used in at least some other models and brands, could be whichever contain the ability to use the qualcomm tool. I'm sure they all exist in company documentation and manuals. Being only a user, and not even a programmer at that, I don't have the knowledge or means to reliably find certain information and first hand sources very often. That said if you download and install the qpst tool (I searched for QPST v2.7.378.zip), open RF NV Manager 1.4.32, click Option>Customized NV Item List you will see every offset value and what they are for.
Also, I glanced over the last sentence about the false positive too quickly, if you want to upload the edited version without the false positive trigger that'd be great!
asmarinian said:
Credit goes out to lots of knowledgeable people all over the internets.
1. Once you know your IMEI you have to rearrange it into hexadecimal format. EXAMPLE: Say your IMEI is 954091051099226, break it up into two digit groupings. The start of an IMEI is always 08, and your first number will be followed by an 'A'. Each subsequent group of two digits is then reversed. The example IMEI in hexadecimal will be 08 9A 45 90 01 15 90 29 62.
2. Using a root explorer, go to efs/root/afs/settings and copy nv_data.bin to your computer for editing.
3. Download and install a hex editor. I used HxD and found it easiest to use. The link from cnet is http://download.cnet.com/HxD-Hex-Editor/3000-2352-10891068.html
4. Open nv_data.bin in HxD. On the top menu toolbar click view>offset base>hexadecimal. Scroll down through the file until you find offset 550, which will appear as 00000550. Type your IMEI in hexadecimal format into this line, overwriting the FF's. Fill in the remaining FF's in the line with zeros. Using the example IMEI, this would appear as [08 9A 45 90 01 15 90 29 62 00 00 00 00 00 00 00]. Fill in 7 lines of FF's below the line with your IMEI with all zeros. It should now appear like this:
08 9A 45 90 01 15 90 29 62 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Save the file. Make a copy on your phone storage.
5. Navigate back to efs/root/afs/settings and delete the existing nv_data.bin and nv_data.bin.bak.
6. Copy your modified nv_data.bin into efs/root/afs/settings.
7. Reboot and check under phone information if your IMEI has been reset.
Tried all this step by step and the IMEI number is still all zeros.
IMEI: 000000000000000/04
Device: Samsung Galaxy S 4G T959V T-Mobile Variant
Android Version: 2.3.5
Baseband Version: T959VUVKJ1
Kernel Version: 2.6.35.7-T959VUVKJ1-CL611444
PLEASE HELP ME WITH THIS PROBLEM!!!!
