Database Info

Binary partition 1 corrupt

Hi,
I ran doctest on my prophet which ended up corrupting the doc. I managed to get the doc fixed except for binary partition 1. Now I have a prophet which boots into the OS, but has a corrupt CID, IMEI, SIMLOCK, GSMDATA, etc- which means my prophet is now a PDA without a phone...
In short, 0x0-0x44000 area on binary partition 1 is corrupt and I don't have a backup of it.
Can a dump of this block from another prophet be used directly on my device? What all would have to be reconstructed in this block to make it run successfully on my device?
Pls help!

slickdick said:
Hi,
I ran doctest on my prophet which ended up corrupting the doc. I managed to get the doc fixed except for binary partition 1. Now I have a prophet which boots into the OS, but has a corrupt CID, IMEI, SIMLOCK, GSMDATA, etc- which means my prophet is now a PDA without a phone...
In short, 0x0-0x44000 area on binary partition 1 is corrupt and I don't have a backup of it.
Can a dump of this block from another prophet be used directly on my device? What all would have to be reconstructed in this block to make it run successfully on my device?
Pls help!
Click to expand...
Click to collapse
for people reading this, DO NOT RUN DOCTEST ! EVER !
for sidekick, what do you have ? G3/G4?
if you have a G3 it should be possible to fix with itsme tools if you know what you are doing.

I have a G3 IPL 1.0 SPL 2.15.0000 (+gold card)
I have managed to get 0x00000-0x10000 from a wizard (cid locked/sim unlocked). Updated it with superCID using typhooncidedit.pl and flashed it on my doc using pdocwrite.
However, I am still getting a "GetDeviceCID: Error - InitDecoder" on running 'info 2', IMEI is still the default 44xxxx... and am getting Simlock.exe error-"Data error: contact service....." on inserting a SIM
I can think of the following three reasons why this hasn't worked for me:
1. wizard and prophet have different CID blocks and one from prophet might work
2. CID block contains a unique device specific identifier (docuniqueid maybe) apart from what is not mentioned in typhooncidedit.pl
# 0x0000-0x0004 - version
# 0x0010-0x0018 - checksum cryptkey
# 0x0140-0x0148 - imei
# 0x0160-0x0180 - cid
# 0x01a0-0x01a8 - keyindex at byte +3
# 0x1200-0x1a00 - cid cryptkey
# 0x1c80-0x1c88 - lockflag
# 0x1d00-0x1f00 - lockcodes
# 0x4000-0x4400 - mccmnc ??
# 0xfff8-0xffff - checksum of 0-0xfff8
3. the device looks at information in 0x10000-0x40000 at least for IMEI & simlock
Am I on the right track or are there any easier alternatives? Either ways, I think it is important for me to get 0x00000-0x44000 of a G3 prophet in order to investigate further.
It would of GREEEAAAT help if someone can provide me a dump of this area
pdocread -n 1 0 0x40000 cidblock.bin
pdocread -n 1 0x40000 0x4000 -b 0x4000 gsmdata.bin
(pls also mention your docuniqueid from 'pdocread -l')

slickdick said:
I have a G3 IPL 1.0 SPL 2.15.0000 (+gold card)
I have managed to get 0x00000-0x10000 from a wizard (cid locked/sim unlocked). Updated it with superCID using typhooncidedit.pl and flashed it on my doc using pdocwrite.
However, I am still getting a "GetDeviceCID: Error - InitDecoder" on running 'info 2', IMEI is still the default 44xxxx... and am getting Simlock.exe error-"Data error: contact service....." on inserting a SIM
I can think of the following three reasons why this hasn't worked for me:
1. wizard and prophet have different CID blocks and one from prophet might work
2. CID block contains a unique device specific identifier (docuniqueid maybe) apart from what is not mentioned in typhooncidedit.pl
# 0x0000-0x0004 - version
# 0x0010-0x0018 - checksum cryptkey
# 0x0140-0x0148 - imei
# 0x0160-0x0180 - cid
# 0x01a0-0x01a8 - keyindex at byte +3
# 0x1200-0x1a00 - cid cryptkey
# 0x1c80-0x1c88 - lockflag
# 0x1d00-0x1f00 - lockcodes
# 0x4000-0x4400 - mccmnc ??
# 0xfff8-0xffff - checksum of 0-0xfff8
3. the device looks at information in 0x10000-0x40000 at least for IMEI & simlock
Am I on the right track or are there any easier alternatives? Either ways, I think it is important for me to get 0x00000-0x44000 of a G3 prophet in order to investigate further.
It would of GREEEAAAT help if someone can provide me a dump of this area
pdocread -n 1 0 0x40000 cidblock.bin
pdocread -n 1 0x40000 0x4000 -b 0x4000 gsmdata.bin
(pls also mention your docuniqueid from 'pdocread -l')
Click to expand...
Click to collapse
you are on the right track, as you have a G3 it should be possible to fix as pdocwrite can write a G3 DOC
as you can see from my signature, my G3 is bricked so I can't help at the moment
however, I see you have a gold card !? care to explain how you made it ?
Thanks

Prophet Goldcard
I just followed the instructions in typhoonnbfdecode.pl with slight modifications to some checks in IPL & OS
you have a bricked G3.... stuck in bootloader I presume? There are two ways you can fix it with the help of a gold card.
1. Cardid is known and docuniqueid is not known
use tornado keys and xxx magic and '00' as first two chars in cardid to generate a securitylevel=0 non-flashable sd image.
>perl typhoonnbfdecode.pl -d prophet_gold.img -p magic=xxx -p cardid=00610032DF69A01947323044534D5402 -p keys=tornado -p seclevel=0
using this card I get a the normal bootloader screen but with a security level of 0
Cmd>set 32 0
+ SD Controller init
- SD Controller init
+StorageInit
***** user area size = 0x7AC00000 Bytes
Unlimited time!
GetDeviceCID: Error - InitDecoder <<<<< due to corrupt bin partition 1
g_cKeyCardSecurityLevel = 0 <<<<< Voila!
now use the l or lr command in bootloader!!!
2. both Cardid and and docuniqueid are known
use tornado keys and '00' as first two chars in cardid to generate a flashable sd image.
however, for this to work, comment out all the checks in validate_os and the BIPO check in validate_ipl in typhoonnbfdecode.pl
>perl typhoonnbfdecode.pl -d sd80.img -p cardid=00610032DF69A01947323044534D5402 -p keys=tornado -p seclevel=0 -p docuniqueid=00000000a440020420380318130b0571 -r os=OS.nb
no more "Not Allow Update" 's

I'm so busy now in the college exams, this is my graduation year, and I only look at the posts like checking my mail without replying.
But at least I find a guy understand what he is doing, and has no ego, and polite, not like others in this very impolite, and the problem they are stupid, and think themselves understand, all what they do, reading and repeating without understanding or try to improve.
After this long story you don't have to read it, trying to help you if I can.
About the IMEI block => try to use IMEI wizard for changing the IMEI for prophet it will overwrite the old block. It uses pdocwrite.exe =pdocread.exe
About the other blocks I have a G3 prophet IPL 2.10 SPL 2.20 and I have back up with r2sd all and unlocked CID.
I'll pdocread any block you want but I'm going to send it by e-mail in parts, because I can't guarantee the net in big files, so just read your private messages.

slickdick said:
I just followed the instructions in typhoonnbfdecode.pl with slight modifications to some checks in IPL & OS
you have a bricked G3.... stuck in bootloader I presume? There are two ways you can fix it with the help of a gold card.
1. Cardid is known and docuniqueid is not known
use tornado keys and xxx magic and '00' as first two chars in cardid to generate a securitylevel=0 non-flashable sd image.
>perl typhoonnbfdecode.pl -d prophet_gold.img -p magic=xxx -p cardid=00610032DF69A01947323044534D5402 -p keys=tornado -p seclevel=0
using this card I get a the normal bootloader screen but with a security level of 0
Cmd>set 32 0
+ SD Controller init
- SD Controller init
+StorageInit
***** user area size = 0x7AC00000 Bytes
Unlimited time!
GetDeviceCID: Error - InitDecoder <<<<< due to corrupt bin partition 1
g_cKeyCardSecurityLevel = 0 <<<<< Voila!
now use the l or lr command in bootloader!!!
2. both Cardid and and docuniqueid are known
use tornado keys and '00' as first two chars in cardid to generate a flashable sd image.
however, for this to work, comment out all the checks in validate_os and the BIPO check in validate_ipl in typhoonnbfdecode.pl
>perl typhoonnbfdecode.pl -d sd80.img -p cardid=00610032DF69A01947323044534D5402 -p keys=tornado -p seclevel=0 -p docuniqueid=00000000a440020420380318130b0571 -r os=OS.nb
no more "Not Allow Update" 's
Click to expand...
Click to collapse
Create, Let me try some things here, In my gold card thread I've started outlining this.
I used the same steps as you did, however I got stuck in getting the cardid, for some reason the memdump didnt contain the cardid.
which route did you use to get the cardid ?
(I used my second prophet to get that, but failed)
Thanks for the explaining so far.

paradis_pal said:
I'm so busy now in the college exams, this is my graduation year, and I only look at the posts like checking my mail without replying.
But at least I find a guy understand what he is doing, and has no ego, and polite, not like others in this very impolite, and the problem they are stupid, and think themselves understand, all what they do, reading and repeating without understanding or try to improve.
After this long story you don't have to read it, trying to help you if I can.
About the IMEI block => try to use IMEI wizard for changing the IMEI for prophet it will overwrite the old block. It uses pdocwrite.exe =pdocread.exe
About the other blocks I have a G3 prophet IPL 2.10 SPL 2.20 and I have back up with r2sd all and unlocked CID.
I'll pdocread any block you want but I'm going to send it by e-mail in parts, because I can't guarantee the net in big files, so just read your private messages.
Click to expand...
Click to collapse
Nice to see you back on the board, I've read some of your early posts and they were a great help !
If you could help out that would be great, I know what it is like during exams

Id would be great if you guys could help me find the cardid, I'm trying to get this, but im guessing i'm looking at the wrong section:
Using memmap on my G4 i've dumped the memory section of device.exe
pmemmap -s 0x06000000 -w deviceexe.mem -p 0x10000000-0x12000000
However when searching through it, I can't find the SBDS/ Memory Card section, only a RSDS section at 0x1101C.
Am I dumping the wrong section ?

try to search for memory card using unicode character set ((winhex)), because it's writtin in unicode
I'm not sure, if you are using any other ROM but try to use original qteck s200 rom 2.20 without insalling anyother programs, and try again without installing the ext rom,
try any debuger manger to find out the memory section of device.exe cause it is not always 0x06000000

paradis_pal said:
try to search for memory card using unicode character set ((winhex)), because it's writtin in unicode
I'm not sure, if you are using any other ROM but try to use original qteck s200 rom 2.20 without insalling anyother programs, and try again without installing the ext rom,
try any debuger manger to find out the memory section of device.exe cause it is not always 0x06000000
Click to expand...
Click to collapse
Thanks for the advice, I did use winhex in unicode, I will try with the qtek rom,I will post an update soon, getting my card reader at work now
hope your exams are going ok !

How to find Cardid on Prophet
For CardID, on my G3, I did not find the SBDS signature in the memory dump of device.exe. However, there were two occurances of Unicode "Memory Card". 73 (0x49) bytes after one of them was what I could recognize as the cardid.
From what I can make of the codes (ASCII) mentioned in typoonnbfdecode.pl
'UE...c.U821DSDS.' for minisd
'[email protected]' for kingston
'?<.e.Gd.821DSMT.' for daneelec
All three have 821, which is reverse of 128!!! size 128MB!!! Ring-a-bell?!? Can we interpret similar structure for all other cards < 1GB?
'DSMT' seems to be standard for Dane Elec cards. same can be interpreted for other types like DSDS looks to be standard(maybe somone can confirm this)
If you analyze the ASCII of card id of my 2GB Dane Elec- '%a.2ßi..G20DSMT.'
you will see 'G20' representing size (representation for size seems to be different for cards > 1G. Again, someone needs to confirm this observation) and 'DSMT' standard signature for Dane Elec.
All in all, if you are not able to find the 'Memory Card' pattern, depending upon card make and size, search for any of the CardID ASCII patterns in the memory dump.
(btw, To find the starting offset of CardId- third character of CardId seems to be 0x00. If you are familiar with using grep, finding cardid in the memory dump could be easier)
Let me know if this helps.

Reverse of cardids is shown below:
minisd in typoonnbfdecode.pl
03 53 44 53 44 31 32 38 55 00 63 CF AC 00 45 55 SDSD128U cϬ EU
kingston in typoonnbfdecode.pl
18 49 4E 31 32 38 4D 42 03 40 1F 53 09 00 51 3F IN128MB @ S Q?
Dane Elec in typoonnbfdecode.pl
02 54 4D 53 44 31 32 38 07 64 47 BA 65 00 3C 3F TMSD128 dGºe <?
and finally my 2GB Dane elec
02 54 4D 53 44 30 32 47 19 A0 69 DF 32 00 61 25 TMSD02G *iß2 a%
Makes sense? I think you can directly search for the cardid pattern in the memory dump.

slickdick said:
Reverse of cardids is shown below:
minisd in typoonnbfdecode.pl
03 53 44 53 44 31 32 38 55 00 63 CF AC 00 45 55 SDSD128U cϬ EU
kingston in typoonnbfdecode.pl
18 49 4E 31 32 38 4D 42 03 40 1F 53 09 00 51 3F IN128MB @ S Q?
Dane Elec in typoonnbfdecode.pl
02 54 4D 53 44 31 32 38 07 64 47 BA 65 00 3C 3F TMSD128 dGºe <?
and finally my 2GB Dane elec
02 54 4D 53 44 30 32 47 19 A0 69 DF 32 00 61 25 TMSD02G *iß2 a%
Makes sense? I think you can directly search for the cardid pattern in the memory dump.
Click to expand...
Click to collapse
Great ! thanks, I'm dumping right now, after looking for the memory adress of device.exe using pps
will update in a moment

uhmm, I think we have a winner ??
at 00729EC0
23 61 00 3D 92 68 10 80 32 31 35 52 53 44 53 03
#a.=’h.€215RSDS.
for a 512 MB sandisk sd card
created the image, I now have sec level 0.
I've downloaded mtty and want to upload a new SPL using the L or LR command, however I don't know what parameters L or LR takes ?
is it just L <filename>
or do I have to specify the memory adress or the SPL ?

Jesterz said:
is it just L <filename>
or do I have to specify the memory adress or the SPL ?
Click to expand...
Click to collapse
Code:
l <path_name> <startAddr offset>
You have to specify the address of the SPL, if you don't specify it most probably will default to OS address.

pof said:
Code:
l <path_name> <startAddr offset>
You have to specify the address of the SPL, if you don't specify it most probably will default to OS address.
Click to expand...
Click to collapse
ok thanks ! i'm going to give this a go
l spl.nb 0x91000000
fingers crossed, lol

Cmd>l spl.nb 91000000
clean up the image temp buffer at 0x8C100000 Length 0x03900000
BOOTLOAD_PAGE_TABLE_BASE_C_VIRTUAL= 0x8C080000
Clear image temp buffer done .
MTTYDownloadImage "spl.nb"
:F=spl.nb
start download

SAddress A0000000h Length 000C0000h, pszImageTempBuffer = 8C100H000h
OEMGetFlashIndex()- dwVaddr = 0xA0000000
OEMGetFlashIndex()- iIndex = 0xFFFFFFFF
Start flashing new image!!!
<CE-31><CE-1167><CE-995>
weird, the screen then goes all white, and I hear the usb disconnect, for the rest nothing happens.
which format does the spl file need to be ? i've used the "standard" nb file
i'm trying more stuff, but right now, i'm clueless

Jesterz said:
BOOTLOAD_PAGE_TABLE_BASE_C_VIRTUAL= 0x8C080000
Click to expand...
Click to collapse
This seems good, as it is the virtual address from where the bootloader expects to be executed.
Jesterz said:
weird, the screen then goes all white, and I hear the usb disconnect, for the rest nothing happens.
Click to expand...
Click to collapse
Weird... I believe command "l" auto-launches code once downloaded, probably this is the reason.
Jesterz said:
which format does the spl file need to be ? i've used the "standard" nb file
Click to expand...
Click to collapse
I think it should be a BIN file with "l" command... maybe try "lnb" command? (I don't know if prophet has it, I don't have a prophet). Hope the previous "l" command hasn't screewed things more than they where.
Just out of curiosity, tell me how the story ends

pof said:
I think it should be a BIN file with "l" command... maybe try "lnb" command? (I don't know if prophet has it, I don't have a prophet). Hope the previous "l" command hasn't screewed things more than they where.
Just out of curiosity, tell me how the story ends
Click to expand...
Click to collapse
as far as i know, "l" is for .bin only (at least on wizard)... I hope Jesterz did not just nuke his bootloader.

Samsung Galaxy S 4G Unlock Code Found

***** IMPORTANT ROOT IS REQUIRED BEFORE PROCEEDING *****
***** ALSO PLEASE READ CAREFULLY BEFORE ACTUALLY APPLYING STEPS *****
All right ladies and gentlemen, coders and non coders I have personally found the unlock code NOT THE FREEZE CODE only the unlock code for your Samsung Galaxy S 4G hidden in the same files as previous Vibrant phones.
Please understand this was a hard complex and still needs work procedure.
Of-course this all depends on your dedication and time but hopefully I have simplified it for you.
Steps:
1. Install "010 Hex editor" you can use trial does not have to be registered
2. Go to your SGS 4G and open a terminal emulator (free on the Market) - (Root Required)
The following steps are credit to SS2006 on a different post
*** Dont forget the (su) command *** after the second line
_____
after opening a terminal emulator type the following
cd /dev/block <enter>
su <enter> <at this point your phone will ask for superuser access ALLOW it if you already havent done so>
dd if=/dev/block/bml3 of=/sdcard/bml3.bak <enter>
Go find the file on your SD Card and transfer it to your computer
3. Open 010 Hex Editor
4. In 010 Hex Editor go to the Menus above and select VIEW>LINEFEEDS>SELECT CUSTOM>SET YOUR BYTES TO "32" Nothing Less
5. Locate the bml3.bak file you created and transfered to your computer and open it using the editor
(CREDIT TO FR0Z3N FOR CLARIFYING THE FOLLOWING 2 STEPS)
6. Using your keyboard select CRTL+F to search for a hex string, when the search window pops up select "Hex byte" in the Type field and then search for the following string below:
"FFFFFFFFFF0100000000" ALL TOGETHER, Then Hit the FIND ALL button to the right, some of you will get 2 results and others up to 10 results on your screen below
7. If you look at your Hex editor there are 3 window panes on the selected line (See Image Below)
e.g 4CCC60h <-- Offset
01 01 01 01 < -- Hex Keys
yyyyyyyyy <- ASCII text where your code is
h.t .t p / / i1201.photobucket . com /albums/ bb359/sanfranx415/unlock.jpg
8. Go through each result from the above search and you will see on the 3rd window pane (as shown on pic above) after the hex keys there is an 8 DIGIT CODE (Write this code Down) this is your unlock code NCK for your phone
Sidenote: THIS 8 DIG CODE SHOULD SHOW ON AT-LEAST ONE MORE RESULT CHECK ALL YOUR RESULTS FROM THE SEARCH ABOVE IF YOU HAVE ANY DOUBTS ( SOME OF YOU WILL HAVE YOUR CODE SHOWN AT-LEAST 2 TIMES AND SOME OF YOU WILL HAVE THE CODE SHOW MORE THAN 4 TIMES BUT YOU SHOULD NOT HAVE THAT MANY RESULTS )
**** TO INPUT THE UNLOCK NETWORK CODE DO THE FOLLOWING ****
9. Turn off your phone
10. Insert a foreign SIM card not attached to your current provider (e.g if you have T-mob use an ATT SIM CARD) and turn on your phone
11. You will be prompted to enter a Network Unlock Control Key ( Use the code above that you wrote down and type it in your phone exactly)
12. After entering your NCK please hit Unlock or GO button and you should see a screen that says "network unlock successful" and your phone should go in the main screen after your phone has been unlocked.
THATS IT FOLKS HAVE FUN
PS> If you entered an incorrect code you must of entered the wrong code or wrote it down wrong please read carefully and verify the code matches the results from above in at-least more than one instance
SHOULD ANYONE NEED HELP PM ME AND I WILL BE GLAD TO HELP
personally my SGS4G has been rooted from day 1 and wi-fi tethering enabled and now it has been Unlocked

Thanks, will try

This seems like it doesn't work. If you go to line 157028 you end up at offset 4CAC60h which is nothing but zeros. And if you go to offset 4CCC60h, there's no 01010101 value.

Ok is this BS or what? I noticed that no one else has posted here. I have tried every combination with these line #'s and I cant find any 8 digit code in the third section. con anybody tell me if this is legit?

doesnt work for me either

OMG! Sick it did work, i found it on a different line
w00t just unlocked mine!

fr0z3n said:
OMG! Sick it did work, i found it on a different line
w00t just unlocked mine!
Click to expand...
Click to collapse
Well can you share what line you found it on

I just unlocked two of them, its on different lines everytime.
Folowing are the instructions:
Open the file in Hex Editor
1.) Press - Ctrl + F
A window should open up
2.) Change the type to "Hex Bytes (h)
3.) Value: FF FF FF FF FF 01 00 00 00 00
4.) Click Find All, for me the code
the code is visible right after this, 8 digit code. For me it was repeared 9-10 times in the file.
Good luck

did it work?

No this is not BS and Yes Fr0z3N is correct I should have said look for this line value
Value: FF FF FF FF FF 01 00 00 00 00
You will find your code it takes patience but your code is there if you follow the instructions
Thanks Fr0Z3n for the clarification and more indepth analysis

Works for me, too. Thanx sanfran and fr0z3n.
Sent from my SGH-T959V using XDA App

hello, can you tell me if moving to Europe this device will work also on European 3G UMTS 900/2100 ? Thanks a lot

pipporobby said:
hello, can you tell me if moving to Europe this device will work also on European 3G UMTS 900/2100 ? Thanks a lot
Click to expand...
Click to collapse
Moving to europe has no barring at all- Once you unlock your Phone you can use it with any GSM provider in the world including Europe just switch out the sim Cards with the european SIM
The technology has not changed for 3G phones are still capable of the same frequencies its just 4G is now being used more common in the US depending on your carrier of-course either HSPA or LTE or WIMAX in the US but in Short to answer your question YES it will work
Have fun in Europe

Still no luck Ive tried it over and over the only numbers that I find that are on more than one line is 0123456789 and I doubt that is my unlock code. And I followed the instructions to the "T" Why is this not working? Also you said 2 to 10 results below and I get 160 results every time.

@droidboy: Is your Samsung Galaxy S 4G rooted?
Sent from my SGH-T959V using XDA App

sk8er_ said:
@droidboy: Is your Samsung Galaxy S 4G rooted?
Sent from my SGH-T959V using XDA App
Click to expand...
Click to collapse
Yeah I am rooted, I rooted through super one click v1.7

@Droidboy quick question did you try using any galaxy s unlock app from the market if you did and they alter your original files that came with your phone thus causing a different bak file to be outputed when you do the terminal commands as stated. You should revert if possible with the same program used or PM me and send me your bak file to see if I can help

Thanks. It worked!!
Sent from my SGH-T959V using XDA App

fr0z3n said:
I just unlocked two of them, its on different lines everytime.
Folowing are the instructions:
Open the file in Hex Editor
1.) Press - Ctrl + F
A window should open up
2.) Change the type to "Hex Bytes (h)
3.) Value: FF FF FF FF FF 01 00 00 00 00
4.) Click Find All, for me the code
the code is visible right after this, 8 digit code. For me it was repeared 9-10 times in the file.
Good luck
Click to expand...
Click to collapse
I followed these instructions after I downloaded the .bak file, used the CTRL+F to find the first instance then used F3 (Find Next) to find the other places where the code is.

Has anyone tried a AT&T sim card to see if 3G works just like it did for the Vibrant?

wifi hot spot dosent like moto...

wtf... when you need wifi access it turns out that the mac address of the phone is filtered...
to be sure, changed my laptop wifi mac to match the phone one, and guess... no access....
ok the mac address on the phone wifi, can be changed temporary, but it is a pain (and when i say pain i mean repeating pain )
so i found that actually the mac is stored in /pds/wifi/nvs_map.bin
long story short...
moto mac 11:22:33:44:55:66
relevant part in hex of the nvs_map:
Code:
00000000 01 6D 54 [b]66[/b] [b]55[/b] [b]44[/b] [b]33[/b] 01 71 54 [b]22[/b] [b]11[/b]
and changed mac aa:bb:cc:dd:ee:ff
and the relevant part in the nvs_map
Code:
00000000 01 6D 54 [b]ff[/b] [b]ee[/b] [b]dd[/b] [b]cc[/b] 01 71 54 [b]bb[/b] [b]aa[/b]
after replacing the file (ofcourse, make a backup)
the change will be permanent (or at least until restore from the backup
so choose carefully the mac address please
i tested that with success on my xt720, i suppose that the trick will work on every phone which utilize /pds/wifi/nvs_map.bin file on wlan initialization...
e.g. if there is service like
Code:
service wlan_loader /system/bin/wlan_loader \
-f /system/etc/wifi/fw_wlan1271.bin -i /system/etc/wifi/tiwlan.ini \
-e [b]/pds/wifi/nvs_map.bin[/b]
class post-zygote_services
disabled
oneshot
p.s. intensionally the post is not very user friendly. the reason is that i am afraid that if somebody do not understand really well what to do, can screw the wifi. I cannot explain in great details, but the above is more than enough if someone know about hex editors, copying files etc..

problem with MAC Wifi - Motorola Defy
peshovec said:
wtf... when you need wifi access it turns out that the mac address of the phone is filtered...
to be sure, changed my laptop wifi mac to match the phone one, and guess... no access....
ok the mac address on the phone wifi, can be changed temporary, but it is a pain (and when i say pain i mean repeating pain )
so i found that actually the mac is stored in /pds/wifi/nvs_map.bin
long story short...
moto mac 11:22:33:44:55:66
relevant part in hex of the nvs_map:
Code:
00000000 01 6D 54 [b]66[/b] [b]55[/b] [b]44[/b] [b]33[/b] 01 71 54 [b]22[/b] [b]11[/b]
and changed mac aa:bb:cc:dd:ee:ff
and the relevant part in the nvs_map
Code:
00000000 01 6D 54 [b]ff[/b] [b]ee[/b] [b]dd[/b] [b]cc[/b] 01 71 54 [b]bb[/b] [b]aa[/b]
after replacing the file (ofcourse, make a backup)
the change will be permanent (or at least until restore from the backup
so choose carefully the mac address please
i tested that with success on my xt720, i suppose that the trick will work on every phone which utilize /pds/wifi/nvs_map.bin file on wlan initialization...
e.g. if there is service like
Code:
service wlan_loader /system/bin/wlan_loader \
-f /system/etc/wifi/fw_wlan1271.bin -i /system/etc/wifi/tiwlan.ini \
-e [b]/pds/wifi/nvs_map.bin[/b]
class post-zygote_services
disabled
oneshot
p.s. intensionally the post is not very user friendly. the reason is that i am afraid that if somebody do not understand really well what to do, can screw the wifi. I cannot explain in great details, but the above is more than enough if someone know about hex editors, copying files etc..
Click to expand...
Click to collapse
----------------------------
Hi guys...
I need help to configure the nvs_map.bin... Edit the file with Hex Editor program and now the WIFI does not work. I have no backup file nvs_map.bin.
I need to get back to the Mac I had before. I have not a backup file nvs_map.bin, but if I have a backup of the MAC shown in the phone settings menu. Now I get 00:00:00:00:00:00.
Sorry. My English is bad .. I am Spanish
Thanks for the info

[tutorial] change your mid to wwe version

This is a short tutorial on how to change you mid on your htc one mini. Make sure your bootloader is unlocked you are rooted and have s-off with super cid! This is the config that is know working for the mod. After the change you can lock everything back up if you want.
1. Boot up your phone and connect to pc with usb debugging turned on.
2. Open up command prompt or terminal and "adb shell" and then type "su"
3. Dd if=/dev/block/mmcblk0p6 of=/sdcard/mid.img
4.exit shell
5.adb pull /sdcard/mid.img
6.open up mid.img in hex editor and search for this value 50 00 4f 00 35 00 38 you will see (in the text side of the editor) either p.o.5.8.2.2.0.0.0 or p.o.5.8.2.0.0.0.0 if it reads p.o.5.8.2.2.0.0.0 its an att model and you want to simply overwrite the last 2 with a 0. Use f3 or whatever button to find the value again and change that 2 to a 0 in all places in the file. 2 or 3 times if i remember correctly. (this does work and it is fully tested by me) make sure you have the editor overwriting not inserting!! And only change what ive told you!!
7.then save and push the file back to sdcard
8.run this command dd if=/sdcard/mid.img of=/dev/block/mmcblk0p6
9.adb reboot bootloader
10.finally fastboot getvar all....and youll see your mid has been successfully changed. Ota updates will now work on stock rom.

[Q&A] Running Ubuntu natively on the Shield Tablet

Q&A for Running Ubuntu natively on the Shield Tablet
Some developers prefer that questions remain separate from their main development thread to help keep things organized. Placing your question within this thread will increase its chances of being answered by a member of the community or by the developer.
Before posting, please use the forum search and read through the discussion thread for Running Ubuntu natively on the Shield Tablet. If you can't find an answer, post it here, being sure to give as much information as possible (firmware version, steps to reproduce, logcat if available) so that you can get help.
Thanks for understanding and for helping to keep XDA neat and tidy!

It's amazing
Wow, it is really great that we will be able to run Ubuntu on the Shield!!
As of now, how would you describe the performance of it? Is it laggy or running smoothly? Also, do I understand correctly from your fist post that wifi is not working? Is there other functions not working?

dual boot
Also, as someone managed to get an android /ubuntu dual boot?

Teve1982 said:
Wow, it is really great that we will be able to run Ubuntu on the Shield!!
As of now, how would you describe the performance of it? Is it laggy or running smoothly? Also, do I understand correctly from your fist post that wifi is not working? Is there other functions not working?
Click to expand...
Click to collapse
it works well enough, I don't have anything to compare it to but it's not slow or anything
WiFi and Bluetooth work now. Touchscreen doesn't work, and I don't know yet if it ever will on Linux. Touchscreen works too!
Teve1982 said:
Also, as someone managed to get an android /ubuntu dual boot?
Click to expand...
Click to collapse
it's already dual boot, Linux stays in its own directory on the userdata partition

miscellaneous info
Hi guys, I'm totally noob with linux and ubuntu so my question may be stupid:
How Can I dualboot lollipop and ubuntu on the shield tablet?
If I use the img linked here what is the command that I must use to flash on tablet? I need only that file or I need something else?
I saw that the image kernel file is updated frequently to implement new feature, how can I upgrade to a new version?
Thanks a lot and be patient with me
Polve72

Interest is peaked.
Sent from Bad Azz VZW LG G3 Cyan Tapatalk

Unable to complete boot
Hey guys,
so i followed the instructions to the letter, or at least i think so.
1. downloaded the latest boot image. new_boot(94)
2. downloaded , unpacked and repacked the files from nvidia as explained
3. transferred repacked bz2 file to device, unpacked in /data/linux/
4. booted using fastboot command with command extra command line arguement.
given that i add the extra command line argument, then ubuntu seems to boot fine, but it stops after a while with the last report being :
"enable autosuspend for nvidia bruce"
nothing seems to be happening after that...
i have tried the two previous boot images also, but the same thing happens... any ideas?

Ubuntu issues
Hey,
I tried following the directions on the post. I got the device rooted and unlocked the bootloader, cwm is installed, busybox is installed, and root checker says I am rooted. I also followed the directions and have the root file system moved across into /data. When I use fastboot to load the image, I get a kernel panic. Things are scrolling pretty quickly but it looks like the busybox operations that are trying to mount certain areas keep failing saying no such file or directory. It almost seems like from the bootloader, it can't see /data, however I am able to mount it via cwm and see the files are there via adb. One of the error messages I got on the boot was that "mount /dev/mmcblk0p24 on /data failed invalid argument". Would you have any idea what I might be missing here. One thing I did notice while following the directions was that sudo ./apply_binaries.sh did not seem to do anything, it just displays the usage info like it was expecting different arguments.
Any suggestions you have for me would be much appreciated.
Thanks.

polve72 said:
Hi guys, I'm totally noob with linux and ubuntu so my question may be stupid:
How Can I dualboot lollipop and ubuntu on the shield tablet?
If I use the img linked here what is the command that I must use to flash on tablet? I need only that file or I need something else?
I saw that the image kernel file is updated frequently to implement new feature, how can I upgrade to a new version?
Thanks a lot and be patient with me
Polve72
Click to expand...
Click to collapse
At the moment, I honestly can't recommend trying this if you have no Linux experience, it's still WIP (for example, the touchscreen and Bluetooth won't work without additional configuration), and this is still ARM so most closed-source software (such as most games) still won't work (at least not at acceptable performance levels). But, if you still want to try, you need to follow the instructions from the post that contains the boot.img downloads (mainly the rootfs part). At the moment there's no real solution for dual-booting, but it's possible to flash the boot.img to the recovery partition (after which, booting the recovery will go to Linux instead). Good luck!
dud3rin0 said:
Hey guys,
so i followed the instructions to the letter, or at least i think so.
1. downloaded the latest boot image. new_boot(94)
2. downloaded , unpacked and repacked the files from nvidia as explained
3. transferred repacked bz2 file to device, unpacked in /data/linux/
4. booted using fastboot command with command extra command line arguement.
given that i add the extra command line argument, then ubuntu seems to boot fine, but it stops after a while with the last report being :
"enable autosuspend for nvidia bruce"
nothing seems to be happening after that...
i have tried the two previous boot images also, but the same thing happens... any ideas?
Click to expand...
Click to collapse
Can you please post a picture of the screen when it gets stuck? (the bruce message usually appears after the rootfs is mounted, so since it doesn't continue, that probably failed). apply-binaries.sh should work fine, if it didn't run I think it would still boot, but there will be no GPU acceleration for sure (and maybe no X11 at all).
jfsir said:
Hey,
I tried following the directions on the post. I got the device rooted and unlocked the bootloader, cwm is installed, busybox is installed, and root checker says I am rooted. I also followed the directions and have the root file system moved across into /data. When I use fastboot to load the image, I get a kernel panic. Things are scrolling pretty quickly but it looks like the busybox operations that are trying to mount certain areas keep failing saying no such file or directory. It almost seems like from the bootloader, it can't see /data, however I am able to mount it via cwm and see the files are there via adb. One of the error messages I got on the boot was that "mount /dev/mmcblk0p24 on /data failed invalid argument". Would you have any idea what I might be missing here. One thing I did notice while following the directions was that sudo ./apply_binaries.sh did not seem to do anything, it just displays the usage info like it was expecting different arguments.
Any suggestions you have for me would be much appreciated.
Thanks.
Click to expand...
Click to collapse
It's possible that your internal memory isn't recognized by the kernel. I'll send you a PM later today with a custom kernel so that we can start debugging this, I've had this issue before but I'm pretty sure I fixed it early on.

@Bogdacutu
I think you'll right. I'll wait a better and more user friendly approach.
Polve72

Thanks. Any help is much appreciated.

Thank you
@Bogdacutu Thank you very much for this!!!! buntu runs fairly smooth on my Tablet. But how will you get x86 software run on ARM? I thought there is no way.
Best Regards

aarr_ee said:
@Bogdacutu Thank you very much for this!!!! buntu runs fairly smooth on my Tablet. But how will you get x86 software run on ARM? I thought there is no way.
Best Regards
Click to expand...
Click to collapse
qemu can run in userspace (so it can run x86 software relatively seamlessly without a full VM), but x86 apps can't load ARM libraries, so x86 apps don't have direct rendering (which slows them down even more than they are already)

Portable
Is there any way to make this possible for the Shield Portable?

Great project,
Are you able to play any linux games with decent fps? I ask because ive found following video:
https://www.youtube.com/watch?v=hRBPeNzE558

thewolf16 said:
Great project,
Are you able to play any linux games with decent fps? I ask because ive found following video:
https://www.youtube.com/watch?v=hRBPeNzE558
Click to expand...
Click to collapse
Pretty much any game compiled for ARM will work, so Steam games won't work without QEMU (and so far I haven't been able to get Steam to actually start properly), which would mean some performance loss.

Thank you for your answer
Will this work with your build?:
https://www.youtube.com/watch?v=uVknjU7eGbI
https://www.youtube.com/watch?v=4GUP27TJ5w4
This would be much faster than qemu.
EDIT: And can you run the 2D adventure game "Edna & Harvey: The breakout". Its an windows game but because its made in java you can run it natively on linux with the java-installer:
java -jar ednaunpack.jar
Click to expand...
Click to collapse

thewolf16 said:
Thank you for your answer
Will this work with your build?:
https://www.youtube.com/watch?v=uVknjU7eGbI
https://www.youtube.com/watch?v=4GUP27TJ5w4
This would be much faster than qemu.
Click to expand...
Click to collapse
Probably. I'm not planning to pay for that anytime soon as I really dislike their licensing scheme, so I can't know for sure if it works or not.
EDIT: decided to buy it, apparently they don't give you the license automatically, so I might have to wait a day or so until I get it

Not Enabled Bluetooth...
Hi,
I have the SHIELD TABLET 16GB Wi-Fi model and succeeded to run Ubuntu with new_boot(123).img!
Recently, I try to the bluetooth configuration to use bluetooth keyboard. However I cannot enable bluetooth.
To enable bluetooth, I do the following commands on terminal.
Code:
sudo aptitude install bluetooth bluez-hcidump bluewho bluez-tools blueman
git clone https://code.google.com/p/broadcom-bluetooth/
cd broadcom-bluetooth
make brcm_patchram_plus
sudo cp brcm_patchram_plus /usr/local/bin
sudo brcm_patchram_plus -d --patchram /system/etc/firmware/bcm43241.hcd --baudrate 3000000 --enable_lpm --enable_hci --use_baudrate_for_download --no2bytes --tosleep 1000 /dev/ttyTHS2
After brcm_patchram_plus, these message is shown.
Code:
option patchram with arg /system/etc/firmware/bcm43241.hcd
option baudrate with arg 3000000
option enable_lpm
option enable_hci
option use_baudrate_for_download
option no2bytes
option tosleep with arg 1000
/dev/ttyTHS2
writing
01 03 0c 00
writing
01 03 0c 00
(...looping)
The last 2 lines are looping until do Ctrl-C on terminal.
So I try to change the bluetooth setting from "OFF" to "ON" on the Unity's System Setting Panel.
After that, I retry the brcm_patchram_plus command and its output message is changed as bellow.
Code:
...
writing
01 18 fc 06 00 00 c0 c6 2d 00
received 7
04 0e 04 01 18 fc 00
Done setting baudrate
writing
01 27 fc 0c 01 01 01 01 01 01 01 00 00 00 00 00
received 7
04 0e 04 01 27 fc 00
Done setting line discpline
the brcm_patchram_plus doesn't finish until Ctrl-C. In this state, I can open the "Bluetooth New Device Setup" Panel.
However, I cannot find any bluetooth devices...(attatched picture) So I open the other terminal and type some commands.
Code:
$ hciconfig -a
hci0: Type: BR/EDR Bus: UART
BD Address: 43:24:1B:00:00:00 ACL MTU: 1021:8 SCO MTU: 64:1
DOWN
RX bytes:642 acl:0 sco:0 events:36 errors:0
TX bytes:983 acl:0 sco:0 commands:38 errors:0
Features: 0xbf 0xfe 0xcf 0xfe 0xdb 0xff 0x7b 0x87
Packet type: Dm1 DM3 Dm5 DH1 DH3 DH5 HV1 HV2 HV3
Link policy: RSWITCH SNIFF
Link mode: SLAVE ACCEPT
$ hcitool dev
Devices:
$ rfkill list
0: bluedroid_pm: Bluetooth
Soft blocked: yes
Hard blocked: no
1: phy0 Wreless LAN
Soft blocked: no
Hard blocked: no
2: brcmfmac-wifi: Wireless LAN
Soft blocked: no
Hard blocked: no
4: hci0: Bluetooth
Soft blocked: yes
Hard blocked: no
$ rfkill unblock all
$ rfkill list
0: bluedroid_pm: Bluetooth
Soft blocked: no
Hard blocked: no
1: phy0 Wreless LAN
Soft blocked: no
Hard blocked: no
2: brcmfmac-wifi: Wireless LAN
Soft blocked: no
Hard blocked: no
4: hci0: Bluetooth
Soft blocked: no
Hard blocked: no
$ hcitool scan
Device si no available: No such device
Please give me any advices!
Thanks,

How to make a keyboard and mouse work on it?
Thanks