[UNBRICK] HTC Unbricking Project - HTC Sensation

We are proud to announce that the Sensation is now UNbrickable. Users with the QHSUSB_DLOAD issue can now fully recover their phones and get them fully functional.
Note: This will fix only devices which were bricked by turning S ON, and bricks caused by a damaged hboot via interrupted OTA update/RUU flash on a S-ON device. Any devices bricked in other ways are currently *not* supported. We are working on it.
The "core" of the unbricking project dev team:
MOVZX
RussianBear
Fuses
Dexter93
Testing stuff and irc support:
globatron
Deceptivechaos
dburgd84
Snake_skw
Other stuff:
dmcb123
xIndirect
Hawke84
Thanks to trevE, xHausx and the rest of the evo3d team that gave us the basic info to work on and made us curious to see if we could get something out of it. Also thanks to ief and his team @revolutionary for helping us understand the bootloaders better. We should also not forget to thank cxb01 of malshenzu.com and xda members arthurire and untrueparadox who helped in translation.

Prerequisites
a linux box/live cd with automount disabled and without unity
the appropriate package for the device
the latest RUU for your device
a device bricked by writing security flag 3 with an unsigned hboot, or caused by a damaged hboot via interrupted OTA update/RUU flash on a S-ON device
a usb cable
some basic linux experience
patience
DISCLAIMER: We do NOT guarantee that this method will work for you, or that it is flawless. We are also not responsible if your phone is completely dead after the procedure, or your house burns down because your phone exploded. You are doing this AT YOUR OWN RISK.
Instructions
Detailed video on the process. Thanks kgs1992
Boot the linux box and download the appropriate package for the device.
WARNING: IT IS DEVICE SPECIFIC. DO NOT USE THE XE VERSION ON A 4G/ORIGINAL SENSATION AND VICE VERSA
Extract the package in the home directory
Open up a terminal
Remove SIM, microSD card and battery and connect the device using the USB cable. This procedure must be done without battery
Detect the device using the script provided. Type this in the terminal
Code:
./brickdetect.sh
You should get something like sdX. We are interested in that "X"
Unplug the usb cable from the device
Backup the hboot currently in the phone by using this command. Plug the device in ONLY when asked to
Code:
sudo ./emmc_recover --backup b_hboot.img --device /dev/sdX12
Replace the "X" with the letter the script gave you
Follow the on-screen instructions from emmc_recover
Hexdump the b_hboot to check the hboot version
Code:
hexdump -C b_hboot.img |less
The output should be like this:
Code:
00000000 05 00 00 00 03 00 00 00 00 00 00 00 00 00 10 40 |...............@|
00000010 d8 fc 0f 00 d8 fb 0f 00 d8 fb 1f 40 00 01 00 00 |...........@....|
00000020 d8 fc 1f 40 00 00 00 00 12 00 00 ea 31 2e 31 37 |...@........1.17|
00000030 2e 31 31 31 31 00 00 00 38 32 36 30 20 53 50 4c |.1111...8260 SPL|
00000040 00 00 00 00 00 f0 20 e3 53 48 49 50 00 00 00 00 |...... .SHIP....|
00000050 00 f0 20 e3 00 f0 20 e3 48 42 4f 4f 54 2d 38 32 |.. ... .HBOOT-82|
00000060 36 30 00 00 00 f0 20 e3 39 32 65 35 33 37 31 30 |60.... .92e53710|
This is the typical hex of an hboot. We are interested in checking whether that is the hboot partition and, if it is, in getting to know the version. In this case it is 1.17.
If in the above step you failed to identify the hboot, unplug all devices connected to that pc, reboot and try again
Unplug the device
Check again that it is the right version, because if you make a mistake here, you won't be able to go back
You can only flash the same version as the one in the device.
!!!!!DO NOT ATTEMPT TO FLASH ANOTHER VERSION OR DOWNGRADE!!!IT HAS BEEN PROVEN FATAL!!!!
Flash the hboot on the device. Replace "V.VV" with hboot version (eg. 1.17, 1.18, 1.19, 1.20, 1.23, 1.27) and "X" with the one you got from the detect script. Plug the device in ONLY when asked to
Code:
sudo ./emmc_recover --flash pyrV.VV.nb0 --device /dev/sdX12 --backupafter hboot_f.nb0
Follow the on-screen instructions from emmc_recover. A successful flash should have this output:
Code:
511+1 records in
511+1 records out
1047808 bytes(1.0 MB) copied
Unplug the device, put SIM, microSD card and battery in and power on
Congratulations, the device is unbricked.
FLASH THE RUU IMMEDIATELY AFTER RECOVERING!! The device will be unstable after the recovery if you don't flash it.
Notes on the procedure:
If the device doesn't power on, get a copy of the hboot_f.nb0 and b_hboot.img (should be located in the home directory) and contact us
The connection between the device and the pc will be unstable, and will time out. You have to be quick when doing the above, especially while flashing. If the connection times out don't panic, just unplug and replug the device
Unity and automount are known to cause issues in ubuntu 11.04 and 11.10. We recommend getting rid of both, or use a 12.04, or 10.04/.10 liveCD
USB3 ports do not work properly. Please plug the device in a USB2 port
The liveCD provided has automount enabled. Please disable it
How to disable automount on ubuntu
Code:
gsettings set org.gnome.desktop.media-handling automount false
Downloads
For Sensation and Sensation 4G:
32bit version MD5: 859cf1c8f4cc96a9c911ecf696579e6f
64bit version MD5: d160e90234999a0f8e5ed632d3a2bb4e
For Sensation XE:
32bit version MD5: dec2309cc06dbc01398a4a49f8ae13cf
64bit version MD5: de677136626fe2e096f0a7f48e438978
Don't have a linux distro installed on your pc? We highly recommend this livecd
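A pre-flight check for the "hexdump the backup, then flash only the same version" steps in the guide above. This is an added example, not part of the original post and not one of the project's tools. It assumes the first 40 bytes follow the common Qualcomm MBN-style header layout (an interpretation that fits the dump shown in the post, which does not state it); the function names are hypothetical and the sample image is constructed from the dump bytes.

```python
"""Check a dumped hboot partition before flashing (added example)."""
import os
import re
import struct
import sys

# ASSUMPTION: ten little-endian 32-bit words, read as an MBN-style header:
# id, header version, source, load address, image size, code size,
# signature pointer, signature size, cert chain pointer, cert chain size.
MBN_HEADER = struct.Struct("<10I")
VERSION_RE = re.compile(rb"(\d\.\d{2})\.\d{4}\x00")  # e.g. b"1.17.1111\0"
MARKER_RE = re.compile(rb"HBOOT-\w+")                 # e.g. b"HBOOT-8260"
IMAGE_NAME_RE = re.compile(r"pyr(\d\.\d{2})\.nb0")    # pyrV.VV.nb0 from the guide
SCAN_BYTES = 0x200  # the strings in the post's dump sit in the first 0x70 bytes

# Constructed sample: the 0x70 bytes printed in the post's hexdump, zero-padded
# to 1047808 bytes (the byte count in the post's flash output). Not bootable.
SAMPLE_HEAD = bytes.fromhex(
    "05 00 00 00 03 00 00 00 00 00 00 00 00 00 10 40"
    "d8 fc 0f 00 d8 fb 0f 00 d8 fb 1f 40 00 01 00 00"
    "d8 fc 1f 40 00 00 00 00 12 00 00 ea 31 2e 31 37"
    "2e 31 31 31 31 00 00 00 38 32 36 30 20 53 50 4c"
    "00 00 00 00 00 f0 20 e3 53 48 49 50 00 00 00 00"
    "00 f0 20 e3 00 f0 20 e3 48 42 4f 4f 54 2d 38 32"
    "36 30 00 00 00 f0 20 e3 39 32 65 35 33 37 31 30"
)
SAMPLE_IMAGE = SAMPLE_HEAD + bytes(1047808 - len(SAMPLE_HEAD))


def parse_hboot(data):
    """Describe an hboot image, or return None if `data` does not look like one."""
    if len(data) < MBN_HEADER.size:
        return None
    (_id, _hdr_ver, _src, dest, image_size, code_size,
     sig_ptr, sig_size, _cert_ptr, cert_size) = MBN_HEADER.unpack_from(data)
    head = data[:SCAN_BYTES]
    version = VERSION_RE.search(head)
    marker = MARKER_RE.search(head)
    if version is None or marker is None:
        return None
    return {
        "version": version.group(1).decode("ascii"),
        "marker": marker.group(0).decode("ascii"),
        # Header plus payload; for the post's dump this is 1047808 bytes.
        "expected_len": MBN_HEADER.size + image_size,
        # Size and pointer fields must agree with each other.
        "consistent": (image_size == code_size + sig_size + cert_size
                       and sig_ptr == dest + code_size),
    }


def check_before_flash(backup, image_name):
    """Return (ok, notes): ok is True only if the versions match."""
    info = parse_hboot(backup)
    if info is None:
        return False, ["no hboot version/marker found: probably the wrong partition"]
    named = IMAGE_NAME_RE.fullmatch(os.path.basename(image_name))
    if named is None:
        return False, ["image name is not of the form pyrV.VV.nb0"]
    notes = []
    if not info["consistent"]:
        notes.append("header size fields disagree (damaged hboot?)")
    if len(backup) < info["expected_len"]:
        notes.append("backup is shorter than the header implies (truncated read?)")
    if named.group(1) != info["version"]:
        notes.append(f"device has {info['version']}, image is {named.group(1)}")
        return False, notes
    return True, notes


if __name__ == "__main__":
    # usage: python3 check_hboot.py b_hboot.img pyr1.17.nb0
    with open(sys.argv[1], "rb") as fh:
        ok, notes = check_before_flash(fh.read(), sys.argv[2])
    print("OK to flash" if ok else "DO NOT FLASH", *notes, sep="\n  ")
    sys.exit(0 if ok else 1)
```

A refusal here means the same thing as failing the manual hexdump check in the guide: unplug, reboot and take the backup again before going any further.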

awesome!
any people that know chinese, we need your help:
a chinese forum where a member posted a guide on how to de-brick a phone (zte u960) from qhsusb_mode:
http://bbs.malshenzu.com/read-htm-tid-38591-page-1.html
http://bbs.malshenzu.com/read-htm-tid-41957-page-1.html ( Sales MultiDL tool guide)
they use an additional tool (Sales MultiDL) that backs up a lot of .mbn and .img files that we don't have (yet), so i'm not sure if we can pull those files out of the phone manually, or what?
translation per untrueparadox:
1. choose program mode
2. select the .hex and .mbn files from the included package
3. load the .xml included in the package
____ the path to xml file will show here
4. after selecting everything, click download to revive the brick
the files they used to flash:
anyone knows Chinese (google chrome translator is ok for basic understanding, but nothing more than that)?
i did pm the op of those threads to see what he thinks.

Yes a devs thread
So now we basically just have to wait to find out how to get the mbn files?
Sent from my HTC Sensation Z710e using XDA Premium App

dexter93 said:
----//notes//----
*the phone wont connect in diag mode using custom roms other than stock. certainly not with ics roms
*more pictures are available in the two threads mentioned
Dex, i'm on gb build of insert coin and diag works for me

RussianBear said:
Dex, i'm on gb build of insert coin and diag works for me
thanks. fixed it
it wouldnt work on ics insertcoin for me. it was missing some files( probably those werent even in the test ruu, or baad removed them)

if somebody doesn't like this thread (the one star rating), then contact a moderator or the op with your concerns. i don't see what is there not to like?

Found this. not sure if it helps but it's worth a look
http://www.scribd.com/doc/19215998/Qualcomm-Qpst-27-Users-Guide-2006
Some stuff about creating an mbn.

dmcb123 said:
Found this. not sure if it helps but it's worth a look
http://www.scribd.com/doc/19215998/Qualcomm-Qpst-27-Users-Guide-2006
Some stuff about creating an mbn.
search for "amss" in that pdf- seems like they've already had mentions of dual core msm chips back in 2006 (page 60). this guide is pretty cool! look up page 155-onwards as well.
need to find a newer version of this guide as well.

RussianBear said:
search for "amss" in that pdf- seems like they've already had mentions of dual core msm chips back in 2006 (page 60). this guide is pretty cool! look up page 155-onwards as well.
need to find a newer version of this guide as well.
the new version is included in the qpst download. check it

http://tjworld.net/wiki/Android/HTC/Vision
very cool stuff there. the guy dissects everything!
---------- Post added at 04:28 PM ---------- Previous post was at 04:27 PM ----------
dexter93 said:
the new version is included in the qpst download. check it
i skimmed thru it last night, will do again tonight

RussianBear said:
http://tjworld.net/wiki/Android/HTC/Vision
very cool stuff there. the guy dissects everything!
---------- Post added at 04:28 PM ---------- Previous post was at 04:27 PM ----------
i skimmed thru it last night, will do again tonight
Damn that is pretty comprehensive

another translation request, please.
http://wenku.baidu.com/view/5da95a6ba98271fe910ef9a2.html
---------- Post added at 05:41 PM ---------- Previous post was at 05:34 PM ----------
check this: http://android.modaco.com/topic/351690-zte-firmware-package-for-v11a-aka-vodafone-smarttab10/
i'll try to find a ruu or some kind of firmware for sensation to see if it has anything similar.
i think the phone's partition layout gets erased and we need the xml file to re-map it again. just a guess...

Guys we have to abandon it too... there is no fix with the way we are trying
I finally found IEF on the revolutionary irc and he told me that all these bricks happened because people went s on with modified, unsigned by htc, hboots. He also told me that under s on, we cant try anything, not even via QPST, cause we would gain nothing. The only way of fixing that is by flashing the eMMC externally, using JTAG.
here is the conversation
[01:06] <@IEF> dexter93: you can't.
[01:06] <@IEF> simply put.
[01:06] <dexter93> not even via qspt?
[01:06] <@IEF> no
[01:06] <@IEF> that is for radio flashing
[01:07] <@IEF> and will get you nowhere under S-ON, even if you had all the other pieces.
[01:07] <dexter93> couldnt we just flash the phone again?
[01:07] <@IEF> that's what I said, not by software
[01:08] <@IEF> unless you consider JTAG sofware.
[01:08] <dexter93> but?
[01:08] <dexter93> by putting the device n download mode, do i gain something?
[01:08] <T-Junk> no butts..
[01:08] <@IEF> QCDL *is* download mode.
[01:08] <dexter93> qcdl?
[01:09] <@IEF> sigh
[01:09] <@IEF> the serial ports you get after bricking hboot.
[01:09] <dexter93> sorry... im a noob on those
[01:09] <@IEF> most people are, because you won't get anywhere without a proper loader
[01:10] <dexter93> and there is no way to bring it back to life?
[01:10] <@IEF> RMA
[01:10] <dexter93> any chance we can get that proper loader?
[01:11] <@IEF> did you honestly expect me to put it in those terms if I already had it?
[01:11] <@IEF> and again, it would gain you very little. QCDL is traditionally for baseband flashing
[01:11] <dexter93> i get it..
[01:12] <@IEF> signed hboots are a *security* measure for a reason.
[01:12] <dexter93> restoring a factory mbn wouldnt do the job?
[01:13] <@IEF> that's the same thing
[01:13] <dexter93> so that means that even htc cant fix that?
[01:14] <@IEF> ofcourse they can
[01:14] <@IEF> they can just flash the eMMC externally
[01:14] <dexter93> and why cant we?
[01:14] <dexter93> externally?
[01:14] <@IEF> ffs
[01:14] <@IEF> JTAG.
[01:14] <@IEF> this is getting pretty tiresome
[01:15] <dexter93> sorry to bother you ief
[01:15] <dexter93> and thanks for your time
[01:15] <dexter93> im just looking for some answers
[01:15] <@IEF> yeah, you could at least read up on some basic recovery procedures
[01:16] <@IEF> this is not exactly secret information
[01:16] <dexter93> i searched, but couldnt find anything
[01:16] <@IEF> if you don't have the skills to understand that or apply them, or do not have the access to it, there's really no point in asking
[01:16] <@IEF> that's what RMA is for
[01:16] <@IEF> and they may charge you for it, well within their rights
[01:17] <sfrost> trying to use revolutionary, I put in the correct info and got a key, but the program is saying its invalid ( thunderbolt with 1.04
[01:17] <dexter93> well, im patient and willing to learn
[01:18] <@IEF> it's not about willing to learn
[01:18] <@IEF> it's about having access to tools that only a chipset manufacturer has.
[01:19] <dexter93> i suppose that jtag development is out of the question without board schematics, right?
[01:22] <@IEF> no idea. you'd ask someone with a lot of JTAG experience.
[01:30] <dexter93> anyway, ill do a small research on that...
[01:30] <dexter93> thanks for the info
As you see there is no hope. And from a quick google search, JTAG is not available yet for our devices. That means only HTC RMA can deal with it...

dexter93 said:
Guys we have to abandon it too... there is no fix with the way we are trying
I finally found IEF on the revolutionary irc and he told me that all these bricks happened because people went s on with modified, unsigned by htc, hboots. He also told me that under s on, we cant try anything, not even via QPST, cause we would gain nothing. The only way of fixing that is by flashing the eMMC externally, using JTAG.
here is the conversation
As you see there is no hope. And from a quick google search, JTAG is not available yet for our devices. That means only HTC RMA can deal with it...
i don't know, man. those chinese guys seem to be on it. check this pdf:
http://www.docin.com/p-323426686.html
page 30.

Well fix or not... Thank you for all the efforts you guys put in for the community... You guys are awesome...
Sent from my HTC Sensation 4G with Beats Audio

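1. Download the after-sales flashing tool. http://bbs.malshenzu.com/read-htm-tid-41602-fpage-2.html
download program for flashing here
2. Install SalesMultiDL_U960V1.00.03.exe, then go to the SalesMultiDL install directory (x:\Program Files\ZTE\SalesMultiDL_U960V1.00.03\Win32Driver), find the SP driver (ZTE_SPRD_TD_Handset_USB_DRIVER.exe) and double-click it to install. (On 32-bit Win7, right-click the file, choose "Compatibility" and set it to "XP".)
install sales...1.00.03.exe, go to SalesMultiDL folder (x:\program..\Win32Driver) to find the driver ZTE_SPRD_TD_Handset_USB_DRIVER.exe. install it . for windows 7 32 bit, right click, go to properties, run with xp compatibility.
3. After installing the driver, connect the USB cable, enter *983*376# in the phone's dialer and choose "SP_download"; the system will install the driver.
(Installing the driver at this point gives a higher success rate than installing it only once the flash has reached 89%.)
after installing the driver and connecting the usb cable, dial that *983...# and choose SP_download, system will go into download mode.
4. Download setmode and run it; the phone reboots.
download setmode, run it and reboot phone
5. Unplug the USB cable, open SalesMultiDL, and select the flash package directory and the SP bin package.
disconnect usb cable, open salesmultidl, choose package to flash in the menu and sp bin file.
6. Connect the USB cable; the phone reboots again. Unplug the USB cable while it reboots, to avoid entering charging mode.
connect usb, reboot phone again and disconnect usb to avoid going into usb charging mode
7. Once the phone shows the G3 splash screen, connect the USB cable; the official after-sales flasher will show "right-click to download". Right-click to start the download.
(Before you click download it does not matter how you unplug the USB cable, but once you have clicked "Download" you must not unplug it.)
after seeing g3 boot screen, connect usb. in the software, right click on the menu that says right click to download. after you click download, do not unplug usb.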
hope this helps guys. the link above shows similar stuff except if you dont see the setmode command and if you have a virtual cd drive from joinme or any other service, disable it.
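In less than a month I have already run into two "Qhsusb-Dload" bricks, and it looks like this is still spreading, so here is a tutorial to help everyone rescue their own phones.
People don't like replying to threads, so I have had to hide part of it; no offence meant.
after a month, i had two similar bricked phones. this situation is not rare so here's a tutorial. hope it helps.
1. Install the Qhsusb-Dload driver.
download Qh...load driver
Once the driver is installed a port will appear (my phone is not bricked, so I can only simulate it).
after install, ports will show up. it will be virtual (i have no idea what this means)
[Hold volume up and volume down together, then press power; there is no vibration, but plugging in USB triggers the driver installation. Users whose phones are not bricked can use this method to install the driver in advance, just in case.]
hold volume up + down, turn on phone, no vibrate. when you insert usb and install driver, the driver will install.
2. Add the port in QPST.
add port in QPST
3. Open the flashing tool emmc software download.
open flashing tool
4. The corresponding .hex and .mbn files from the flash package.
select packages
5. Flash the phone.
flash phone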
and if you guys need this too
RussianBear said:
hey, man! thanks for the translation!
could you translate this pic, please?
from this guide: http://bbs.malshenzu.com/read-htm-tid-38591-page-1.html
i'm really interested what the whole guide means
p.s. that picture is hidden in step 5. you need to post something on that forum to unlock it, but i guess, you can read Chinese
Thank you!
1. choose program mode
2. select the .hex and .mbn files from the included package
3. load the .xml included in the package
____ the path to xml file will show here
4. after selecting everything, click download to revive the brick

i think you're missing ief's point. most if not all sensation bricks aside from failed eMMC, are caused by flashing a non signed hboot during the process of returning to s-ON. Once you are s-ON the eMMC becomes write protected meaning even if you did manage to write anything it wouldn't stick.

cpittman said:
i think you're missing ief's point. most if not all sensation bricks aside from failed eMMC, are caused by flashing a non signed hboot during the process of returning to s-ON. Once you are s-ON the eMMC becomes write protected meaning even if you did manage to write anything it wouldn't stick.
appreciate all the constructive criticism.
from here: http://android.modaco.com/topic/335078-retrieving-mbn-files/page__view__findpost__p__1642041
Unfortunately , you can't get a raw nand image dump by just using QPST. You can however get a full RAM dump by putting the phone in download mode (by switching it on while holding the Vol+ and Vol- keys) and using revskills. You can then "cut" the obtained image and extract oemsbl & C.
P.S. Diagnostic (FTM) Mode and Download Mode are not the same. While in Download Mode, you can send the phone a bootloader and have it run on the ARM9 (baseband) processor. With a properly written/patched bootloader you have full access to the phone hardware, including the nand. Phone flasher sends its own bootloader (armprgZTE.bin) to the phone and then use it to flash the images... we could patch it to allow nand reading.
P.P.S. NV items contain values that must be stored in a Non-Volatile way (e.g. IMEI, lock status, ...).
and also, how do you explain Chinese guys successfully (allegedly) de-bricking their phones?
either way, once we can get something similar to this (same msm chip as ours):
http://android.modaco.com/topic/351724-flashing-zte-unsigned-roms/page__p__1902193#entry1902193
rawprogram0.xml 7.762 17.11.2011 16:49 -a--c
patch0.xml 1.573 17.11.2011 16:49 -a--c
partition.xml 3.705 02.09.2011 15:38 -a--c
tz.mbn 103.960 17.11.2011 16:00 -a--c
sbl3.mbn 622.592 17.11.2011 16:00 -a--c
sbl2.mbn 108.652 17.11.2011 15:58 -a--c
sbl1.mbn 71.840 17.11.2011 15:56 -a--c
rpm.mbn 116.420 17.11.2011 15:59 -a--c
partition.mbn 9.728 17.11.2011 16:49 -a--c
emmcbld.mbn 167.008 26.10.2011 10:31 -a--c
emmc_appsboot.mbn 72.000 06.12.2011 05:17 -a--c
cefs2.mbn 3.145.728 18.11.2011 15:21 -a--c
cefs1.mbn 3.145.728 18.11.2011 15:21 -a--c
amss.mbn 18.969.240 17.11.2011 16:48 -a--c
8660_msimage.mbn 1.679.872 18.11.2011 15:36 -a--c
recovery.img 5.195.776 06.12.2011 05:17 -a--c
boot.img 4.620.288 06.12.2011 05:17 -a--c
MPRG8660.hex 467.026 18.08.2011 16:02 -a--c
userdata.img.ext4 4.096.000 11.08.2011 05:54 -a--c
system.img.ext4 660.602.880 06.12.2011 05:17 -a--c
persist.img.ext4 4.496.000 06.12.2011 05:17 -a--c
cache.img.ext4 4.096.000 06.12.2011 05:17 -a--c
partition.bin 26.112 17.11.2011 16:49 -a--c
NON-HLOS.bin 25.081.344 17.11.2011 16:49 -a--c
MBR0.bin 512 17.11.2011 16:49 -a--c
EBR0.bin 9.216 17.11.2011 16:49 -a--c
cdrom.bin 10.485.760 16.11.2011 15:09 -a--c
or
and have a person with a brick try it out, then i will admit that this either failed or succeeded.

RussianBear said:
appreciate all the constructive criticism.
from here: http://android.modaco.com/topic/335078-retrieving-mbn-files/page__view__findpost__p__1642041
and also, how do you explain Chinese guys successfully (allegedly) de-bricking their phones?
either way, once we can get something similar to this (same msm chip as ours):
http://android.modaco.com/topic/351724-flashing-zte-unsigned-roms/page__p__1902193#entry1902193
or
and have a person with a brick try it out, then i will admit that this either failed or succeeded.
As I told you in the pm, we could unbrick that way only S OFF phones -really rare cases to be bricked that way. Also the Chinese guys were messing with ZTE bootloaders, which I doubt that they have the security of HTC's . If you insist and we find a volunteer with a bricked device, I guess we could try it... The worst case scenario is to stay bricked.
Sent from my HTC Sensation XE with Beats Audio Z715e using Tapatalk

Related

Will this method work to bypass devauth ?

I read somewhere that I dont have to SUPER CID to install a 3rd party ROM, or perhaps our WM6 ROM
"Here is how I got the rom to install without the devauth error.
1) use a hex editor on the rom file and search for the devauth.exe string e.g. 44 00 65 00 76 00 41 00
2) between the "devauth" and the "exe" you will see the hex "00 2e".
3) swap these bytes around so they are "2e 00" instead of "00 2e".
4) This will keep the same checksum but will not allow the devauth.exe to run. well it worked in my case at least"
Hope it works
Will the above method work? because my phone is still under warranty, and i dont want to void it so early

Building NBH files from RAW files for a Kaiser

Well. I've spent 1 week. Yes, one week. I haven't been productive at all because I've dedicated more than 16 hours per day to find one stupid answer to this question:
Once you dump the rom of your kaiser into the Part00.raw, Part01.raw, Part02.raw and Part03.raw, how can you create an NBH file?
Listen everybody: I've been looking for this site AND OTHERS, and the only gaseous, not so clear at all, lame answers are: "Oh, oh. You need to use Tadzio´s tools".
And that's it. How the f.... do you think that an answer like that is going to work?
Step by Step instructions, people !!!!!
That's what we need to build knowledgebase.
Most people are lazy and want fast answers without researching. That's why they brick their phones. Others, like me, do our homework but since there isn't anywhere else to ask, so, I have no choice to create a new thread since there isn't NO G.. D..N answer in the forum or in the site !!!!
I have my eyes squared and peeled of looking google's, live search and yahoo results.
Please, people, lets recreate the scenario:
You have a kaiser (TyTN II or what ever you want to call it) phone and you decide that, before bricking, or, even in case of bricking it, you want to copy your original ROM and have a copy of it and also BUILD, for chrisake, a flashable ROM to make the restore procedure easy and dandy.
You download itstools and execute pdocread.exe -l to get the RAW files.
Once you get your 4 RAW files, THEN WHAT????
All what I could find is that you can use some tools from Tadzio called imgfstools but, again, and so nice from you, NO INSTRUCTIONS AT ALL !!!!
So. Any kind soul to give a DETAILED, step-by-step walk through for a Kaiser?
Thanks, community.
http://forum.xda-developers.com/showthread.php?p=1968557
"How to Reconstruct a Dumped ROM & Reconstructed ROMs" by jcespi2005
goye said:
. . . Once you dump the rom of your kaiser into the Part00.raw, Part01.raw, Part02.raw and Part03.raw, how can you create an NBH file?
. . . So. Any kind soul to give a DETAILED, step-by-step walk through for a Kaiser?
Thanks, community.
I think this is the thread you want, "How to Reconstruct a Dumped ROM & Reconstructed ROMs" by jcespi2005
Thanks, but no thanks ....
Thanks community for your fast reply.
Well, actually that article "How to Reconstruct a Dumped ROM & Reconstructed ROMs" (http://forum.xda-developers.com/showthread.php?t=337066) from jcespi2005 sucks.
He doesn't give any details of how to do it.
I did learn a lot from doctaJay's videos (http://forum.xda-developers.com/showthread.php?t=372469) on his series "Cooking Guides for the Ultimate Noobs- Screencasts".
Now that's helping the community.
But, no. I need to build FROM SCRATCH my own NBH files using my Part0x.raw files. I don't need to use any one's RUU_Signed.nbh file to cook mine. I need to create FROM SCRATCH the NBH file only from my RAW files, with out using any other NBH file!
I mean ----
0. You tweak your registry IN YOUR PDA, not the computer, to change a Security Policy key:
HKLM\Security\Policies\Policies
valuename '00001001' was set to dword:2, change it to dword:1
YOU NEED TO USE A Registry Tweaker like RegeditSTG. Google it just as I did.
Once you've done all this, then
1. you pdocread.exe -l your ORIGINAL ROM from your kaiser.
So you get an output like this:
210.38M (0xd260000) FLASHDR
| 3.12M (0x31f000) Part00
| 3.63M (0x3a0000) Part01
| 68.50M (0x4480000) Part02
| 135.13M (0x8720000) Part03
STRG handles:
handle a7486c82135.13M (0x8720000)
handle a749618e 68.50M (0x4480000)
handle 074aff52 3.63M (0x3a0000)
handle 074aff76 3.12M (0x31f000)
disk a7486c82
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk a749618e
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 074aff52
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 074aff76
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Cute!
2. Step Two is Supposed to be creating your own, personal NBH installer kit from your original dumped ROM without using any other's ruu_signed.nbh downloaded from some guy's ROM kit.
I've read that you need Tadzio's imgfstools for doing so. See?
Even Tadzio's, the creator of the tool doesn't even explain, men and women !
That's pretty much f...ed up !
3. Open and HardSPL your phone BEFORE doing ANY FLASHING TASKS or you would really end up with a nice paper holder on your desk.
4. You should find a way to back up your RADIO ROM.
That's something completely different from the OS ROM. Many people complain that once they use some guy's ROM kit, their phones stop working in their networks.
Me, I live in Japan. I can't just download what ever ROM kit and flash my Kaiser, since in Japan my phone provider, E-Mobile, uses a weird 1700 Mhz W-CDMA frequency, and most of the ROM kits are flashed for GSM networks and different 800Mhz - 1900 Mhz and 2100 Mhz GSM/GPRS networks.
Many stupidly think that flashing a phone's OS is a matter of downloading a g.. d...ed ROM and "bingo", you got your phone done. Actually, because following this guy jcespi2005's ROM (I can't blame him. You can't blame no one for flashing and messing your own ROM, I want to make that CLEAR), my phone doesn't work.
So .... You have to be careful and teach others to be careful, but the best way is to do a comprehensive, all in one step-by-step guide that will clarify most of the doubts of people.
5. Cook your own ROM's
I think, personally, that following these steps will prevent most people of bugging their phones and, at least, in the worse scenario, be able to some how restore most of the original condition of the kaiser so we can claim service or guarantee.
---------------------------------------
We have our RAW files from scratch, dumped BEFORE DOING anything that potentially might brick our kaiser.
Now, before cooking and all that (again, thanks doctaJay for your screencasts, you da man !), I need to know:
HOW CAN I BUILD AN IMAGE FILE FROM TOTALLY SCRATCH JUST USING MY OWN RAW FILES !!!
It is said that we can use imgfstools from tadzios, but, as usual, not even a g.. d..med clue here !
Instructions !!
I can commit to post a nice, very in depth screencast for all of the people, but, please, I need to create from scratch, with out using ANYONE's dumped image NBH or ROM, a ROM file.
It's as simple as this: How did the FIRST PERSON IN this community manage to create FROM SCRATCH a NBH from his/her RAW files? And let it be told: FOR A KAISER, for chrisake ! Don't compare apples with oranges, even if they tend to behave alike.
See? That's the nature of the question. I'm not interested in COOKING A ROM, using as a base someone else's ROM.
That's the question, community.
Believe me, once I have all these steps mastered, I will make videocasts (screen casts) in both English and Spanish (Maybe Japanese as well).
So, help me out to help others and in that way we can help new users in a better way !
Thanks !
i don't know how much reading you did in either post from the other guys but the threads they posted give you a STEP-BY-STEP walkthrough, if you can't read the walkthrough then you're a f*****g idiot and you shouldn't be trying any of the $h1t you are trying to do. READ i read through both of those threads posted and now i can dump a rom and cook one for the hell of it, mine only go to me but whatever. your steps only say "2. Step Two is Supposed to be creating your own, personal NBH installer kit from your original dumped ROM without using any other's ruu_signed.nbh downloaded from some guy's ROM kit.
I've read that you need Tadzio's imgfstools for doing so. See?
Even Tadzio's, the creator of the tool doesn't even explain, men and women !
That's pretty much f...ed up !" well that's not an answer. don't create a thread just to ***** about how you want an answer, write your own damn program and DIYFS if you want to do everything from scratch.
personally i thank each and every member who has contributed anything, because without the guys here i would still have a stock att rom(minus bloat). thank you chefs and all others that have allowed my phone to be as great as it can be
STEP 1: Extract the RAW (IMGFS) file to a dump directory
imgfstodump part02.raw
fgs......how much more info do you need.
from the rom reconstruction thread.
jcespi2005 said:
2. Download the WWE BaseROM to use in the reconstruction process here http://rapidshare.com/files/5781641...dio_sign_22.45.88.07_1.27.12.11_Ship.rar.html
3. Download the modified version by Alex of Kaiser Kitchen here, that allows to reconstruct the ROM from the dump. Follow the guide included in the Readme using WWE from previous step and to will get you reconstructed ROM from your device.
sure i admit, that's not that much info, which is why i gave u the link to doctajay's screencasts, watch all his videos, everything you need is there. what more do you want?
I forgot to mention: My network is not GSM or similiar and I can't smoke my Radio
tubaking182 said:
> i don't know how much reading you did in either post from the other guys but the threads they posted give you a STEP-BY-STEP walkthrough, if you can't read the walkthrough then you're a f*****g idiot and you shouldn't be trying any of the $h1t you are trying to do. READ i read through both of those threads posted and now i can dump a rom and cook one for the hell of it, mine only go to me but whatever. your steps only say "2. Step Two is Supposed to be creating your own, personal NBH installer kit from your original dumped ROM without using any other's ruu_signed.nbh downloaded from some guy's ROM kit.
> I've read that you need Tadzio's imgfstools for doing so. See?
> Even Tadzio's, the creator of the tool doesn't even explain, men and women !
> That's pretty much f...ed up !" well that's not an answer. don't create a thread just to ***** about how you want an answer, write your own damn program and DIYFS if you want to do everything from scratch.
> personally i thank each and every member who has contributed anything, because without the guys here i would still have a stock att rom(minus bloat). thank you chefs and all others that have allowed my phone to be as great as it can be
Also, I already mentioned this (who's not reading?):
goye said:
> 4. You should find a way to back up your RADIO ROM.
> That's something completely different from the OS ROM. Many people complain that once they use some guy's ROM kit, their phones stop working in their networks.
> Me, I live in Japan. I can't just download whatever ROM kit and flash my Kaiser, since in Japan my phone provider, E-Mobile, uses a weird 1700 MHz W-CDMA frequency, and most of the ROM kits are flashed for GSM networks and different 800 MHz - 1900 MHz and 2100 MHz GSM/GPRS networks.
That's why I need to create my own ROM from SCRATCH, not taking other ROMs as a base.

[TUTORIAL] Unlock Samsung [GT-S5570 / i5500 / Galaxy Ace]

Unlock your Samsung Phone
[GT-S5570 / more...]
------------------------------------------------------------------------------------------------------------------------------------------------------------
First I would like to say a few words about this thread. I made this thread at some users' requests; the original thread contains an obsolete method for unlocking, which made some people brick their phones. The latest and safe method was mixed somewhere among other posts about different methods and may confuse users. I just rewrote this from zero for a better understanding and for possible questions and discussions about it. I don't own anything from the method used.
Original author of method: tweakradje
Original thread: http://forum.xda-developers.com/showthread.php?t=828534&page=34
------------------------------------------------------------------------------------------------------------------------------------------------------------
This tutorial was tested on a Samsung GT-S5570 ( Galaxy Mini ) but worked on some other models too ( i5500 / Galaxy Ace ). For more details you can search in original thread.
First thing you must know is that in order to keep following this tutorial you must have your phone rooted. Temporary or permanent, both will do the job. For any information about rooting phone ( Android 2.2 / 2.3 ) you can do a quick search on XDA-forum or Google.
Root Desktop App: SuperOneClick
SuperOneClick Root Tutorial: Root Tutorial
Now there are 2 methods for extracting the file we need to obtain unlock code, one using ADB Shell(if you use this method, make sure you have installed Android USB Driver first) or using a Terminal App for phone. ADB comes with Android SDK Tools and Terminal Emulator App from market or somewhere else.
• Method 1 (ADB Shell)
- Open one instance of "Command Prompt" and go to folder containing ADB tool (adb.exe). (e.g C:\Program Files (x86)\Android\android-sdk\platform-tools>)
- Make sure your phone is connected to PC and "USB Debugging" is enabled. (Settings -> Applications -> Development -> USB debugging [X])
- The following commands will be executed in "Command Prompt" that we opened earlier:
Code:
- adb shell
- su
- cat /dev/block/bml5>/sdcard/bml5.img
- exit (2x)
- adb pull /sdcard/bml5.img
So let's understand what we did here. First we run remote shell interactively, grant super-user access, extract the bml5 file to /sdcard then copy it to PC.
The file that we copied to PC should be in C:\Users\~username~\AppData\Local\VirtualStore but you can do a quick search to find it.
• Method 2 (Terminal App)
- Open Terminal Emulator app
- Grant Super-user access to application
- The following commands will be executed in current opened application:
Code:
- su
- cat /dev/block/bml5>/sdcard/bml5.img
- exit (2x)
- Close the application.
bml5 -> (BE-EM-EL-FIVE)
2x -> run the command 2 times
Attention: If you run the cat command with the path from above and it says the file doesn't exist or something like that, make sure you try "cat /dev/bml5>/sdcard/bml5.img". For Samsung GT-S5570 the file is under /dev/block.
If you get this message when trying to access the .bml file while you're connected to PC: Permission Denied, then try to get your USB card out of Mass Storage mode, so the card won't be used by another process.
Ok, so after using one of these methods we have our file bml5.img in our PC if we used first method or on our /sdcard if we used second method. Keep in mind that we need this file on our PC, so if you used second method just copy the file to PC!
Now comes the part where we need to work with the file that we just extracted. So, in order to get the unlock code we need a HEX Editor, i've used XVI32 Hex Editor to open the file.
• Finding the unlock code
- Open XVI32 Application that we just downloaded. Hit CTRL+O and select the bml5.img file that we extracted earlier. (Open the file)
- At first look we will see just a bunch of FF's and 00's and random decimals or symbols, but somewhere deep in there is our unlock code.
- Hit CTRL+F to open search dialog, select "Hex String" and put the following search string
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 30 30 30 30 30 30 30 30
(maybe the search string won't be the same for all phones, but the one from above worked for Samsung GT-S5570)
- Mark "Case Sensitive", Direction "Down", Scope from "Begin".
- Click ok, or hit ENTER to start our search.
- So now, we must hit F3 until we find our unlock code.
Our unlock code will be 8 digits plain text surrounded by unknown symbols just like in image below.
(I hit F3 about 3 times, but I don't know if it's the same for everyone. Also, after hitting F3, go 2-3 rows up to make sure the code is not above the searched string.)
(The unlock code can be found in multiple places in the file, so if you skip one searched string by mistake, just pay attention to the next ones)
After getting the unlock code, write it somewhere in PC or paper... close the phone, remove the actual SIM Card, insert a foreign one and turn it ON! Wait until it boots up, insert the unlock code and you're done. Now you have an unlocked phone!
Attention: Unlock code can be extracted using a Custom ROM like CM7 in my case, the file was there, but can't be unlocked since the window to insert code doesn't appear(pop-up). In order to unlock your phone you must have a Stock ROM that actually can read any Samsung code and have that Network unlock code window!
Most custom ROMs that try to remove blur break the subsidy lock interface (SIM unlock screen doesn't show on them). If you flash another ROM and the subsidy unlock screen doesn't pop up when you insert a foreign SIM, you will need to flash back the stock ROM in order to unlock. So the easiest way for those of you running a Custom ROM: just do a nandroid backup using CWM, flash Stock ROM, unlock your phone then restore your backup.
• Useful Codes
*#7465625# - Dial code to check if phone is network locked.
#7465625*638*UNLOCK-CODE# - Replace UNLOCK-CODE with your 8 digits number, then dial. Phone might reboot.
Details about test environment
Code:
Phone used: Samsung GT-S5570 (Galaxy Mini)
Android Version: 2.3.4 (Gingerbread)
PC Windows: Windows 7 (64-bit)
------------------------------------------------------------------------------------------------------------------------------------------------------------
If you have reached the end of the tutorial and you weren't able to obtain the unlock code (you find numbers like 00000000 / 11111111), then it means that your phone is "Hard Locked" or doesn't have the unlock code provided with the phone. I don't know any solution until now for this problem. For most of the people here, this works flawlessly; for some it doesn't work.
------------------------------------------------------------------------------------------------------------------------------------------------------------
If you find this tutorial useful please consider pushing the Thanks button at the end of thread.
You can also send me a beer by donating Thank you.
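The hex search from the tutorial above, automated as an added example (not code from the original post or from tweakradje's method): it locates the tutorial's search string in a bml5.img dump and lists isolated 8-digit ASCII runs near each hit, keeping placeholder values such as 00000000 / 11111111 apart. The 64-byte window, the function names and the constructed sample image are assumptions; the layout differs between models.

```python
import re
import sys

# Search string from the tutorial: 24 bytes of 0xFF, then eight ASCII "0" (0x30).
MARKER = b"\xff" * 24 + b"0" * 8
ZERO_FIELD = 24  # position of the eight 0x30 bytes inside the marker
# A run of exactly eight ASCII digits that is not part of a longer digit run.
EIGHT_DIGITS = re.compile(rb"(?<![0-9])[0-9]{8}(?![0-9])")
WINDOW = 64  # assumption: bytes inspected around a hit ("2-3 rows" of 16 bytes, rounded up)


def marker_offsets(image):
    """Return every offset at which the tutorial's search string occurs."""
    hits, pos = [], image.find(MARKER)
    while pos != -1:
        hits.append(pos)
        pos = image.find(MARKER, pos + 1)
    return hits


def scan(image, window=WINDOW):
    """Classify 8-digit runs that lie within `window` bytes of a marker hit."""
    markers = marker_offsets(image)
    codes, placeholders = [], []
    for match in EIGHT_DIGITS.finditer(image):
        start, end = match.span()
        if any(start == hit + ZERO_FIELD for hit in markers):
            continue  # the marker's own zero field, not a code
        if not any(hit - window <= start and end <= hit + len(MARKER) + window
                   for hit in markers):
            continue  # digits elsewhere in the dump (dates, versions, ...)
        text = match.group().decode("ascii")
        # The tutorial treats 00000000 / 11111111 as "no code stored".
        (placeholders if len(set(text)) == 1 else codes).append((start, text))
    return {"markers": markers, "codes": codes, "placeholders": placeholders}


def verdict(result):
    """Summarise a scan result as one of four short labels."""
    if not result["markers"]:
        return "no-marker"         # search string differs on this model
    if result["codes"]:
        return "candidates"
    if result["placeholders"]:
        return "placeholder-only"  # the tutorial's "Hard Locked" case
    return "nothing-nearby"


def build_sample(code=b"48151623"):
    """Constructed test image (not a real dump): code 18 bytes before the marker."""
    return (bytes(512) + b"\x8a\x01" + code + b"\x00\x9c" + bytes(8)
            + MARKER + bytes(100) + b"20110815" + bytes(64))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample()
    result = scan(data)
    print(verdict(result))
    for offset, text in result["codes"] + result["placeholders"]:
        print("0x%08X  %s" % (offset, text))
```

Run it with the path to bml5.img as the only argument; without an argument it scans the constructed sample.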
Nice work. I will add it to the OP of my thread.
Cheers
tweakradje said:
> Nice work. I will add it to the OP of my thread.
> Cheers
Nice. Thank you i hope it's clear enough.
Cheers
Nice work OP!
I have extracted the unlock code from a Samsung Galaxy ACE (st-5830) with CM7 mod with the PC method. However, the file was in the SD finally.
I can't unlock the phone until I flash a stock rom. In less than a week I will post if it has work or not.
Thank you everyone.
EDIT: IT IS WORKING RIGHT. My Galaxy Ace is now unlock and making calls. =)
davidteleco said:
> I have extracted the unlock code from a Samsung Galaxy ACE (st-5830) with CM7 mod with the PC method. However, the file was in the SD finally.
> I can't unlock the phone until I flash a stock rom. In less than a week I will post if it has work or not.
> Thank you everyone.
> EDIT: IT IS WORKING RIGHT. My Galaxy Ace is now unlock and making calls. =)
Nice to hear that heh
@pvp26 - Thank you.
Thanks. I have bml5.img on my sdcard, but how do I transfer it to my PC. I've been searching and can't seem to find an answer. I tried following a link (can't post it because I'm a new member) but my “Wireless and Network” does not have a USB utilities
EDIT: I got it unlocked!! I just emailed myself bml5.img. But does anyone know why I couldn't transfer before?
Many thanks for your organized post.
With it I was able to find my unlock code but I cant get the popup message.( "Unlock code can be extracted using a Custom ROM like CM7 in my case, the file was there, but can't be unlocked since the window to insert code doesn't appear") I have cyanogenmod 7.1 and I would like to know which stock rom you used and where did you get it. Thanks and good job.
LuisDuarte said:
> Many thanks for your organized post.
> With it I was able to find my unlock code but I cant get the popup message.( "Unlock code can be extracted using a Custom ROM like CM7 in my case, the file was there, but can't be unlocked since the window to insert code doesn't appear") I have cyanogenmod 7.1 and I would like to know which stock rom you used and where did you get it. Thanks and good job.
I used stock Gingerbread 2.3.4 that you can get on samfirmware: scroll down, search for your phone model and click FIRMWARE from the table.
@dannycastaway - i don't know exactly why, but usually when you insert USB cable a notification should show on statusbar, slide down and click "Manage Storage / Copy files" something like that and activate it.
It works really good for me!
Samsung Gio S5660, gingerbread 2.3.4 (locked from Bell mobility).
Thanks
This is really a good simple guide. That works, thanks
nice one..!
works fine.. thank you!
Nice work!
Samsung Galaxy Mini (GT-S5570), Gingerbread 2.3.5, Orange network - working flawlessly
Thank you!
I have just registered to show my appreciation! Ive got an S2, but bought the mrs an ACE locked to Orange.
While ive flashed Android Roms on my old galaxy portal, Ive never used ADB, and after a bit of searching online I managed to get my head round it.
So heres a Big thank you for a Complete working unlock on a Galaxy ACE.
Only thing i may add is that i had to use 'cat /dev/bml5>/sdcard/bml5.img'
And with hex editor found the code straight away.
Thanks again!
Ill stick around and see what i can do with my S2 now aswell
tks!
great guys! you are truly amazing.
Perfectly working on i5500
But if you restore the phone unlock code to be reset again? and remains always the same?
Thanks for the answer
marianomonaco said:
> great guys! you are truly amazing.
> Perfectly working on i5500
> But if you restore the phone unlock code to be reset again? and remains always the same?
> Thanks for the answer
The phone should remain unlocked even after reset or flashing ROM.
Worked in Samsung i5500 Android 2.1
I have a Samsung Galaxy i5500 (Galaxy 5, Galaxy europa, Corby, Galaxy 550), with Android 2.1 update1 bought in Amazon USA.
The given instructions worked perfectly.
I found the code in the first search and was only once in the file.
I got root using SuperOneClick: http://forum.xda-developers.com/showthread.php?t=803682
Here is how I made SuperOneClick work for me: http://forum.xda-developers.com/showthread.php?t=803682
I had previously installed:
Java SDK (JDK): http://www.oracle.com/technetwork/java/javase/downloads/index.html
(needed by Android SDK)
Android SDK: http://developer.android.com/sdk/index.html
(that installs adb)
Android USB Driver: http://developer.android.com/sdk/win-usb.html
(I don't know if it's needed)
Hi, many thanks for the guide, it didnt work for me I have a galaxy y and there is no: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 30 30 30 30 30 30 30 30 in bml5.
AchilleX said:
> It works really good for me!
> Samsung Gio S5660, gingerbread 2.3.4 (locked from Bell mobility).
> Thanks
How did you manage to do it? What's the process you've used?
I've tried the second method and in the terminal emulator it says permission denied
wow, very useful, thanks!

N920T Storage issues after flashing.

Greetings and salutations, fellow brothers and sisters in modding! You probably have never seen me around, but I've been here a looooong time, behind the scenes, clicking, watching, learning and, of course, modding it up like the crazy fool I am!
Let me just say I love XDA. XDA has helped me out of some HELLA messed up situations, a couple of times my reckless flashing has ended in bricking and if not for XDA I would have to do some fast talking! LOL
N e wayz!! My goal for this phone is to have a stable, updatable ROM on this phone. I need, at least, temporary root for sim unlocking later.
Right now, I'm very confused that after many hours of downloading and flashing the wrong firmware.... no, scratch that, I'm not confused at all.... this is exactly WHY my phone is doing what its doing...
I have root with cf-auto-root and I'm on firmware N920TUVS4DQA2_N920TTMB4DQA2_TMB
The rom is very stable but I only have 8gigs of total storage and the OS eats up about 7.5gigs of that so I can only install busybox and my storage is full!
The specs say I should have 32/64/128 GB of storage.
I'm not sure what to do next to fix this.
Also, I'm receiving a push notify, something about it being locked. I'll post a screen on it.
Any assistance is HUGELY appreciated!!!!!
Much love,
D
P.S. I have the Z3X unlock box for Samsung but it has done absolutely nothing with this phone except let me get the phone codes info off of it, so I'll copy/paste that in. Just in case it helps figure it out lol
Operation: Read Codes
Selected model: SM-N920T
Software version: 29.6
Waiting ADB device... OK
Reading phone info...
Model: SM-N920T
Android version: 6.0.1
Product code: SM-N920TZWATMB
Phone version: N920TUVS4DQA2
PDA version: N920TUVS4DQA2
CSC version: N920TTMB4DQA2
CSC country code: USA
CSC sales code: TMB
HW version: REV0.2
Phone SN: RF8G71W808R
Chip name: EXYNOS7420
Modem board: SHANNON333
Security patch: 2017-01-01
RF cal date: 20150728
IMEI: 000000000000000
Checking Super user right... true
Reading NV data... OK
Checking NV data... OK
Initialization zTool... OK
Running zTool, please wait... OK
HWID: 48 C6 12 AF 0E 07 00 00 00 00 00 00 00 00 00 00
Calculating... OK
Checking hash file... OK
Please wait, calculating codes... OK (time - 00:00:16)
Freeze code: 42050703
NET lock: 17368573
SUB lock: 00000000
SP lock: 00000000
CP lock: 00000000
SIM lock: 00000000
Done with Samsung Tool PRO v.29.6

[GUIDE] How to change SKUID to Worldwide or China (Root required)

FIH-made Android phones that shipped from the factory with Android 8.0 can't switch SKUID via OST LA without service permission.
Changing SKUID will allow you to pass SafetyNet, especially for the Nokia 7 plus converted from TA-1062 China Variant.
If you're from China, a Chinese translation of this guide is available here:
https://dospy.wang/forum.php?mod=viewthread&tid=154&extra=page=1
Here's the procedure:
1. Bootloader must be unlocked and you must get your phone rooted.
2. Use a terminal emulator or adb shell to execute these commands:
Code:
$ su
(Accept root permission on your phone)
# dd if=/dev/block/bootdevice/by-name/deviceinfo of=/storage/emulated/0/deviceinfo.img
WARNING: YOU MUST USE YOUR OWN DEVICEINFO, DO NOT ASK ANY OTHERS FOR THIS DUMP.
THIS PARTITION CONTAINS YOUR IMEI AND SERIAL, AND CRUCIAL DRM KEY, SERVICE KEY THAT ALLOWS YOU TO FLASH PARTITION.
3. Use a Hex Editor to open deviceinfo.img placed at root directory of internal storage.
4. Go to offset 0x13B0; you should see data that looks like this:
Code:
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
00001380 53 4B 55 49 44 00 00 00 00 00 00 00 00 00 00 00 SKUID
00001390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000013A0 53 4B 55 63 68 61 6E 67 65 00 00 00 00 00 00 00 SKUchange
000013B0 36 30 30 43 4E 00 00 00 00 00 00 00 00 00 00 00 600CN
On Nokia 6 (TA-1000) or any other variants, you may not see string "SKUchange" from offset 0x13A0 to 0x13A8, which is normal.
5. Modify the values at 0x13B3 and 0x13B4 to 57, which is ASCII "W".
Code:
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
00001380 53 4B 55 49 44 00 00 00 00 00 00 00 00 00 00 00 SKUID
00001390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000013A0 53 4B 55 63 68 61 6E 67 65 00 00 00 00 00 00 00 SKUchange
000013B0 36 30 30 57 57 00 00 00 00 00 00 00 00 00 00 00 600WW
5. Save it as deviceinfo_mod.img.
6. Copy it to internal storage if you modify it on a PC, then execute these commands with a terminal emulator or adb shell:
Code:
$ su
# dd if=/storage/emulated/0/deviceinfo_mod.img of=/dev/block/bootdevice/by-name/deviceinfo
7. Reboot your phone, reflash global firmware and relock your phone if you wish:
Code:
fastboot flashing lock_critical
(Confirm on your phone)
fastboot oem lock-go
(Confirm on your phone again)
8. Now your phone is completely converted to global version which can pass SafetyNet - you can use Google Pay normally now.
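A pre-flash check for steps 3 to 6 of the guide above, as an added example (not part of the original post or of any FIH/Nokia tool): it compares the dumped deviceinfo.img with deviceinfo_mod.img and confirms that the size is unchanged and that only offsets 0x13B3 and 0x13B4 differ, since the same partition also holds the IMEI, serial and keys. The function names, the 16-byte field length and the constructed sample image are assumptions.

```python
import sys

EDIT_OFFSETS = (0x13B3, 0x13B4)        # the two bytes the guide changes
SKU_OFFSET = 0x13B0                    # start of the SKU string in the guide's dump
SKU_FIELD_LEN = 16                     # assumption: the field is the 16-byte row shown
LABEL_OFFSET, LABEL = 0x1380, b"SKUID"  # label row shown in the guide's dump


def read_sku(image):
    """Return the NUL-terminated ASCII string stored at SKU_OFFSET."""
    field = image[SKU_OFFSET:SKU_OFFSET + SKU_FIELD_LEN]
    return field.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def changed_offsets(original, modified):
    """Offsets (within the common length) where the two images differ."""
    return [i for i, (a, b) in enumerate(zip(original, modified)) if a != b]


def check_edit(original, modified, expected_sku="600WW"):
    """Return a list of problems; an empty list means the edit matches the guide."""
    problems = []
    if original[LABEL_OFFSET:LABEL_OFFSET + len(LABEL)] != LABEL:
        problems.append("no SKUID label at 0x1380: layout differs from the guide")
    if len(original) != len(modified):
        problems.append("size changed from %d to %d bytes (editor in insert mode?)"
                        % (len(original), len(modified)))
    stray = [off for off in changed_offsets(original, modified)
             if off not in EDIT_OFFSETS]
    if stray:
        shown = ", ".join(hex(off) for off in stray[:5])
        problems.append("%d byte(s) changed outside 0x13b3/0x13b4, first at: %s"
                        % (len(stray), shown))
    if read_sku(modified) != expected_sku:
        problems.append("SKU reads %r, expected %r"
                        % (read_sku(modified), expected_sku))
    return problems


def build_sample():
    """Constructed 8 KiB image that mimics the rows shown in the guide."""
    img = bytearray(0x2000)
    img[0x0040:0x0048] = b"\xde\xad\xbe\xef\x01\x02\x03\x04"  # stand-in for other device data
    img[0x1380:0x1385] = b"SKUID"
    img[0x13A0:0x13A9] = b"SKUchange"
    img[0x13B0:0x13B5] = b"600CN"
    return bytes(img)


def apply_guide_edit(image):
    """Overwrite 0x13B3 and 0x13B4 with 0x57 ("W") without changing the length."""
    out = bytearray(image)
    for off in EDIT_OFFSETS:
        out[off] = 0x57
    return bytes(out)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            orig, mod = f1.read(), f2.read()
    else:
        orig = build_sample()
        mod = apply_guide_edit(orig)
    issues = check_edit(orig, mod)
    print("%s -> %s" % (read_sku(orig), read_sku(mod)))
    print("\n".join(issues) if issues else "OK: only 0x13B3 and 0x13B4 changed")
    sys.exit(1 if issues else 0)
```

Run it as `python check.py deviceinfo.img deviceinfo_mod.img` (script name is arbitrary) before the `dd` write in step 6, and keep the untouched dump as a backup.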
good job
It works~
After doing this and converting from CN version to Android One, the first splash is changed to Android One , not Powered By Android.
Thank you, I have used your method to successfully modify my SKUID to 600WW.
hikari_calyx said:
> FIH-made Android phones that shipped from the factory with Android 8.0 can't switch SKUID via OST LA without service permission.
> Changing SKUID will allow you to pass SafetyNet, especially for the Nokia 7 plus converted from TA-1062 China Variant.
> Here's the procedure:
> 1. Bootloader must be unlocked and you must get your phone rooted.
> 2. Use a terminal emulator or adb shell to execute these commands:
> 3. Use a Hex Editor to open deviceinfo.img placed at root directory of internal storage.
> 4. Go to offset 0x13B0; you should see data that looks like this:
> 5. Modify the values at 0x13B3 and 0x13B4 to 57, which is ASCII "W".
> 5. Save it as deviceinfo_mod.img.
> 6. Copy it to internal storage if you modify it on a PC, then execute these commands with a terminal emulator or adb shell:
> 7. Reboot your phone, reflash global firmware and relock your phone if you wish:
> 8. Now your phone is completely converted to global version which can pass SafetyNet - you can use Google Pay normally now.
can use china sim card?
hackjackyer said:
> can use china sim card?
Can use China SIM card, mine is China Mobile and China Telecom, dual 4G online
hi everyone, before editing the hex and everything, can you tell me how to unlock the bootloader of nokia 7 plus?(ta-1062)
I succeed and change my boot UI to Android One, then I flashed my phone to 213E by OST and got june patch, but it still shows uncertified in playstore, will it affect OTA? (T1046 unlocked)
MUGIW said:
> I succeed and change my boot UI to Android One, then I flashed my phone to 213E by OST and got june patch, but it still shows uncertified in playstore, will it affect OTA? (T1046 unlocked)
It won't affect OTA. If you wanna make it certified, you need relock bootloader. Just the same methods as unlock bl.
fastboot flash unlock unlock.bin
fastboot oem lock
fastboot flash unlock unlock.bin
fastboot flashing lock_critical
SUN Huayan said:
> It works~
> After doing this and converting from CN version to Android One, the first splash is changed to Android One , not Powered By Android.
which device u use?
juwelrana091 said:
> which device u use?
Nokia 7 Plus TA-1062 Chinese Version
SUN Huayan said:
> Nokia 7 Plus TA-1062 Chinese Version
What firmware version were you on and how did you root?
It worked! This needs to be added to the china conversion thread.
Thanks so much
I broke it
Actually, I really stuffed up.
My TA-1062 was rooted and unlocked bootloader, went to follow the guide.
Updated and copied over the device_info.img
Then I did the steps out of order and my device is stuck in download mode.
I relocked my bootloader, which wiped the device, and I thought this was reflashing global firmware, which it wasn't.
After the device had wiped itself, I then used magisk manager to remove root, which then caused the phone to only boot to download mode.
I then re-unlocked my bootloader, then I used the deprecated instructions here to try and reflash my device, but the vendor, e2p_script and formatuserdata commands failed. My phone is now still stuck in download mode.
I also tried to reflash using OST 6.1.2 patched, but it seems to get stuck on Reflash Service Bootloader (900sec)
Any tips on how to fix this?
Thanks,
Tom
Thanks!
Getting root took me a while, but with this guide and some others I finally pass SafetyNet.
tomascivinod said:
> Actually, I really stuffed up.
> My TA-1062 was rooted and unlocked bootloader, went to follow the guide.
> Updated and copied over the device_info.img
> Then I did the steps out of order and my device is stuck in download mode.
> I relocked my bootloader, which wiped the device, and I thought this was reflashing global firmware, which it wasn't.
> After the device had wiped itself, I then used magisk manager to remove root, which then caused the phone to only boot to download mode.
> I then re-unlocked my bootloader, then I used the deprecated instructions here to try and reflash my device, but the vendor, e2p_script and formatuserdata commands failed. My phone is now still stuck in download mode.
> I also tried to reflash using OST 6.1.2 patched, but it seems to get stuck on Reflash Service Bootloader (900sec)
> Any tips on how to fix this?
> Thanks,
> Tom
Can you get into recovery mode? (Volume UP and Power until it buzzes, then Vol Up and power again to bring up the abd screen). If so you should be able to adb sideload from there.
I cant seem to get this to stick. My about phone still shows TA-1062.
How would i know if this worked?
Should i then flash the worldwide TWRP over the 1062 flash as well?
Surgent said:
> I cant seem to get this to stick. My about phone still shows TA-1062.
> How would i know if this worked?
> Should i then flash the worldwide TWRP over the 1062 flash as well?
Yeah it will still show TA-1062. The difference is that it will show the 'WW' model instead of 'CN'. I knew mine had stuck when the play SafetyNet checker showed a pass.
Here's what I did:
1. Unlocked bootloader and critical bootloader
2. Rooted.
3. Followed this guide to make the change.
4. Uninstalled Magisk (basically unrooting)
5. Relock bootloader and critical bootloader
6. Sideloaded the stock Oreo image
And everything is hunky dory. You could also sideload the P beta image from Nokia as well.
shiftybugger said:
> Yeah it will still show TA-1062. The difference is that it will show the 'WW' model instead of 'CN'. I knew mine had stuck when the play SafetyNet checker showed a pass.
> Here's what I did:
> 1. Unlocked bootloader and critical bootloader
> 2. Rooted.
> 3. Followed this guide to make the change.
> 4. Uninstalled Magisk (basically unrooting)
> 5. Relock bootloader and critical bootloader
> 6. Sideloaded the stock Oreo image
> And everything is hunky dory. You could also sideload the P beta image from Nokia as well.
Have you received the August ota since doing this?
Yep, got August the day before yesterday.
