Database Info

[REQ]Capture ELF/ELFIN Device ID and CID ID (to help CyZeek)

Hi Everyone
I'm posting this to help out CyZeek.
To capture ELF/ELFIN Device ID and CID ID using MTTY and USB Monitor Lite on XP SP2 and Vista x64
You will need:
1. A demo copy of USB Monitor Lite
http://www.hhdsoftware.com (the demo is fully functional for 14 days).​2. A Copy of MTTY (and you need to be basically familiar with it)
Put your Device into Boot Loader
Assuming your device is not already at the TSoD (Tricolour Screen of Death) - if it is skip this instruction and move on to the next section.
1. Press and hold your camera button
2. Press reset with stylus
3. Wait 5 seconds and release the camera button
Kill ActiveSync USB Connections - XP
1. Reboot your PC with without a mobile device connected to USB.
2. After your PC has rebooted Right Click the Active sync Icon in the system tray and select "Connection Settings"
3. Turn off USB
-or-
Kill ActiveSync USB Connections - Vista
Download and install MS Windows Mobile Device Centre from here: http://www.microsoft.com/windowsmobile/devicecenter.mspx
1. Reboot your PC with without a mobile device connected to USB.
2. After your PC has rebooted click Start -> All Programs -> Windows Mobile Device Centre
3. Hover over Mobile Device Settings and Click on Connection Settings.
4. Turn off Allow USB Connections
Connect Your Device to USB
1. Plug in the USB cable
Turn On Spoofing / packet capture
1. Install the demo version of USB Monitor Lite (DMS) and Start Device Monitoring Studio.
2. Connect your device which should be in TSoD (Tricolour Screen of Death) boot loader.
3. Click the item entitled "Pocket PC USB Sync" which activates the main screen
4. Double-Click the item entitled "Packet View" in the Session Configuration Screen.
5. Click the Start button in the selected processing region
You'll know you got this right because you will see two packets displayed:
PnP: Device Connected
Internal: Pipe Info Transfer​6. Leave the USB Monitor running
Run up MTTY, Log In and Issue “getdevinfo” Command
For details on downloading MTTY and recovering from the TSoD see this thread: http://forum.xda-developers.com/showthread.php?t=347700
1. In "Open Port Setting" Dialog Set to Port = USB
2. Flow Cont = RTC/CTS
3. Click OK
4. When a new communication page opens press Enter and the Cmd> prompt will be displayed
5. Type password BsaD5SeoA <enter> (a lot of diagnostic info will be displayed).
Somewhere near the end you should see
g_cKeyCardSecurityLevel = FF
Which will tell you that you're CID Locked​Check that USB Monitor is running (you may need to press the "continue 14 day trial" button to get the capture to continue)​6. Type getdevinfo and press <enter>
These commands are case sensitive!
Cmd>getdevinfo
HTCSELF030050œ=Ó HTCE​7. Leave MTTY running
Swap Back to USB Monitor
1. Starting at the last packet in the list, double click each row whose Direction is "Up"
2. The 12th packet from the end of the list when I did mine had the device ID and CID packet shown below.
45 4C 46 30 33 30 30 35 30 00 00 00 00 00 00 00 ELF030050.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
54 2D 4D 4F 42 30 30 35 00 00 00 00 00 00 00 00 T-MOB005........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 -- -- ..............
Copy and paste the text into a text file and keep for future reference as the Device ID and CID ID are useful in determining the right ROM files to use as well as the wrong ones.
To Re-Enable Boot on a Good Device
Unless you tell the device where to boot from it will go back to boot loader every time so you need to re-enable boot from ROM.
These commands are case sensitive!​1. Swap back to MTTY session
2. Type ruurun 0 <enter>
3. Type ResetDevice <enter>
Hope this helps.
Yours
Leon

Thank you Leon, im gonna post a link to this post a the rom compilation thread ( Elf/Elfin Original Roms Model Id & Cid Id List ), for the people who wants to make a request.

Any time, CyZeek
The work you're doing on ROMs DevIDs and CIDs is very important indeed, glad to help.
Yours
Leon

Thank you
After a long tima trying i managed to get the CID!
It worked fine!
Thank you
Question:
Any one knows if a non original rom ends the warranty if the device is malfunctioning?

filiperod said:
After a long tima trying i managed to get the CID!
It worked fine!
Thank you
Question:
Any one knows if a non original rom ends the warranty if the device is malfunctioning?
Click to expand...
Click to collapse
Yes it's against warranty terms. But, if your are using a cooked rom, and need service from HTC, just reflash with your original rom and no prob.

g_cKeyCardSecurityLevel = o
what does it mean?

...
5. Type password BsaD5SeoA <enter> (a lot of diagnostic info will be displayed).
Somewhere near the end you should see
g_cKeyCardSecurityLevel = FF
Which will tell you that you're CID Locked​Check that USB Monitor is running (you may need to press the "continue 14 day trial" button to get the capture to continue)​...
no - in that case nothing happens, when I try to type in "getdevinfo" and execute - system tells me - "wrong password".
what can I try to do?

Just in case you misunderstood...
5.Type:> password BsaD5SeoA <=Don't copy/paste from here!
Press:> [ENTER]
...
...
&go on with Leon's process.
Regards!

did everything as stated however no success....each UP line basically has stuff similar this written only in it....
000079: Bulk or Interrupt Transfer (UP), 04.06.2008 18:34:21.699 +0.001. Status: 0x00000000
Pipe Handle: 0x846006ec (Endpoint Address: 0x82)
Get 0x1 bytes from the device

Dude you Rock
leondaphillips
you rock so hard that i feel the love here in Dunedin New Zealand
after harting round for days with vista drivers and all the random **** life(and computers) and now my phone hits me with i have acheaved CID nowing niss thanks to this thread here the sweet code:
45 4C 46 30 31 30 30 30 30 00 00 00 00 00 00 00 ELF010000.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
44 4F 50 4F 44 30 30 31 00 00 00 00 00 00 00 00 DOPOD001........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............
phone is GSM vodafone Touch from singapore.thanks mate keep the howtos comeing.

Thankyou verymuch its a goodway

leondaphillips said:
Hi Everyone
I'm posting this to help out CyZeek.
4. When a new communication page opens press Enter and the Cmd> prompt will be displayed
5. Type password BsaD5SeoA <enter> (a lot of diagnostic info will be displayed).
Somewhere near the end you should see
g_cKeyCardSecurityLevel = FF
Which will tell you that you're CID Locked​
Click to expand...
Click to collapse
Mine is FF, CID locked?
These commands are case sensitive!
Cmd>getdevinfo
HTCSELF030050œ=Ó HTCE​
Click to expand...
Click to collapse
Cmd>getdevinfo
HTCSELF010050gUH¥HTCE
Cmd>
2. The 12th packet from the end of the list when I did mine had the device ID and CID packet shown below.
45 4C 46 30 33 30 30 35 30 00 00 00 00 00 00 00 ELF030050.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
54 2D 4D 4F 42 30 30 35 00 00 00 00 00 00 00 00 T-MOB005........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 -- -- ..............
Copy and paste the text into a text file and keep for future reference as the Device ID and CID ID are useful in determining the right ROM files to use as well as the wrong ones.
Click to expand...
Click to collapse
Mine at the 12th packet too
45 4C 46 30 31 30 30 35 30 00 00 00 00 00 00 00 ELF010050.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
48 54 43 5F 5F 45 31 31 00 00 00 00 00 00 00 00 HTC__E11........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............

leondaphillips
you are a genius, it worked, a million thanks. I tried other way with MTTY, snoopypro & Hexer loads of times without success & I'd given up hope!

thanks .....
good gob

elf0100050
bstar502
any one have it

where can I find rom
Where can i find rom for htc p3450 elfin
ELF010050
HTC__001

leondaphillips said:
Hi Everyone
I'm posting this to help out CyZeek.
To capture ELF/ELFIN Device ID and CID ID using MTTY and USB Monitor Lite on XP SP2 and Vista x64
You will need:
1. A demo copy of USB Monitor Lite
http://www.hhdsoftware.com (the demo is fully functional for 14 days).​2. A Copy of MTTY (and you need to be basically familiar with it)
Put your Device into Boot Loader
Assuming your device is not already at the TSoD (Tricolour Screen of Death) - if it is skip this instruction and move on to the next section.
1. Press and hold your camera button
2. Press reset with stylus
3. Wait 5 seconds and release the camera button
Kill ActiveSync USB Connections - XP
1. Reboot your PC with without a mobile device connected to USB.
2. After your PC has rebooted Right Click the Active sync Icon in the system tray and select "Connection Settings"
3. Turn off USB
-or-
Kill ActiveSync USB Connections - Vista
Download and install MS Windows Mobile Device Centre from here: http://www.microsoft.com/windowsmobile/devicecenter.mspx
1. Reboot your PC with without a mobile device connected to USB.
2. After your PC has rebooted click Start -> All Programs -> Windows Mobile Device Centre
3. Hover over Mobile Device Settings and Click on Connection Settings.
4. Turn off Allow USB Connections
Connect Your Device to USB
1. Plug in the USB cable
Turn On Spoofing / packet capture
1. Install the demo version of USB Monitor Lite (DMS) and Start Device Monitoring Studio.
2. Connect your device which should be in TSoD (Tricolour Screen of Death) boot loader.
3. Click the item entitled "Pocket PC USB Sync" which activates the main screen
4. Double-Click the item entitled "Packet View" in the Session Configuration Screen.
5. Click the Start button in the selected processing region
You'll know you got this right because you will see two packets displayed:
PnP: Device Connected
Internal: Pipe Info Transfer​6. Leave the USB Monitor running
Run up MTTY, Log In and Issue “getdevinfo” Command
For details on downloading MTTY and recovering from the TSoD see this thread: http://forum.xda-developers.com/showthread.php?t=347700
1. In "Open Port Setting" Dialog Set to Port = USB
2. Flow Cont = RTC/CTS
3. Click OK
4. When a new communication page opens press Enter and the Cmd> prompt will be displayed
5. Type password BsaD5SeoA <enter> (a lot of diagnostic info will be displayed).
Somewhere near the end you should see
g_cKeyCardSecurityLevel = FF
Which will tell you that you're CID Locked​Check that USB Monitor is running (you may need to press the "continue 14 day trial" button to get the capture to continue)​6. Type getdevinfo and press <enter>
These commands are case sensitive!
Cmd>getdevinfo
HTCSELF030050œ=Ó HTCE​7. Leave MTTY running
Swap Back to USB Monitor
1. Starting at the last packet in the list, double click each row whose Direction is "Up"
2. The 12th packet from the end of the list when I did mine had the device ID and CID packet shown below.
45 4C 46 30 33 30 30 35 30 00 00 00 00 00 00 00 ELF030050.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
54 2D 4D 4F 42 30 30 35 00 00 00 00 00 00 00 00 T-MOB005........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 -- -- ..............
Copy and paste the text into a text file and keep for future reference as the Device ID and CID ID are useful in determining the right ROM files to use as well as the wrong ones.
To Re-Enable Boot on a Good Device
Unless you tell the device where to boot from it will go back to boot loader every time so you need to re-enable boot from ROM.
These commands are case sensitive!​1. Swap back to MTTY session
2. Type ruurun 0 <enter>
3. Type ResetDevice <enter>
Hope this helps.
Yours
Leon
Click to expand...
Click to collapse
ive followed your instruction and got the ff-cid locked data.
ive tried everything but cannot make the gold card.with or without usb.

Hi
I have s621 in 3 color mode not eset and open with cid lock.
I have done all but I can not see my cid and Id.
My mtty like that what is wrong. ?
Thank you.
Code:
Cmd>password BsaD5SeoA
Pass.
+ SD Controller init
- SD Controller init
+StorageInit
SDInit+++
SDCmd1 Command response time-out. MMC_STAT = 80
SDCmd1 Command response time-out. MMC_STAT = 80
SDCmd1 Command response time-out. MMC_STAT = 80
SDCmd55 Command response time-out. MMC_STAT = 80
SDCmd55 Command response time-out. MMC_STAT = 80
SDCmd55 Command response time-out. MMC_STAT = 80
CMD55 failed
+ SD Controller init
- SD Controller init
+StorageInit
SDInit+++
SDCmd1 Command response time-out. MMC_STAT = 80
SDCmd1 Command response time-out. MMC_STAT = 80
SDCmd1 Command response time-out. MMC_STAT = 80
SDCmd55 Command response time-out. MMC_STAT = 80
SDCmd55 Command response time-out. MMC_STAT = 80
SDCmd55 Command response time-out. MMC_STAT = 80
CMD55 failed
g_cKeyCardSecurityLevel = FF
Type (0x1)(Operation mode flag): cOpModeFlag=(0x0).
Type (0x2)(Back color flag): cBackColorShowFlag=(0x1).
Type (0x5)(Background color value): g_wBColor=(0xC618) (0xC0C0C0).
HTCST

Thank you OP. I used your method and found the Device ID and CID of Telus HTC Touch Dual (Neon400, Canada). See below:
4E 45 4F 4E 34 30 30 30 00 00 00 00 00 00 00 00 NEON4000........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
54 4C 53 30 00 00 00 00 00 00 00 00 00 00 00 00 TLS0............
00 00 00 00 ....

Hello i have cant find device id and cid can any one help me see log and also Device Monitoring give cid 000000000............
HTCST
Cmd>getdevinfo
GetDeviceCID: Error - InitDecoder
HTCSXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXh{Â&HTCE
Cmd>
leondaphillips said:
Hi Everyone
I'm posting this to help out CyZeek.
To capture ELF/ELFIN Device ID and CID ID using MTTY and USB Monitor Lite on XP SP2 and Vista x64
You will need:
1. A demo copy of USB Monitor Lite
http://www.hhdsoftware.com (the demo is fully functional for 14 days).​2. A Copy of MTTY (and you need to be basically familiar with it)
Put your Device into Boot Loader
Assuming your device is not already at the TSoD (Tricolour Screen of Death) - if it is skip this instruction and move on to the next section.
1. Press and hold your camera button
2. Press reset with stylus
3. Wait 5 seconds and release the camera button
Kill ActiveSync USB Connections - XP
1. Reboot your PC with without a mobile device connected to USB.
2. After your PC has rebooted Right Click the Active sync Icon in the system tray and select "Connection Settings"
3. Turn off USB
-or-
Kill ActiveSync USB Connections - Vista
Download and install MS Windows Mobile Device Centre from here: http://www.microsoft.com/windowsmobile/devicecenter.mspx
1. Reboot your PC with without a mobile device connected to USB.
2. After your PC has rebooted click Start -> All Programs -> Windows Mobile Device Centre
3. Hover over Mobile Device Settings and Click on Connection Settings.
4. Turn off Allow USB Connections
Connect Your Device to USB
1. Plug in the USB cable
Turn On Spoofing / packet capture
1. Install the demo version of USB Monitor Lite (DMS) and Start Device Monitoring Studio.
2. Connect your device which should be in TSoD (Tricolour Screen of Death) boot loader.
3. Click the item entitled "Pocket PC USB Sync" which activates the main screen
4. Double-Click the item entitled "Packet View" in the Session Configuration Screen.
5. Click the Start button in the selected processing region
You'll know you got this right because you will see two packets displayed:
PnP: Device Connected
Internal: Pipe Info Transfer​6. Leave the USB Monitor running
Run up MTTY, Log In and Issue “getdevinfo” Command
For details on downloading MTTY and recovering from the TSoD see this thread: http://forum.xda-developers.com/showthread.php?t=347700
1. In "Open Port Setting" Dialog Set to Port = USB
2. Flow Cont = RTC/CTS
3. Click OK
4. When a new communication page opens press Enter and the Cmd> prompt will be displayed
5. Type password BsaD5SeoA <enter> (a lot of diagnostic info will be displayed).
Somewhere near the end you should see
g_cKeyCardSecurityLevel = FF
Which will tell you that you're CID Locked​Check that USB Monitor is running (you may need to press the "continue 14 day trial" button to get the capture to continue)​6. Type getdevinfo and press <enter>
These commands are case sensitive!
Cmd>getdevinfo
HTCSELF030050œ=Ó HTCE​7. Leave MTTY running
Swap Back to USB Monitor
1. Starting at the last packet in the list, double click each row whose Direction is "Up"
2. The 12th packet from the end of the list when I did mine had the device ID and CID packet shown below.
45 4C 46 30 33 30 30 35 30 00 00 00 00 00 00 00 ELF030050.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
54 2D 4D 4F 42 30 30 35 00 00 00 00 00 00 00 00 T-MOB005........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 -- -- ..............
Copy and paste the text into a text file and keep for future reference as the Device ID and CID ID are useful in determining the right ROM files to use as well as the wrong ones.
To Re-Enable Boot on a Good Device
Unless you tell the device where to boot from it will go back to boot loader every time so you need to re-enable boot from ROM.
These commands are case sensitive!​1. Swap back to MTTY session
2. Type ruurun 0 <enter>
3. Type ResetDevice <enter>
Hope this helps.
Yours
Leon
Click to expand...
Click to collapse

Boot from SD Card

On page 67 of the Service Manual, it mentions "Turn the device power off and insert Diagnostic SD card. Press and hold Capture button, then press Power button to enter Diagnostic mode."
I'm thinking that the camera + power button will make the G1 boot off the SD Card.. this may be a way to run a hacked rev 30 on a locked rev 30 phone...
I will try some stuff tonight...
-Nikropht

that does seem interesting... im going to try to flash JF's img after in finishes downloading... i'll post results... along with my attempt to flash a signed rc29 update... cross your fingers i dont brick the damned phone

The Artemis device had this so-called "Diagnostic SD" mentioned. Im asuming therefore we could dossibly create one and flash our device with whatever firmware, akin to the "Pandora Battery" for PSP.
Worth exploring, but difficult to pull of without bricking... If it is possibly to flash a signed RC30 at any point using the current SD method, then at least we know we cannot brick the phone

the SPL bootloader (engineering and original) look for NBH files on the SD card.
DREADIAG.nbh
and
DREAIMG.nbh
As you can see, their purpose is clear. One is for booting diagnostics and the other is for flashing the firmware.

^^^so are you saying flashing DREAIMG.nbh is possible with this method?

damien667 said:
the SPL bootloader (engineering and original) look for NBH files on the SD card.
DREADIAG.nbh
and
DREAIMG.nbh
As you can see, their purpose is clear. One is for booting diagnostics and the other is for flashing the firmware.
Click to expand...
Click to collapse
So could we create a dreadiag.nbh from RC29?

Yes indeedy. However, we don't know the format of said nbh files. We're working on it still.

richbayliss said:
The Artemis device had this so-called "Diagnostic SD" mentioned. Im asuming therefore we could dossibly create one and flash our device with whatever firmware, akin to the "Pandora Battery" for PSP.
Worth exploring, but difficult to pull of without bricking... If it is possibly to flash a signed RC30 at any point using the current SD method, then at least we know we cannot brick the phone
Click to expand...
Click to collapse
its possible to flash update.zip so we won't brick the phone... the issue is that each update checks for something on the one previously installed... like mentioned in one of my other posts its a endless loop... we can change whatit looks for but then loose the signature...

Can we not use the info here
http://wiki.xda-developers.com/index.php?pagename=Hermes_NBH
To go the other way!?

richbayliss said:
Can we not use the info here
http://wiki.xda-developers.com/index.php?pagename=Hermes_NBH
To go the other way!?
Click to expand...
Click to collapse
ok... HAs anyone tried to extract DREAIMG.NBH just to see how its formated or structured??? If so we could compare it to the data listed for the hermes nbh format just to compare differences(if any) to see how closely they match... just a thought

If I could get a copy of the file I would give it a whirl... but cannot find it anywhere.

Guys,
NBH files are a proprietary format. They are like the update.zip, but different. We don't know how, as this is embedded into the SPL code that is all in binary format at the time (it's not been disassembled). No one except HTC and/or T-Mo will have these original files anyway. This means we're going to have to build one from scratch with reverse engineering of the spl (at least that's what it looks like as of now). That being said, there is no NBH file that is "found" on any file system of the G1. The NBH file contains files within itself that are flashed onto the NAND flash of the phone, like update.zip. The difference is that NBH files are not signed (that we know of yet), and the format in which they have to be assembled.

richbayliss said:
If I could get a copy of the file I would give it a whirl... but cannot find it anywhere.
Click to expand...
Click to collapse
I cant find it either.... its out there though... too many people have posted their experiments with it... if any has it or know where it is is located please post... thank...

DREAIMG.nbh is nowhere. People are just creating empty files with that filename to see what the bootloader will do.

damien667 said:
DREAIMG.nbh is nowhere. People are just creating empty files with that filename to see what the bootloader will do.
Click to expand...
Click to collapse
Yup. Well to be correct there are probably true DREAIMG.NBH files somewhere out there (at a htc repair center most likely), but they have not yet made their way into the hands of the hacking community.

True.
I would rick messing if there was an update.zip of the OTA RC30 as is now. So I could rescue myself.
Looking at the WinMo phones, they have NBH for a few devices, and it is common for all of them to put the OS partition at header 0x0400, even on the latest Diamond device. So I would risk trying a file with this IF I knew I wouldnt be bricking for life.

richbayliss said:
True.
I would rick messing if there was an update.zip of the OTA RC30 as is now. So I could rescue myself.
Looking at the WinMo phones, they have NBH for a few devices, and it is common for all of them to put the OS partition at header 0x0400, even on the latest Diamond device. So I would risk trying a file with this IF I knew I wouldnt be bricking for life.
Click to expand...
Click to collapse
there is an official rc30 update.zip out... however it does not seem to alter the os... i re-flahed my rc30 with it and i didnt have to re log into google and nothing was missing... all of my text messages were even intact

When you flash with update.zip, it does not affect the data partition (where all your settings and installed apps are located). It only changes radio, system, and boot partitions.

formar of DREAIMG.nbh:
0x200 bytes header,
then N images one by one(radio, hboot, recovery, boot, splash, sysfs, userfs)
header:
000: 48 00 00 00 54 00 00 00 43 00 00 00 49 00 00 00 │H...T...C...I...
010: 4D 00 00 00 41 00 00 00 47 00 00 00 45 00 00 00 │M...A...G...E...
020: 44 52 45 41 31 30 30 30 30 00 00 00 00 00 00 00 │DREA10000.......
030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 │................
seems like simple "magic"
+0x40: 32 DD's - IMHO type descriptor's (type of each image, 00 if not used)
+0xC0: 32 DD's - offset of images
+0x140: 32 DD's - size of each image
+0x1C0: version?
1C0: 31 31 31 31 31 31 31 31 00 00 00 00 00 00 00 00 │11111111........
1D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 │................
1E0: 30 2E 30 35 2E 30 2E 30 00 00 00 00 00 00 00 00 │0.05.0.0........
1F0: 47 65 6E 65 72 69 63 00 00 00 00 00 00 00 00 00 │Generic.........

Booting from the SD card is probably how you enter the manufacturers test mode RE: FACTORY_TEST Run as a manufacturer test application, running as the root user. "android.permission.FACTORY_TEST"
http://code.google.com/android/reference/android/Manifest.permission.html

TUTORIAL: Remove *TAMPERED* & *RELOCKED* flag / HBoot w/o unlock_code.bin

FOR ALL K2 VARIANTS (K2_CL, K2_UL, K2_U, K2_PLC_CL)​
Advantages
- No more hassle with htcdev, tokens, or unlock codes
- No more submitting your phones personal info to htc
- The ability to get back to 100% stock without any visual traces or records of having been S-Off or unlocking your bootloader.
PLEASE PAY CLOSE ATTENTION TO THIS TUTORIAL AS I WILL SHOW YOU HOW TO CHANGE THE FLAG FOR LOCK, RELOCK, UNLOCK, AND TAMPERED!!
I INSIST THAT YOU READ ALL OF THIS BEFORE YOU TAKE FURTHER ACTION - IF YOU FAIL TO FOLLOW INSTRUCTIONS THE ONLY ONE TO BLAME IS YOURSELF. AFTER YOU HAVE READ THIS TUTORIAL AND COME TO UNDERSTAND THIS PROCEDURE THEN BY ALL MEANS GO AHEAD AND CARRY OUT THE NECESSARY STEPS TO ACCOMPLISH WHATEVER GOALS YOU MAY CURRENTLY HAVE AT THIS TIME.​
- This tutorial may be easier on the eyes if viewed by the actual web browser vice an app or phone device.
Many thanks to @old.splatterhand for being generous and providing me some files which allowed me to confirm this tutorial for all K2 variants.
Confirmed Working - Credits
Myself - K2_CL
@russellvone - K2_CL
Lordvincent 90 - K2_CL
@DrBassman - K2_CL
REQUIREMENTS FOR THIS TUTORIAL FOR THE PURPOSE OF LEARNING AND APPLYING IT
- This tutorial will be based on an already UNLOCKED Bootloader with TAMPERED flag
- Must be S-OFF
- Must be rooted
- Proper ADB and Fastboot files
- Hex editor (HxD)
- Knowledge of Hex and DD (aka - Data Destroyer)
If you do not know what DD is then please read the following which I extracted from WIKI for the simplicity of this tutorial - Otherwise, skip this and move along.
dd is a command on Unix and Unix-like operating systems whose primary purpose is to convert and copy a file.
On Unix, device drivers for hardware (such as hard disks) and special device files (such as /dev/zero and /dev/random) appear in the file system just like normal files; dd can also read and/or write from/to these files, provided that function is implemented in their respective driver. As a result, dd can be used for tasks such as backing up the boot sector of a hard drive, and obtaining fixed amount of random data. The dd program can also perform conversions on the data as it is copied, including byte order swapping and conversion to and from the ASCII and EBCDIC text encodings.
The name dd may be an allusion to the DD statement found in IBM's Job Control Language (JCL), where the initialism stands for "Data Description." The command's syntax resembles the JCL statement more than it does other Unix commands, so the syntax may have been a joke. Another explanation for the command's name is that "cc" (for "convert and copy", as in the command's description) was already taken by the C compiler.
The dd command is specified by IEEE Std 1003.1-2008, which is part of the Single UNIX Specification.
The command line syntax of dd differs from many other Unix programs, in that it uses the syntax option=value for its command line options, rather than the more-standard --option value or -option=value formats. By default, dd reads from STDIN and writes to STDOUT, but these can be changed by using the if (input file) and of (output file) options.
Usage varies across different operating systems. Also, certain features of dd will depend on the computer system capabilities, such as dd's ability to implement an option for direct memory access. Sending a SIGINFO signal (or a USR1 signal on Linux) to a running dd process makes it print I/O statistics to standard error once and then continue copying (note that signals may terminate the process on OS*X). dd can read standard input from the keyboard. When end-of-file (EOF) is reached, dd will exit. Signals and EOF are determined by the software. For example, Unix tools ported to Windows vary as to the EOF: Cygwin uses (the usual Unix EOF) and MKS Toolkit uses (the usual Windows EOF).
In spirit with the Unix philosophy, dd does one thing (and may be considered to do it "well" ). Unlike a sophisticated and highly abstracted utility, dd has no algorithm other than in the low-level decisions of the user concerning how to vary the run options. Often, the options are changed for each run of dd in a multi-step process to solve a computer problem.
The GNU variant of dd as supplied with coreutils on Linux does not describe the format of the messages displayed on standard output on completion. However, these are described by other implementations, e.g. that with BSD.
Each of the "Records in" and "Records out" lines shows the number of complete blocks transferred + the number of partial blocks, e.g. because the physical medium ended before a complete block was read, or a physical error prevented reading the complete block.
A block is a unit measuring the number of bytes that are read, written, or converted at one time. Command line options can specify a different block size for input/reading (ibs) compared to output/writing (obs), though the block size (bs) option will override both ibs and obs. The default value for both input and output block sizes is 512 bytes (the traditional block size of disks, and POSIX-mandated size of "a block"). The count option for copying is measured in blocks, as are both the skip count for reading and seek count for writing. Conversion operations are also affected by the "conversion block size" (cbs).
For some uses of the dd command, block size may have an effect on performance. For example, when recovering data from a hard disk, a small block size will generally cause the most bytes to be recovered. Issuing many small reads is an overhead and may be non-beneficial to execution performance. For greater speed during copy operations, a larger block size may be used. However, because the amount of bytes to copy is given by bs×count, it is impossible to copy a prime number of bytes in one go without going with one of two bad choices, bs=N count=1 (memory use) or bs=1 count=N (read request overhead). Alternative programs (see below) permit specifying bytes rather than blocks.
Click to expand...
Click to collapse
Let's get started shall we - the following commands highlighted in RED are your commands to execute:
- Go ahead and plug your device in to your PC with a USB cable.
- Open up CMD and change its directory to the location of your proper ADB and Fastboot files
- Establish a proper connection with your device. It should look something like this:
Code:
C:\Users\*******\Desktop\Android_tweak_software\HTC_fastboot_files>[COLOR="Red"][B]adb devices[/B][/COLOR]
List of devices attached
HT3********* device
C:\Users\*******\Desktop\Android_tweak_software\HTC_fastboot_files>
- If connection is established then direct to your devices' adb shell:
Code:
C:\Users\*******\Desktop\Android_tweak_software\HTC_fastboot_files>[COLOR="Red"][B]adb shell[/B][/COLOR]
[email protected]:/ #
- Go ahead and gain superuser rights to your devices' adb shell:
Code:
C:\Users\*******\Desktop\Android_tweak_software\HTC_fastboot_files>adb shell
[email protected]:/ # [COLOR="Red"][B]su[/B][/COLOR]
su
[email protected]:/ #
- Now we need to copy a partition (mmcblk0p7) to your sdcard using DD. Insure you do not make a typo:
Code:
C:\Users\*******\Desktop\Android_tweak_software\HTC_fastboot_files>adb shell
[email protected]:/ # su
su
[email protected]:/ # [COLOR="Red"][B]dd if=/dev/block/mmcblk0p7 of=/sdcard/mmcblk0p7.img[/B][/COLOR]
dd if=/dev/block/mmcblk0p7 of=/sdcard/mmcblk0p7.img
31155+0 records in
31155+0 records out
15951360 bytes transferred in 2.259 secs (7061248 bytes/sec)
[email protected]:/ #
- Now we need to pull this image (mmcblk0p7) to our pc:
Code:
C:\Users\*******\Desktop\Android_tweak_software\HTC_fastboot_files>adb shell
[email protected]:/ # su
su
[email protected]:/ # dd if=/dev/block/mmcblk0p7 of=/sdcard/mmcblk0p7.img
dd if=/dev/block/mmcblk0p7 of=/sdcard/mmcblk0p7.img
31155+0 records in
31155+0 records out
15951360 bytes transferred in 2.259 secs (7061248 bytes/sec)
[email protected]:/ # [COLOR="Red"][B]exit[/B][/COLOR]
exit
[email protected]:/ # [COLOR="Red"][B]exit[/B][/COLOR]
exit
C:\Users\*******\Desktop\Android_tweak_software\HTC_fastboot_files>[COLOR="Red"][B]adb pull /sdc
ard/mmcblk0p7.img[/B][/COLOR]
2523 KB/s (15951360 bytes in 6.172s)
C:\Users\*******\Desktop\Android_tweak_software\HTC_fastboot_files>
- Go ahead and repeat these steps for (mmcblk0p3).
- At this time go ahead and open up your hex editor (HxD) and at the top right change from hex in the drop down bar to dec - you will do this (if necessary) for all images pertaining to this tutorial.
- Drag\drop (mmcblk0p3.img) in to the hex editor (HxD).
- Now hit ctrl+F or go to the Search tab, then click on Find.
- Search for HTCU. You will see the following:
Code:
Offset(d) 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15
000033728 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000033744 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000033760 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000033776 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[COLOR="Red"][B]000033792[/B] 00 00 00 00 [B]48 54 43 55[/B] 01 00 00 00 00 00 00 00 ....[B]HTCU[/B]........[/COLOR]
000033808 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000033824 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000033840 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000033856 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
- Drag\drop (mmcblk0p7.img) in to the hex editor (HxD).
- Now hit ctrl+G or go to the Search tab, then click on Goto....
- Search for DEC OFFSET 4265984.
- You will see something like this:
Code:
Offset(d) 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15
04265920 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
04265936 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
04265952 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
04265968 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[COLOR="Red"][B]04265984[/B] [B]68 25 32 C6 02[/B] 00 00 00 00 00 00 00 00 00 00 00 [B]h%2Æ.[/B]...........[/COLOR]
04266000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
04266016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
04266032 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
04266048 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
- Now that we have what we needed loaded and prepped we want to see what needs adjustment regarding lock, unlock, relock, and tampered.
- These two partitions are already stamped with the bootloader being unlocked as well as being tampered so finding what we are looking for makes it easy as seen above.
- mmcblk0p3 is the partition which determines if our device is locked, unlocked, or relocked.
- mmcblk0p7 is the partition which determines if our device is tampered with or not.
- Let's look at mmcblk0p3. We see in red, HTCU, which we already know means Unlocked, because as I mentioned in the beginning, this tutorial is based on an already unlocked bootloader and tampered device.
Code:
[COLOR="Red"][B]000033792[/B] 00 00 00 00 [B]48 54 43 55[/B] 01 00 00 00 00 00 00 00 ....[B]HTCU[/B]........[/COLOR]
- We want to lock or relock our device. To relock is, "HTCL". To Lock is, "00 00 00 00".
- Our goal is creating a dd command which will implement these changes for us to our partition already on our device.
- To lock:
Code:
echo -ne '\x00\x00\x00\x00' | dd of=/dev/block/mmcblk0p3 bs=1 seek=33796
- To relock:
Code:
echo -ne "HTCL" | dd of=/dev/block/mmcblk0p3 bs=1 seek=33796
- To unlock:
Code:
echo -ne "HTCU" | dd of=/dev/block/mmcblk0p3 bs=1 seek=33796
- The command for seek is what determines the decimal search of that partition when implementing the echo command from start to finish, from left to right as it writes it out. This is why earlier I told you to change it from hex to dec in your hex editor. If you look at seek=33796 and go back to your hex editor you will notice the dec offset says 33792 then underneath that it says 33808.
Code:
Offset(d) 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15
000033792 00 00 00 00 48 54 43 55 01 00 00 00 00 00 00 00 ....HTCU........
000033808 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
- To determine the exact decimal location where the dd command will start writing to you must first look at the top of your hex editor where it shows '00 01 02 03 04 05, etc'. You will take the offset for 33792 and look at where HTCU begins then scroll to the top which in this case it aligns to '04', so we add 04 to the offset of 33792 which gives us a total of 33796. This becomes our seek (our starting point).
- Now that we have established this concept with mmcblk0p3.img, lets go and take a look at mmcblk0p7.img.
- We already know our device has been tampered with. If you search for tamper or tampered you will find results and these results eventually bring you to where we already are as mentioned above and if following along then what you are currently looking at on your pc.
- This one is really simple. Either your device is tampered or it is not. In this case we notice '02' which signifies the setup for being tampered.
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00411800 68 25 32 C6 02 00 00 00 00 00 00 00 00 00 00 00 h%2Æ............
- Let's go ahead and change it to '00' with the following dd command:
Code:
echo -ne '\x00' | dd of=/dev/block/mmcblk0p7 bs=1 seek=4265988
- To restore back to tampered you will just replace 00 with 02.
(FOR K2_PLC_CL USERS, REPLACE 00 WITH 04, INSTEAD OF 02 - Credit goes to @DOrtego for notifying me of this)
- Now to show you how to execute these commands. I will only use one command for this example since it will be the same for all of them. The following in RED will be your commands to execute. A lot of these will be due to insuring you are set up prior to executing the dd command itself, so if you are already good to go then just seek for the dd command and follow along:
Code:
C:\Users\*******\Desktop\Android_tweak_software\HTC_fastboot_files>[COLOR="Red"][B]adb devices[/B][/COLOR]
List of devices attached
HT********** device
C:\Users\*******\Desktop\Android_tweak_software\HTC_fastboot_files>[COLOR="Red"][B]adb shell[/B][/COLOR]
[email protected]:/ # [COLOR="Red"][B]su[/B][/COLOR]
su
[email protected]:/ # [COLOR="Red"][B]echo -ne '\x00' | dd of=/dev/block/mmcblk0p7 bs=1 seek=4265988[/B][/COLOR]
ock/mmcblk0p7 bs=1 seek=4265988 <
1+0 records in
1+0 records out
1 bytes transferred in 0.012 secs (83 bytes/sec)
[email protected]:/ # [COLOR="Red"][B]exit[/B][/COLOR]
exit
[email protected]:/ # [COLOR="Red"][B]exit[/B][/COLOR]
exit
C:\Users\*******\Desktop\Android_tweak_software\HTC_fastboot_files>
I will also show you how to go back to S-ON, but you BETTER make sure you have your stock HBoot.img flashed, Stock Boot.img flashed, etc OR YOU WILL BRICK YOUR DEVICE INDEFINITELY!!!
YOU MUST FIRST BE IN FASTBOOT - THERE WILL BE NO USING ADB NOR A TERMINAL EMULATOR FOR THIS STEP
To go from radio S-OFF to radio S-ON enter the following :
Code:
[B]fastboot oem writesecureflag 3[/B]
To go from HBoot S-Off to HBoot S-On just flash a stock HBoot to remove the modified version.
Code:
[B]adb reboot bootloader[/B]
// booting in to bootloader
[B]fastboot devices[/B]
// establishing connection between device and PC
[B]fastboot oem rebootRUU[/B]
// booting in to RUU
[B]fastboot flash zip filename.zip[/B]
// .zip with stock HBoot image
[B]fastboot reboot-bootloader[/B]
// confirm mod S-Off HBoot now reads new S-On from stock HBoot
[B]fastboot reboot[/B]
// boot OS
So, there you have it everyone! Enjoy, and profit!
--- Happy Hunting!

Other users, what I did to confirm this was by pulling mmcblk0p3 and mmcblk0p7 for both versions and compared the results with a hex editor to determine these steps are valid for the K2_CL variant. Enjoy.
EDIT: Confirmed for ALL K2 variants
Sent from my C525c using XDA Premium 4 mobile app

And yes, I used my device as a guinea pig so of course it works
Sent from my C525c using XDA Premium 4 mobile app

Modding.MyMind said:
And yes, I used my device as a guinea pig so of course it works
Sent from my C525c using XDA Premium 4 mobile app
Click to expand...
Click to collapse
What if we wish to put *tampered* back?
Lol

Hmmm, I would have to look at that as I did not consider that as an option. However, having 'tampered' being displayed leaves traces so why would you want to lol.
Sent from my C525c using XDA Premium 4 mobile app

Complete joke, very well done sir.
Awesome find!

Yea, I knew it was ha! And thanks. Would like to see if this works for the other variants as well but I do not have what I need from them so either they will need to figure it out or become very brave with trying my steps lol.
Sent from my C525c using XDA Premium 4 mobile app

+sorry for the off topic+
but I decided to do a complete factory restore of my phone and accept an ota update to see if I could get to that clockworkmod like screen in stock recovery.
and it let me
first attempt it just installed the update without letting me into the clockworkmod like..........
so I simply deleted a system app accepted the next update, allowed to boot into recovery,
then once it got to the hated /!\ Red triangle, I just held volume+ then pressed power and it let me see the reason for the fail.
thought you would like to play with it

Awesome! Thanks.
Sent from my C525c using XDA Premium 4 mobile app

Maybe @old.splatterhand could look in to this with the K2_U and K2_UL variants .
And possibly add this finding to his index *cough**cough* haha
Sent from my C525c using XDA Premium 4 mobile app

Modding.MyMind said:
Awesome! Thanks.
Sent from my C525c using XDA Premium 4 mobile app
Click to expand...
Click to collapse
alrighty, just got into it again, used an app called quick boot and booted into recovery, again it would not let me in to CWM-like until it showed red triangle then had to hold volume+ then power, tried to apply a different zip (crossbreeder)
aborted,
I'm gonna do some playing myself!

I have added it to my Index, but i have to add much more, when its time.

@Modding.MyMind
confirmed working......
thanks again sir, very proud of your hard work!

Yea, will be uploading pictures soon enough so people can see it on my phone. Unfortunately, I won't be able to get a pic where it shows *tampered* because I already removed it lol (but hey, if it isn't there that is evidence in itself). But I can atleast provide pics where it shows locked (not relocked) and unlocked with S-Off.
I got other projects I am looking into as well. Hopefully, they too will be just as satisfying as this.
Sent from my C525c using XDA Premium 4 mobile app

Modding.MyMind said:
I got other projects I am looking into as well. Hopefully, they too will be just as satisfying as this.
Sent from my C525c using XDA Premium 4 mobile app
Click to expand...
Click to collapse
Just helped a fellow with the handle
Lordvincent 90
over on AndroidForums
sent him this way so he could use your find so he could his phone in for hardware repair.......
with out any traces of s-off!!!!
#already_awesome
oh yeah.... I'm on edge waiting for more!
very impressed with what you've brought so early in the game.
I'm rooting for ya \ /*_*\ /

russellvone said:
Just helped a fellow with the handle
Lordvincent 90
over on AndroidForums
sent him this way so he could use your find so he could his phone in for hardware repair.......
with out any traces of s-off!!!!
#already_awesome
oh yeah.... I'm on edge waiting for more!
very impressed with what you've brought so early in the game.
I'm rooting for ya \ /*_*\ /
Click to expand...
Click to collapse
I have added him to the OP under credits
Glad this served him well and soon others when it calls for it
Sent from my C525c using XDA Premium 4 mobile app

Reserved....
Sent from my C525c using XDA Premium 4 mobile app

russellvone said:
very impressed with what you've brought so early in the game.
Click to expand...
Click to collapse
Newbie on XDA forums, but as for androids... Especially K2_CL... Pretty much got the experience needed to get by and to grow. I focus most on mods, hence my name. Something about modding gets me pumped haha.
That's my Bio and I'm sticking to it.
Sent from my C525c using XDA Premium 4 mobile app

Modding.MyMind said:
Newbie on XDA forums, but as for androids... Especially K2_CL... Pretty much got the experience needed to get by and to grow. I focus most on mods, hence my name. Something about modding gets me pumped haha.
That's my Bio and I'm sticking to it.
Sent from my C525c using XDA Premium 4 mobile app
Click to expand...
Click to collapse
THAT'S WHAT I'M SCREAMING!
:beer: «--one for you
:beer: «--one for me
cheers!
#EDIT#
for some reason my beers look like smiley faces on tapatalk?¿

Pictures uploaded in OP. Take additional note that in both pictures you do not see *tampered* nor do you see *relocked*. Enjoy.
Sent from my C525c using XDA Premium 4 mobile app

Calculating the CRC values in the commands send by LG Flashtool to Nexus-5

Hello All,
I am trying to understand the commands send by LG Flashtool to Nexus-5 phones while flashing the device with new firmware.
I looked at the USB log while flashing the firmware and I found that the commands are starting with a 4 byte header (OPEN, HELO, READ, WRTE, etc), followed by data payload, 2 byte checksum (I think CRC-16) and a 4 byte tail. For example a READ command looks like the following:
52 45 41 44 11 00 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 5B 87 00 00 AD BA BE BB
Splitting the command into sections
52 45 41 44 11 00 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 5B 87 00 00 AD BA BE BB
READ ID Start address Size to read CRC-16? TAIL FLAG
The TAIL and the HEADER (READ) does not change as the commands data payload changes, but the CRC-16 value changes.
I am wondering if anyone can throw some light on how the check sum bytes are calculated? Are they using CRC-16? I tried some basic CRC-16 algorithm but I am not getting the same values. If CRC-16 is used then what is the polynomial and initial values used?
I hope someone knows how it works.
Thank you.
Cheers!

Can I just ask why you wanna know, like what are you trying to achieve?
Sent from my XT1526 using Tapatalk

soupysoup said:
Can I just ask why you wanna know, like what are you trying to achieve?
Sent from my XT1526 using Tapatalk
Click to expand...
Click to collapse
Hello XT1526,
I am working on a hobby project to use download mode commands to dump Nexus phone memories.
So, I am trying to generate custom commands that can be sent to the phone that will enable reading from and writing to sectors that I want to.
For Nexus-4 phones all the commands use an HDLC format (starting and ending with a 0x7e flag), so it was comparatively easy to figure out the command including the CRC-16 value. My assumption that the 2 bytes should be CRC values comes from the experience from Nexus-4.
When I looked at the Nexus-5 commands (from Flashtool log), there are commands that use HDLC format and then commands with headers like READ and HELO. And I cannot understand the CRC calculation and am kind of stuck!
Any help would be great !!
Cheers!

As a software engineer u have me interested...... I'll take a look
Sent from my XT1526 using Tapatalk

soupysoup said:
As a software engineer u have me interested...... I'll take a look
Sent from my XT1526 using Tapatalk
Click to expand...
Click to collapse
Hello soupysoup,
Thank you for spending your time on this!
Cheers.

[GUIDE] How to install Android 10 internal update for Nokia 5.1 Plus

WARNING: This package is never meant for non-experienced members!
Chinese translation of this guide is on the way. (本教程的中文版仍在编写中)
Code:
#include <std_disclaimer.h>
/*
* Your warranty is now void. *
* I am not responsible for bricked devices, dead SD cards,
* thermonuclear war, or you getting fired because the alarm app failed.
Please do some research if you have any concerns about features included in this ROM before flashing it! YOU are choosing to make these modifications, and if you point the finger at me for messing up your device, I will laugh at you.
*/
We changed the flashing procedure this time, so it will:
- Prevent noobs without any experiences
- Avoid installing many dumb security updates
Target: PDA-311A-0-00WW-B02
Now it's available for public.
Please download and install this to your phone via ADB sideload of 874 command: https://android.googleapis.com/pack.../ace851ea59294177f677018648d6c0614317510e.zip
To Chinese Nokia X5 owners: Please convert your phone to Global Nokia 5.1 Plus before flashing, and don't forget to change SKUID to 600WW.
What's the requirement for flashing?
- Nokia 5.1 Plus X5 with Global Android one firmware installed (any version)
- Rooted phone (either MTK-SU or regular root method are OK)
Or:
- The Bootloader is Unlocked
Here's how (if rooted):
Due to the spelling error of the script, the correct one is attached below.
Please replace it to the one inside package, if you want to use "Click_Me_To_Flash.cmd"..
Click to expand...
Click to collapse
- Download the package and extract it. You'll get 17 img files, and 6 other files.
- Create one directory called "pda-3110" on your phone's internal storage. THIS IS CASE SENSITIVE, so don't use uppercase "PDA".
- Copy all the img files to the pda-3110 directory.
- Execute this under command prompt:
Code:
adb shell
- Check what's your current slot:
Code:
getprop ro.boot.slot_suffix
Take a note whether the slot is "_a" or "_b".
- Grant root permission:
Code:
su
If necessary, grant root permission on the phone. If grant successful, you'll see the dollar ($) symbol will become into hash (#) symbol.
If your phone is rooted with MTK-SU, you must do this:
- Open Magisk Manager and install Magisk on another slot.
After installation complete, stay at installation complete screen and don't reboot.
- Now execute following commands.
If current slot is "_a", then execute these:
Code:
dd if=/storage/emulated/0/pda-3110/boot.img of=/dev/block/bootdevice/by-name/boot_b
dd if=/storage/emulated/0/pda-3110/cam_vpu1.img of=/dev/block/bootdevice/by-name/cam_vpu1_b
dd if=/storage/emulated/0/pda-3110/cam_vpu2.img of=/dev/block/bootdevice/by-name/cam_vpu2_b
dd if=/storage/emulated/0/pda-3110/cam_vpu3.img of=/dev/block/bootdevice/by-name/cam_vpu3_b
dd if=/storage/emulated/0/pda-3110/cda.img of=/dev/block/bootdevice/by-name/cda_b
dd if=/storage/emulated/0/pda-3110/lk.img of=/dev/block/bootdevice/by-name/lk_b
dd if=/storage/emulated/0/pda-3110/logo.img of=/dev/block/bootdevice/by-name/logo_b
dd if=/storage/emulated/0/pda-3110/md1img.img of=/dev/block/bootdevice/by-name/md1img_b
dd if=/storage/emulated/0/pda-3110/odmdtbo.img of=/dev/block/bootdevice/by-name/odmdtbo_b
dd if=/storage/emulated/0/pda-3110/preloader.img of=/dev/block/bootdevice/by-name/preloader_b
dd if=/storage/emulated/0/pda-3110/scp.img of=/dev/block/bootdevice/by-name/scp_b
dd if=/storage/emulated/0/pda-3110/spmfw.img of=/dev/block/bootdevice/by-name/spmfw_b
dd if=/storage/emulated/0/pda-3110/sspm.img of=/dev/block/bootdevice/by-name/sspm_b
dd if=/storage/emulated/0/pda-3110/system.img of=/dev/block/bootdevice/by-name/system_b
dd if=/storage/emulated/0/pda-3110/systeminfo.img of=/dev/block/bootdevice/by-name/systeminfo_b
dd if=/storage/emulated/0/pda-3110/tee.img of=/dev/block/bootdevice/by-name/tee_b
dd if=/storage/emulated/0/pda-3110/vendor.img of=/dev/block/bootdevice/by-name/vendor_b
If current slot is "_b":
Code:
dd if=/storage/emulated/0/pda-3110/boot.img of=/dev/block/bootdevice/by-name/boot_a
dd if=/storage/emulated/0/pda-3110/cam_vpu1.img of=/dev/block/bootdevice/by-name/cam_vpu1_a
dd if=/storage/emulated/0/pda-3110/cam_vpu2.img of=/dev/block/bootdevice/by-name/cam_vpu2_a
dd if=/storage/emulated/0/pda-3110/cam_vpu3.img of=/dev/block/bootdevice/by-name/cam_vpu3_a
dd if=/storage/emulated/0/pda-3110/cda.img of=/dev/block/bootdevice/by-name/cda_a
dd if=/storage/emulated/0/pda-3110/lk.img of=/dev/block/bootdevice/by-name/lk_a
dd if=/storage/emulated/0/pda-3110/logo.img of=/dev/block/bootdevice/by-name/logo_a
dd if=/storage/emulated/0/pda-3110/md1img.img of=/dev/block/bootdevice/by-name/md1img_a
dd if=/storage/emulated/0/pda-3110/odmdtbo.img of=/dev/block/bootdevice/by-name/odmdtbo_a
dd if=/storage/emulated/0/pda-3110/preloader.img of=/dev/block/bootdevice/by-name/preloader_a
dd if=/storage/emulated/0/pda-3110/scp.img of=/dev/block/bootdevice/by-name/scp_a
dd if=/storage/emulated/0/pda-3110/spmfw.img of=/dev/block/bootdevice/by-name/spmfw_a
dd if=/storage/emulated/0/pda-3110/sspm.img of=/dev/block/bootdevice/by-name/sspm_a
dd if=/storage/emulated/0/pda-3110/system.img of=/dev/block/bootdevice/by-name/system_a
dd if=/storage/emulated/0/pda-3110/systeminfo.img of=/dev/block/bootdevice/by-name/systeminfo_a
dd if=/storage/emulated/0/pda-3110/tee.img of=/dev/block/bootdevice/by-name/tee_a
dd if=/storage/emulated/0/pda-3110/vendor.img of=/dev/block/bootdevice/by-name/vendor_a
- Now back to Magisk Manager.
If your phone is rooted with MTK-SU:
Tap Reboot on installation complete screen now, and enjoy Android 10.
If your phone is rooted with regular method (which is, latest Magisk installed properly):
- Open Magisk Manager and install Magisk on another slot.
After installation complete, reboot immediately. Then you should be able to enjoy Android 10 with rooted state.
And here's how (if bootloader unlocked and prefer flashing via fastboot):
- Download the package and extract it. You'll get 17 img files, and 6 other files.
- Use some hex editor (e.g. HxD) to open preloader.img file, and remove the content from 0x0-0x7FF, save it.
Because fastboot will flash preloader.img file you inputted to the offset 0x7FF of actual fastboot partitions, so we must remove header from preloader.img dump, otherwise it will kill the phone.
- After removing header, file size should be 284,672 bytes (278 KiB).
Content range for reference:
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 45 4D 4D 43 5F 42 4F 4F 54 00 00 00 01 00 00 00 EMMC_BOOT.......
00000010 00 02 00 00 FF FF FF FF FF FF FF FF FF FF FF FF ....ÿÿÿÿÿÿÿÿÿÿÿÿ
00000020 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
000007E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000007F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000800 4D 4D 4D 01 38 00 00 00 46 49 4C 45 5F 49 4E 46 MMM.8...FILE_INF
00000810 4F 00 00 00 01 00 00 00 01 00 05 05 10 0F 20 00 O............. .
And here's after removed:
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 4D 4D 4D 01 38 00 00 00 46 49 4C 45 5F 49 4E 46 MMM.8...FILE_INF
00000010 4F 00 00 00 01 00 00 00 01 00 05 05 10 0F 20 00 O............. .
00000020 44 4E 04 00 00 00 08 00 F0 00 00 00 6C 06 00 00 DN......ð...l...
00000030 F0 00 00 00 01 00 60 C2 4D 4D 4D 01 0C 00 01 00 ð.....`ÂMMM.....
00000040 01 00 00 00 4D 4D 4D 01 64 00 07 00 90 00 00 00 ....MMM.d.......
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
- Use img2simg to convert system.img and vendor.img into sparse images.
If you're Windows user, please find img2simg binaries yourself.
This is known available by default on Ubuntu and Debian (sudo apt install img2simg).
Code:
img2simg system.img system.simg
img2simg vendor.img vendor.simg
- Check current slot:
Code:
fastboot getvar current-slot
In this case, the current slot is a.
- Flash these partitions (including modified preloader) to the slot you currently have (slot a in this case):
Code:
fastboot flash boot_a /path/to/HCTSW_PDA-3110-0-00WW-B01_600WW_10_20200405.fdump.lzma2/boot.img
fastboot flash cam_vpu1_a /path/to/HCTSW_PDA-3110-0-00WW-B01_600WW_10_20200405.fdump.lzma2/cam_vpu1.img
fastboot flash cam_vpu2_a /path/to/HCTSW_PDA-3110-0-00WW-B01_600WW_10_20200405.fdump.lzma2/cam_vpu2.img
fastboot flash cam_vpu3_a /path/to/HCTSW_PDA-3110-0-00WW-B01_600WW_10_20200405.fdump.lzma2/cam_vpu3.img
fastboot flash cda_a /path/to/HCTSW_PDA-3110-0-00WW-B01_600WW_10_20200405.fdump.lzma2/cda.img
fastboot flash lk_a /path/to/HCTSW_PDA-3110-0-00WW-B01_600WW_10_20200405.fdump.lzma2/lk.img
fastboot flash logo_a /path/to/HCTSW_PDA-3110-0-00WW-B01_600WW_10_20200405.fdump.lzma2/logo.img
fastboot flash md1img_a /path/to/HCTSW_PDA-3110-0-00WW-B01_600WW_10_20200405.fdump.lzma2/md1img.img
fastboot flash odmdtbo_a /path/to/HCTSW_PDA-3110-0-00WW-B01_600WW_10_20200405.fdump.lzma2/odmdtbo.img
fastboot flash preloader_a /path/to/HCTSW_PDA-3110-0-00WW-B01_600WW_10_20200405.fdump.lzma2/preloader_header_removed.img
fastboot flash scp_a /path/to/HCTSW_PDA-3110-0-00WW-B01_600WW_10_20200405.fdump.lzma2/scp.img
fastboot flash spmfw_a /path/to/HCTSW_PDA-3110-0-00WW-B01_600WW_10_20200405.fdump.lzma2/spmfw.img
fastboot flash sspm_a /path/to/HCTSW_PDA-3110-0-00WW-B01_600WW_10_20200405.fdump.lzma2/sspm.img
fastboot flash system_a /path/to/HCTSW_PDA-3110-0-00WW-B01_600WW_10_20200405.fdump.lzma2/system.simg
fastboot flash systeminfo_a /path/to/HCTSW_PDA-3110-0-00WW-B01_600WW_10_20200405.fdump.lzma2/systeminfo.img
fastboot flash tee_a /path/to/HCTSW_PDA-3110-0-00WW-B01_600WW_10_20200405.fdump.lzma2/tee.img
fastboot flash vendor_a /path/to/HCTSW_PDA-3110-0-00WW-B01_600WW_10_20200405.fdump.lzma2/vendor.simg
fastboot -w reboot
- After reboot, enjoy Android 10.
Download link:
AFH: https://www.androidfilehost.com/?fid=4349826312261767469
SHA256 Checksum: f000263c677ff7f0963a34ece67ecaa2ceb16089e3aa1887dddbbe20d46d590c

FAQ​
Q1: Why you don't just leak OTA packages like before?
A1: This time I don't want to make my life harder in the future.
Q2: When Android 10 will be pushed to my country?
A2: I don't know. I even don't know when HMD Chinese localization team will be back. So no hope for localized Android 10 for Nokia X5 now.
Q3: How can I rollback to Android 9 if not satisfied?
A3: If not bootloader unlocked, switch the slot back to A under fastboot mode, then flash the phone with SP Flash Tool (Download only). Always backup the whole emmc to for the worst case.
If unlocked, use NFT featured on Nokia 7.2 forum: https://forum.xda-developers.com/nokia-7-2/development/tool-nft-1-0-1-nokia-flash-tool-to-t4003267
Q4: How can I unlock the bootloader?
A4: It's paid method and how to request cannot be disclosed here, or it will violate the rules of XDA.
Q5: My phone is bricked!
A5: I'm not responsible at all. We tested it on Nokia X5 sold in China already.
Q6: Can I use GCam?
A6: No. Nokia 5.1 Plus X5 doesn't support Camera2API at all, so no GCam.
Q7: What does HCTSW stand for?
A7: Hikari Calyx Tech SoftWare.

Reserved #2

Can I roll back to android 9 if I change my active partition to a if installed android 10 on b ??

bx2_nero said:
Can I roll back to android 9 if I change my active partition to a if installed android 10 on b ??
Click to expand...
Click to collapse
Probably yes, but you need to perform factory reset under stock recovery before switching slot.

Any reported bug by your tester?

bx2_nero said:
Any reported bug by your tester?
Click to expand...
Click to collapse
CTS probably cannot be passed which expected.
After that, didn't see any bug so far.

One known issue:
- This Android 10 build seems cannot be rooted with regular procedure of Magisk Manager.

hikari_calyx said:
One known issue:
- This Android 10 build seems cannot be rooted with regular procedure of Magisk Manager.
Click to expand...
Click to collapse
That means no payment app will work because of SafetyNet and no magisk so no bypassing that.

hikari_calyx said:
One known issue:
- This Android 10 build seems cannot be rooted with regular procedure of Magisk Manager.
Click to expand...
Click to collapse
In MTK-SU thread it says that any update after March 20 will block temp root , so I think April security patch fixed the MTK-SU method and it is included in the Android 10 build.

Tips to users who want to downgrade the phone:
- You must perform a regular factory reset on settings (Don't do factory reset on recovery or you will get stuck at FRP lock that requires you to install further updates)
After reset done, don't connect the phone to Internet and just reboot to fastboot mode.
- Switch the slot to A under fastboot mode right after factory reset.
Code:
fastboot --set-active=a
- Use SP Flash Tool to flash any Android 9 firmware on following website:
https://fih-firmware.hikaricalyx.com/hmd_en.html#pda
Any PDA-2***-0-00WW-B** (excluding PDA-209B-0-00WW-B06) are OK. I recommend PDA-214A-0-00WW-B01.
- Skip wifi connection at first boot, or you'll be asked to install latest updates and MTK-SU will be blocked.
- root the phone and follow the guide on topic.
I strongly recommend you, don't login Google account until everything is done.

Three Bugs noticed So far in Android™ 10 beta
1◆ Swiping left (The back button should appear on left) toggles back button on Right side
2◆Accent color: Color changes for text and not. bar but not in settings
3◆A white bar appearing above when using apps

To subscribers of this topic:
PDA-311A-0-00WW-B01 minor patch released!
What's new? I don't know - I don't have access to their changelog at all.
But, to install it, you must have PDA-3110-0-00WW-B01 installed and install the package via external SD card. ADB Sideload is unavailable.
https://www.androidfilehost.com/?fid=4349826312261794057

Cannot run su in adb
i have acquired root in phone with mtksu and suboot with magisk , but getting permission denied output when trying to run su in cmd. Shouldi I run mtksu through cmd? I tried doing that but I was getting cannot find su command.

xdriv3r said:
i have acquired root in phone with mtksu and suboot with magisk , but getting permission denied output when trying to run su in cmd. Shouldi I run mtksu through cmd? I tried doing that but I was getting cannot find su command.
Click to expand...
Click to collapse
Make sure that you have acquired root access buy using any root checker , then change the installation to inactive slot in magisk and wait on the same screen after it is successful, it will prompt to reboot..don't reboot open cmd and flash A10 beta , 'su' command should give a prompt on your phone to allow root access in adb , allow that then only you will be able to use the dd commands.
Dm me if you need further assistance.

bx2_nero said:
Make sure that you have acquired root access buy using any root checker , then change the installation to inactive slot in magisk and wait on the same screen after it is successful, it will prompt to reboot..don't reboot open cmd and flash A10 beta , 'su' command should give a prompt on your phone to allow root access in adb , allow that then only you will be able to use the dd commands.
Dm me if you need further assistance.
Click to expand...
Click to collapse
Successfully flashed Android 10 Beta. Thank you all so much.

Is it possible to factory reset the device?

xdriv3r said:
Is it possible to factory reset the device?
Click to expand...
Click to collapse
After the installation of A10 beta ... absolutely....and it will make it more stable.

bx2_nero said:
After the installation of A10 beta ... absolutely....and it will make it more stable.
Click to expand...
Click to collapse
I'll factory reset from the Android settings?

xdriv3r said:
I'll factory reset from the Android settings?
Click to expand...
Click to collapse
Yes you can.