[GUIDE] DUAL-SIM Mod for SINGLE-SIM MOTO-Z: compatible with (relocked BL), OTA ROMs - Moto Z Guides, News, & Discussion

Warning: This is dangerous! Even if you do everything according to the following description, your phone may end up damaged! There are no warranties!!
You may want to have a look at this thread: [GUIDE] to enable DualSim on SingleSim Moto Z by xequtor.
It also describes a way to enable dual-sim capability for devices that are shipped with just single-sim capability. Based on the research by -=MoRpH=- for another MOTO device, xequtor adapted the hack for the MOTO Z - nice work!
That method requires you to perform modifications on files within the FSG partition and setup a persistent variable. This is considerably safe, since this basically affects pretty generic data. Stick with this, if you want to keep the risks of what you're doing (to your device) rather low!
Note: if you did the changes as described in xequtor's guide and you now want to try out this method - you first need to revert those changes, e.g. restore your backup of the original fsg partition (TWRP)!
There is another way. I initially wanted to post it into xequtor's thread. However, I decided against it in order to avoid confusion that can easily result in irreparable data loss if done wrong! The required modification is considerably simple, even much simpler than the other approach, but it bears a different kind of risk: you're operating on per device individual data. These are usually not part of "nandroid" backups. Device-individual data is stored in the various partitions of the sdc flash drive. The following approach makes a tiny modification to the HW partition. However, we first make backups - and only with those in hand, the potential risks are severely mitigated, almost eliminated!
unlock bootloader
perform dualsim mod patch <-- here we go!
re-lock bootloader
Advantages:
persistent: with patch applied, your phone will remain a dual-sim phone, regardless of OTA-/fastboot-updates and restored backups.
relock-safe: with a stock rom properly installed, you can relock the bootloader and keep the dual-sim feature. It doesn't vanish after OTA-updates etc. You have to manually revert the mod to get back to single-sim mode.
Issues:
IMEI-1: as with all dualsim mods: IMEI-1 will display as 0 (invalid), a carrier possibly may not let you connect.
Detectable modification: Though this mod does in no way affect the security of this device, it is detectable. In the unlikely event that this causes problems, you can still undo the changes and go back to single-sim mode.
Unlocked bootloader: If you unlocked your bootloader just for this mod, as we cannot do the mod without, you can lock it again afterwards. However, the warranty-void bit keeps being set.
You need:
USB-Stick (either native or via USB-C-Hub/Adapter) ... or ... microSD card ...or... do it all via fastboot & adb
have fastboot & adb drivers installed.
have the bootloader unlocked
If you have just only unlocked the bootloader and changed nothing else then make a backup of your current recovery image! For this you can boot TWRP from ram:
Code:
fastboot boot twrp-3.1.0-0-griffin.img
Then you have to flash TWRP in order to be able to write the mod to flash - afterwards, you still can restore the original recovery and then relock the bootloader.
Code:
fastboot flash recovery twrp-3.1.0-0-griffin.img
Mod via USB-stick / microSD-card & update_signed.zip: [Note: this is experimental and risky! For now, I recommend the manual option described below]
copy the attached update_signed.zip to your USB stick (or microSD card)
connect USB-Stick/microSD card to your MOTO-Z
boot into TWRP recovery
install --> go to usb/sdcard and select the update_signed.zip
in order to activate the mod, you still need to erase the partitions modemst1, modemst2 and cache: reboot into bootloader...
Code:
fastboot oem hw
fastboot erase modemst1
fastboot erase modemst2
fastboot erase cache
fastboot reboot
Modding details / diy via fastboot & adb:
boot into bootloader mode
Code:
fastboot oem hw
you'll see the dualsim: false entry. That's what we want to change...
boot recovery from flash (ram boot = no write access)
Code:
adb shell "dd if=/dev/block/sdc3 of=/tmp/sdc3.bin"
adb pull /tmp/sdc3.bin
Look for the dualsim entry via hex editor. There you will find the pattern "dualsim [...] \06 [..] false \00". The update script changes that to "dualsim [...] \06 [..] true \00 \00". It should be \05, but that requires proper checks of the absolute address boundaries - you might need to rearrange all the following tags. A string with two terminating zeros keeps the structure and has no negative effect. (See hex editor screenshots below).
Afterwards, upload the modified file back to the phone and dd it back into flash:
Code:
adb push sdc3_mod.bin /tmp/sdc3_mod.bin
adb shell "dd if=/tmp/sdc3_mod.bin of=/dev/block/sdc3"
adb reboot bootloader
in bootloader mode you may want to check whether it worked.. & erase modemst1, modemst2 & cache!
Code:
fastboot oem hw
fastboot erase modemst1
fastboot erase modemst2
fastboot erase cache
fastboot reboot
Here are some pictures from my re-locked dualsim-modded stock rom - as you can see, full dualsim support is present. However, no IMEI for the second sim card. At least here in Germany and many other countries that's (currently) not an issue.
I didn't upgrade to the latest nougat version in order to keep my current bootloader version... (I'm running LineageOS anyway..)
Links:
https://dl.twrp.me/griffin/twrp-3.1.0-0-griffin.img.html
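The manual hex edit described in the guide above can be checked before the image is written back with dd. The following Python sketch is an added example, not part of the original post: it confirms that sdc3_mod.bin has the same size as sdc3.bin and that the only bytes that differ are the "false\0" to "true\0\0" change close to a dualsim tag. The 64-byte search window and the layout of the sample image are assumptions, and the sample bytes are constructed.

```python
import hashlib
import sys

TAG = b"dualsim"
OLD = b"false\x00"        # 6 bytes, as found in the untouched image
NEW = b"true\x00\x00"     # 6 bytes, second NUL keeps the field length unchanged
WINDOW = 64               # assumption: the value sits within 64 bytes after the tag


def sha256_hex(data: bytes) -> str:
    """Hash to note down next to the backup so it can be re-checked later."""
    return hashlib.sha256(data).hexdigest()


def diff_offsets(a: bytes, b: bytes, chunk: int = 1 << 16) -> list:
    """Offsets where two equal-length buffers differ (chunked for large images)."""
    out = []
    for base in range(0, len(a), chunk):
        ca, cb = a[base:base + chunk], b[base:base + chunk]
        if ca != cb:
            out.extend(base + i for i, (x, y) in enumerate(zip(ca, cb)) if x != y)
    return out


def verify_patch(orig: bytes, mod: bytes) -> list:
    """Return a list of problems; an empty list means the edit looks as intended."""
    if len(orig) != len(mod):
        return [f"size changed: {len(orig)} -> {len(mod)} bytes (following tags would shift)"]
    diffs = diff_offsets(orig, mod)
    if not diffs:
        return ["images are identical: nothing was patched"]
    problems = []
    start = diffs[0]
    # Every changed byte must fall inside the 6-byte value field.
    stray = [d for d in diffs if d >= start + len(OLD)]
    if stray:
        problems.append(
            f"{len(stray)} changed byte(s) outside the value field, first at 0x{stray[0]:x}")
    if orig[start:start + len(OLD)] != OLD:
        problems.append(f"original bytes at 0x{start:x} are not 'false\\0'")
    if mod[start:start + len(NEW)] != NEW:
        problems.append(f"patched bytes at 0x{start:x} are not 'true\\0\\0'")
    # The change must sit shortly after a dualsim tag, not at some other 'false'.
    if orig.rfind(TAG, max(0, start - WINDOW), start) == -1:
        problems.append(f"no '{TAG.decode()}' tag within {WINDOW} bytes before 0x{start:x}")
    return problems


def sample_image(value: bytes) -> bytes:
    """Constructed stand-in for the partition image; filler bytes are made up."""
    return (b"\xff" * 32 + TAG + b"\x00" * 4 + b"\x06" + b"\x00" * 3
            + value + b"nexttag" + b"\xff" * 32)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            original = f.read()
        with open(sys.argv[2], "rb") as f:
            modified = f.read()
    else:
        original, modified = sample_image(OLD), sample_image(NEW)
    print("backup sha256 :", sha256_hex(original))
    print("patched sha256:", sha256_hex(modified))
    issues = verify_patch(original, modified)
    for line in issues:
        print("PROBLEM:", line)
    print("OK to write back" if not issues else "do NOT write this image back")
    sys.exit(1 if issues else 0)
```

Run it as `python check_patch.py sdc3.bin sdc3_mod.bin` (the script name is arbitrary); without arguments it checks the constructed sample.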

reserved

It is blocked on bootloader unlocked message after the installation of the update zip
I have the latest bootloader
EDIT: I installed Lineage OS and it works but the sim 2 has no network

chucky91 said:
It is blocked on bootloader unlocked message after the installation of the update zip
I have the latest bootloader
EDIT: I installed Lineage OS and it works but the sim 2 has no network
Did you erase modemst1, modemst2 & cache after you applied the mod?
If so, perhaps IMEI=0 actually is an issue for you... (which country, which carrier?)

I erased modemst1, modemst2 & cache after I applied the mod. I saw that it works fine when I choose the sim 1 by default for data but when I choose sim 2, I lose network from sim 2, my carrier are Free and Bouygues (France) in roaming with Rogers and Telus (Canada)

chucky91 said:
I erased modemst1, modemst2 & cache after I applied the mod. I saw that it works fine when I choose the sim 1 by default for data but when I choose sim 2, I lose network from sim 2, my carrier are Free and Bouygues (France) in roaming with Rogers and Telus (Canada)
In case you did the dualsim modifications to the fsg partition (deleting/renaming files) as suggested in the other guide, you need to revert them!
Just flash back the original fsg partition (twrp). Then, erase modemst1/2+cache and reboot...

How I restore the original fsg partition?

chucky91 said:
How I restore the original fsg partition?
Get the unmodified fsg.mbn from a recent rom update...
Code:
fastboot flash fsg fsg.mbn
fastboot erase modemst1
fastboot erase modemst2
fastboot erase cache

But your guide is my first modification on my moto Z, I never modified nothing before. I revert and reflash but same problem.
I have the latest bootloader updated with Nougat OTA, the problem can be this?
And the data works for you with the sim 2?

chucky91 said:
I have the latest bootloader updated with Nougat OTA, the problem can be this?
And the data works for you with the sim 2?
You are currently roaming in france with your canadian sim cards is that right? I have no idea how IMEI=0 is handled there in general and perhaps for roaming customers in particular.
From what you are describing it sounds like they are kicking you out just because you're trying to connect with IMEI=0...
Are there any other dualsim-modder aliens roaming in france willing to testify?

Lol i'm roaming in Canada with french sim, yes i think that the imei doesn't allow me to have network when I want to use my data from my sim 2

Thanks. Did manual method on reteu device with latest official software ( NPLS25.86.30-8 ). Dual sim options now available. At the moment I have no second nano sim available, but do not expect any problems as I'm also in Germany.

I put a Sim from Telus and the 2nd sim works when I choose it to use data...The issue is probably the roaming.

chucky91 said:
I put a Sim from Telus and the 2nd sim works when I choose it to use data...The issue is probably the roaming.
Thanks for the feedback... that makes you an ideal candidate for testing (Not that I currently have anything for you to test, though)
Currently, we are lucky that dualsim works at all! That may easily change with a non-reversible bootloader update that for instance enforces a more restrictive modem firmware.
The problem you're experiencing is likely connected to the 2nd IMEI showing an invalid number ("0"). A properly configured setup has an ID-block for each sim slot. Since our model is shipped with single-sim configuration, the second ID-block is missing. (I say it again: we are lucky that it generally works at all.. !)
Faking the second ID block would be the next step. However, the data is digitally signed and bound to the processor's serial number. Only those ID blocks with a valid signature are accepted.
In "engineering mode" that signature verification is/can be skipped. While this was said about a different MOTO phone model, I'd expect that it also applies for our MOTO Z.
If this is true, then this means: a) engineering mode is a bootloader thing, b) the bootloader is allowed to install unsigned modem firmware/data.
However: a) the engineering mode fuse is blown during commercial production. There is no way to officially re-enable engineering mode.
Re: b) the bootloader (aboot) code is available for reverse-engineering, which is good. In the past, there have been possibilities (trust zone kernel exploit).. but moto has done some (non-reversible) patching meanwhile.

Can we duplicate the imei from 1st modem to 2nd modem? And for the restrictions, Actually, i'm using the lastest Bootloader and it works fine !

chucky91 said:
Can we duplicate the imei from 1st modem to 2nd modem? And for the restrictions, Actually, i'm using the lastest Bootloader and it works fine !
There is a bit (or rather a number) in the signed(!) data block indicating the sim slot... So no, that doesn't work. (Modifying the data would invalidate the signature and thus get the whole block rejected).

Will this work with moto z play? In a permanent way

benzinerwin said:
There is a bit (or rather a number) in the signed(!) data block indicating the sim slot... So no, that doesn't work. (Modifying the data would invalidate the signature and thus get the whole block rejected).
So, as I understand, you need an original dual-sim manufactured mobile phone, but there are nobody who have one... or is afraid to share the IMEI to you, isn't it?
Nevertheless, in addition there is a digital signature which is not easy to analyze... or to understand. Therefore I think there is no way to get a second IMEI into the single-SIM mobile phone

b0mmel said:
So, as I understand, you need an original dual-sim manufactured mobile phone, but there are nobody who have one... or is afraid to share the IMEI to you, isn't it?
Nevertheless, in addition there is a digital signature which is not easy to analyze... or to understand. Therefore I think there is no way to get a second IMEI into the single-SIM mobile phone
I've obtained and analyzed such an ID-block. It's linked to the phone's serial number. You would have to change it to your serial number, but changing any tiny bit inside the ID block immediately renders the signature invalid. So there's nothing you can do besides looking for a loophole... (I'm not that confident, though. Research in that matter would require a lot of effort - probably too much for something that works (with IMEI=0) well enough for most/many).

I'm in France actually with 2 french sim cards (no roaming) and it works fine. The first 20min, it didn't work, I had to reboot 4-5 times

Related

[RC-FAQ] >> Frequently Asked Questions for Motorola Moto G [Updated : 2015/09/23]

Frequently Asked Questions
Motorola Moto G
Read Before Asking Please
This is a short list of frequently asked questions in this device forum and the answers often given as a response. It should serve as a starting point for gathering knowledge and finding solutions to many common problems. Please only post in this thread with feedback on how to improve this document. Do not post "Thank you" type responses. If you have additional questions or require more help, try to find an existing thread or create your own. Do not use this as a general help thread.
To Browse quickly the FAQ and find what you need, Ctrl+F is the key feature
You may search in Motorola help topics too
Table of content :
FAQ part 1
General advices about debugging
Unlocking Bootloader
Rooting your device :
- Option 1, using SuperBoot [external thread, on MoDaCo]
- Option 2, using a customized recovery [external thread, on MoDaCo]
- Option 3, for 4.4.2 using SuperSU [external thread, on swedroid.se]
Useful Links
build.prop collection
Refer to :
@Perseus71 Ressource Guide for tech specifications, ROMs, Kernels, Root ...
@Mr hOaX Tips and Tricks thread for more Up-To-Date information
@72off Android related terms and abbreviations
@pinguijxy FAQ, for CM11 related issues.
THIS FAQ IS MADE FOR Moto G 'old' editions (NOT FOR 4G/LTE MODEL or 2d Gen [aka 2014])
FAQ
Q1: What are Moto G tech specs?
The Motorola Moto G is named XT1032/XT1033/XT1034/XT1035/... aka Falcon
XT1028: Verizon US CDMA - 8GB/16GB
XT1031: Boost US CDMA - 8GB/16GB
XT1032: EU/Global GSM/GPe - 8GB/16GB. (GPe = Google Play edition)
XT1033: Brazil - 8GB/16GB (Colors Edition) (Dual Sim) + Moto G (Music edition) (Dual Sim) (16GB Only)
XT1034: US GSM - 8GB/16GB.
XT1035: Brazil - 8GB/16GB (Colors Edition) (Unconfirmed)
Moto G 4G/LTE aka peregrine : ==> /!\ Roms made for standard edition (non-4G) are not compatible with these devices!
XT1045: Moto 4G - 8GB
XT1039: Moto 4G - 8GB UK/EU
XT1040: Moto 4G - 8GB Brazil
Complete specifications available in @Perseus71 Guide or @Mr hOaX Tips and Tricks thread
Q3: Why doesn't the LED work?
Maybe you disabled the LED on your older device (or it didn't even have one); setting up your Google account disabled the LED on your new Moto G. Use Notification Light Widget From Motorola to fix this issue (more info)
Q4: How to access Fastboot?
Hold PowerButton and VolDown during boot.
Q5: How to unlock Bootloader?
Boot to Fastboot and follow this guide
or Motorola guide on Motorola's website
Q6: How do i get adb and fastboot drivers?
For windows, follow this guide or this one
although, it seems Motorola Device Manager works ok for win7x86-32 (but not for win7x64-64?) i cannot answer this i'm under linux
other USB drivers if first method failed, source
For Linux, get fastboot files here also, adb and fastboot can be installed using repos for ubuntu-based distros packages needed are : android-tools-adb and android-tools-fastboot (android-tools-fsutils may be useful too)
eg:
Code:
sudo apt-get install android-tools-fastboot
Q7: How to flash Stock Firmware?
For windows, follow this guide or this video
The above is for non-4G devices, for Moto G 4G version refer to this thread
Q8: How to Root my device?
Until now, you first need to unlock your bootloader,
Option 1 : then follow this guide [original thread - on MoDaCo]
Option 2 : via a customized recovery [original thread, on MoDaCo]
paulobrien said:
The first method is recommended as it doesn't mess with the recovery. But the second is there as a backup.
==> Option 1 seems not to work properly for some users, in that case : Try Both.
After you get root, please read Q19
Q9: Why doesn't my .apk get installed manually?
Until i get a better solution, here are some workaround :
Check you've enabled Unknown sources (settings>security>unknown sources)
If you did so, there are some workaround :
At the phone first set-up (you may need to factory-reset to get that) - When Motorola assistant asks for data safety (just before the Google accounts question comes up), don't click accept, but tap on "data safety guidelines" and tick both settings to off. Then accept.
Use adb :
Code:
adb install packagename.apk
Use google drive to download the app (gdrive has an antivirus scanner that checks the app, since then it is considered as "safe" for the device and is correctly installed)
other workaround
Q10: Where can i find a Custom recovery?
TWRP Recovery ported by @a1Pha
CWM recovery ported by @a1Pha
CWM Advanced Edition PhilZ Touch by @Phil3759
TWRP 2.7.1.0 by @TeamMex
Q11: How to access bootloader?
- Via ADB :
Code:
adb reboot bootloader
- The hard(ware) way :
With the phone powered off, press the VOL DOWN KEY for 2-3 seconds then POWER key then release.
The device will display different BOOT OPTIONS
Use the VOL DOWN Key to SCROLL to Recovery and VOL UP Key to select
Q12: How to access recovery?
using terminal, if the device is already rooted
Code:
su
reboot recovery
via adb
Code:
adb reboot recovery
via bootloader
boot to bootloader (see Q11) and select recovery (use the VOL DOWN Key to SCROLL to Recovery and VOL UP Key to select)
via external app
Q13: How to force reboot my frozen device?
Press and hold the Power button for 10 - 20 seconds, the device will restart and go through the boot-up sequence [source]
(VOL DOWN hold + a quick tap on POWER should force reboot when in bootloader) [source]
Q14: How to charge my device and extend battery life?
Follow Motorola tips:
How do I properly charge my device?
How can I extend my battery life?
Q15: Does rooting/unlocking your phone invalidate its warranty? (In EU)
In short: No. Just the fact that you modified or changed the software of your device, is not a sufficient reason to void your statutory warranty. As long as you have bought the device as a consumer in the European Union.
[source]
Q16: What to do if my battery is fully discharged and not re-charging?
Motorola said:
If your battery is completely discharged, it may take several minutes for the device to begin charging. The battery needs to charge to a minimum voltage before the system can boot up, and this may take a few moments to achieve.
You may have experienced the 'sudden battery drop' : go to Q25 [source]
Also refer to Moto G will not power up (Q28)
Q17: OMG i really bricked my device... Any chance getting it back to life?
If your device is apparently dead, and does not look like a phone when connected to PC, then have a look at this guide by @Boss442
Q18: How to flash Stock Radio (aka Baseband) / Kernel and why?
Flashing the latest Radio may help if you have problems with poor signal or wifi coverage. Flashing the SS (Single Sim) radio on a Dual Sim device may cause one or both Sims to stop working. Likewise, flashing the radio from a non-CDMA device to a CDMA one, is a very bad idea.
Flashing a newer / different Radio or Kernel may improve battery-life and general performance
ClockWorkMod Recovery or TWRP is required to flash these images.
http://forum.xda-developers.com/showthread.php?t=2649763
Q19: Lost IMEI ? : How to backup / restore PDS partition and why?
On Motorola devices the 'pds' partition contains information specific to your machine: IMEI, MAC address, serial number, etc. This partition can be lost by accidental format or over time due to filesystem corruption. If you have made a backup, there is a good chance you can bring your handset back to life.
==> PDS backup will help to restore lost IMEI. It is a situation when the phone reports that the IMEI is unknown. ; This works like a vaccine, apply before having issue with IMEI, after it will be too late !
Instructions:
**Root Required**
Using ADB you can make a copy of the partition and move it to a safe place (Google Drive?):
adb shell
su
dd if=/dev/block/platform/msm_sdcc.1/by-name/pds of=/sdcard/pds.img
To restore in the event of corruption or loss:
adb shell
su
dd if=/sdcard/pds.img of=/dev/block/platform/msm_sdcc.1/by-name/pds
(assuming you've pushed pds.img to internal SDcard storage first)
If for some reason this doesn't work, maybe your IMEI isn't destroyed but only not "readable" by system (file system issue? misread cluster reading frame ? no idea), in that case you may read the following story : http://forum.xda-developers.com/showthread.php?p=52648789
Q20: How to disable/enable auto On/Off screen with Flip Shell?
for stock rom : (disabling, since it's enabled by default)
install Xposed framework (and reboot)
install and enable MotoMagnetOff (and reboot)
for CM11: (enabling, since it doesn't work by default)
Follow this FAQ
Q21: how to remove the 'unlocked warning' message?
Follow @ffosilva method and default Motorola logo will be back
Q22: Why and How convert Moto G GPe to non-GPe?
GPe uses EXT4 for its 'userdata' filesystem, non-GPe uses f2fs. The GPe kernel expects an EXT4 partition and gives an encryption error if there isn't one. So just flashing a custom ROM won't work on GPe.
Converting a GPe MOTO G to a non-GPe Moto G:
(we would need someone to approve this method, and if you made it a different way, please, tell us)
1) Fastboot flash retail US XT1032 stock firmware found here:
http://sbf.droid-developers.org/phone.php?device=14​
2) This will wipe the device, replace GPe kernel and radio with stock non-GPe versions and create a new partition table with f2fs filesystem for 'userdata.'
3) Custom ROMs will now work and as will all Motorola Moto G apps.
Q23: How to reboot into 'safe mode'?
Press power button, on the pop up, either keep pressing 'shut down' [stock] or 'reboot' [AOSP based]
more infos about this feature
Q24: How to keep backups on my 8GB device without losing space?
To backup :
Use a micro USB-OTG adapter and a USB-storage
boot to recovery
go to backup and storage > backup to /storage/usbdisk
wait (it is really slower than when done to /sdcard ==> especially when generating md5sum!)
reboot your system
To restore your backup :
Use a micro USB-OTG adapter and the USB-storage where the backup is located
boot to recovery
go to backup and storage > restore from /storage/usbdisk
wait (it is really slower than when done to /sdcard)
reboot your system
Enjoy !
You now have a way to keep all your backups, without over flooding your device's storage ! (make sure you won't lose the external storage and keep it safe!)
Q25: Abrupt Drop Battery Issue (Battery suddenly drops to 0%)
Description: This issue appears to affect all versions of Moto G; while some people never experience it, others have it frequently. Most likely to occur when tethering / using USB cable. Android versions 4.3 and 4.4.2 are vulnerable.
Solution: Issue fixed in Android 4.4.3.
Kirk Stromberg said:
If anyone else experiences this abrupt drop on your Moto G *after* updating to 4.4.3, we'll need your serial number/IMEI for further investigation and may need to be in more direct contact. Please send an email to:
[email protected]
- with the title "Abrupt Drop" and
-include your serial number (Settings>About Phone>Status) and
- note to please forward to me (Kirk Stromberg).
We'll obviously keep working this here in the forums as well but want to isolate anyone still having this on 4.4.3, especially if it is repeats with some frequency. I know it is reproducible fairly reliably for some of you (tethering/USB cable).
https://forums.motorola.com/comment/785885
Q26: Issues with MMS on boost mobile with Moto G?
Apply the following changes :
apns-config.xml
Code:
<apn carrier="Boost Mobile" mcc="311" mnc="870" apn="n.boost.ispsn"
mmsproxy="68.28.31.7" mmsport="80" mmsc="http://mm.myboostmobile.com"
type="default,supl,mms,fota,dun" carrier_enabled="false" protocol="IPV4V6"
roaming_protocol="IPV4V6" bearer="13" />
build.prop
Code:
ro.cdma.home.operator.numeric=311870
ro.cdma.home.operator.alpha=Boost Mobile
ro.telephony.default_network=13
telephony.slteOnCdmaDevice=1
get more here
Q27: Miracast / TV Screen-mirroring / DNLA app not working?
Description: Android 4.4.2 added a 'Settings > Display > Cast screen' (Miracast) option, but it does not function - missing settings menu.
Solution: (Root Required)
This feature now works correctly with Android 4.4.3. However, you still need to enable the 'Cast screen' settings menu by adding the following line (if not already present) to /system/build.prop:
persist.debug.wfd.enable=1​
For quick access to the feature, install: Miracast Widget.
Additionally, 4.4.3 improves compatibility with Allcast and BubbleUPnP, along with other DNLA apps that did not operate correctly in 4.4.2
Simultaneous Internet connection and Screen-mirroring is not possible in Stock Motorola Firmware 4.4.3 or 4.4.4. This may change with a future update or with the release of Android 'L.' Most Custom ROMs do however support this ability.
The utility SecondScreen (root required) allows Moto G's screen resolution to be easily changed when Screen-mirroring - e.g. 720p or 1080p. The app has several additional features such as turning the phone's screen off and disabling haptic feedback in order to save battery usage while Screen-mirroring.
Q28: Moto G will not power up (addition to Q16 and Q25)
Plug it into the charger
Hold the VOL DOWN key
While still holding the VOL DOWN key, press and hold the POWER key
Hold both keys down for over 120 seconds. This is more than two minutes and will seem like a long time. You might want to time yourself to make sure you hold it longer than two minutes.
After holding the keys down for more than two minutes, release them.
The Flash Boot screen will display, and the Normal Reboot option will be highlighted
Press the VOL UP key and the device will start a normal reboot.
If you have tried the above and it didn't work, try this:
Plug in the phone for 15 minutes.
Proceed to Step 2 above.
Source: https://forums.motorola.com/posts/3d5eadc25d
Q29: 4.4.3 / 4.4.4 update issues
If after getting the update to 4.4.3 / 4.4.4 you encounter some problem, there are several options:
App-specific issues: Some apps may simply not be compatible with the latest version of Android and you have to wait until they are. You could always mention it to the App developer via Google Play.
Anything else: Could be solved be doing a Factory reset: (Back up anything important!)
Setting > Backup & reset > Factory data reset (erase all data on phone)​
The best and cleanest way to get to 4.4.4 from a previous version of Android; is to Fastboot flash a Motorola Stock Factory Firmware Image. This can avoid any potential issues that may arise when upgrading via an Over the Air (OTA) update. Also see: "Q7: How to flash Stock Firmware?" in this FAQ.
Stock Factory Firmware Images are available here:
http://sbf.droid-developers.org/phone.php?device=14​
When new images are available they are announced here:
http://forum.xda-developers.com/showthread.php?t=2546251
Q30: i encounter '(bootloader) Preflash validation failed' error message when flashing Firmware Image
You may have updated to Android 4.4.4 via firmware image or OTA update. In this case you now also have the latest version of the Bootloader. That is why you get the above output when attempting to flash a 4.4.2 firmware image. ==> simply flash 4.4.4 images instead.
If the error still occurs, even with a 4.4.4 firmware image, then unlocking bootloader will be necessary.
Q31: Various way to fine tune your Moto
Greenify : prevent unwanted apps from awaking device or running in background (works on both rooted and not devices, but best performances are with rooted+Xposed).
MinFree settings : if you think the moto G (4.4.4) is too aggressive about killing apps to free memory so that you can't switch between two large apps without it killing one app and restarting it, then try tuning MinFree settings, rooted devices only.
Q32: What can i do with my Notification LED?
Actually your device has 2 LEDs [source] and here is how to play with it : http://forum.xda-developers.com/moto-g/development/led-moto-g-led-custom-controls-t2951463
it can be used as a eMMC activity monitoring, or for charging or USB connected!
Q33: Spare space needed? using /cache partition
Moving /data/dalvik-cache to /cache/dalvik-cache to use the 600MB of /cache for something useful
==> only using Dalvik.
==> http://forum.xda-developers.com/moto-g/general/mod-save-data-space-cache-partition-t2942765 (by @Bert98)
Q34: How can I add init.d Support to Stock ROM without using a Custom Kernel?
This can be done by adding the following to: /system/etc/init.qcom.post_boot.sh
Code:
# init.d support
busybox run-parts /system/etc/init.d/
Busybox also required. (Don't know what it is? search a little, it won't hurt you)
Q35: I reduced brightness to 0 and got stuck with a black screen?
This appears to be a bug in 'Adaptive brightness.' Turning it off and on should stop this happening.
If you are in this situation, try shining a torch light on the screen at an angle to make out the very dim display. You can also try swiping down the 'quick toggle' notification menu and changing brightness via the sliding bar. [Source]
Q36: I flashed a ROM and GPS has stopped working?
Flash this 'no-GPS' fix zip via custom recovery.
Alternatively, enter Fastboot mode and type the following commands:
Code:
fastboot erase modemst1
fastboot erase modemst2
Q37: How can I update my bootloader?
Understand the risks and simply choose between an automated process (for Windows users only) or the step by step one (for Linux users mainly) here
This FAQ is part of a Recognized Contributor Group Initiative. Please look for a similar FAQ thread when visiting another device forum.
A special thanks to everyone who contributed to the production of this FAQ.
Reserved for part 2
Stock firmware links for a bunch of Moto devices :
http://goo.gl/Qa5WRW
Some useful command lines for any user wanting to know what's going on:
requirements :
On Windows : install Moto G drivers and
On Linux : set your rules following that guide (3. Set up your system to detect your device.) : add to /etc/udev/rules.d/51-android.rules the following code
Code:
#motog normal mode
SUBSYSTEM=="usb", ATTR{idVendor}=="22b8", ATTR{idProduct}=="2e82", MODE="0666"
#motog debug mode
SUBSYSTEM=="usb", ATTR{idVendor}=="22b8", ATTR{idProduct}=="2e76", MODE="0666"
#motog fastboot mode
SUBSYSTEM=="usb", ATTR{idVendor}=="22b8", ATTR{idProduct}=="2e80", MODE="0666"
For specific access by one group of users, add GROUP="[groupname]"
______________________________
______________________________
______________________________​
Let's start ! :
in terminal, just type the lines,
in ADB, add "adb" before the commands
if you want not to display the output in terminal, specify the path :
Code:
command > /where_you_want_your_output_to_be_stored/name_you_want_for_the_log
to know if KSM is really turned on : KSM means Kernel Samepage Merging, may not exist on Moto G stock or custom roms
Code:
cat /sys/kernel/mm/ksm/run
to know what modules are running :
Code:
lsmod
install an app from terminal :
Code:
pm install /sdcard/app1.apk
from adb :
Code:
adb install /home/user/app1.apk
(if your .apk is located there )
your kernel crashed?
Code:
cat /proc/last_kmsg
ex : from adb, and stored in /home/user/last_kmsg1
Code:
adb shell cat /proc/last_kmsg > /home/user/last_kmsg1
an app crashed, you want to know why?
Code:
logcat
ex : from adb and stored in /home/user/myfirstlogever
Code:
adb logcat > /home/user/myfirstlogever
Don't have a USB cable? Or want adb "over the air":
connect to your home wifi network (both device and pc)
in settings/dev options/ enable adb on TCP/IP
Code:
adb connect xxx.xxx.xxx.xxx:5555
(the IP is the one displayed in the option you chose previously)
and then, since it is connected, catch the log :
Code:
adb logcat > /home/user/myfirstlogever
All commands and syntax used for ADB can be found here
__________________
More is coming
enjoy !
Unlocking Bootloader
Rusty! said:
Code:
#include <std_disclaimer.h>
/*
* Your warranty is now void.
*
* I am not responsible for bricked devices, dead SD cards,
* thermonuclear war, or you getting fired because the alarm app failed.
* YOU are choosing to make these modifications, and if
* you point the finger at me for messing up your device, I will laugh at you.
*/
>>> Unlocking Bootloader will overwrite any data stored on your device, backup your files before proceeding <<<
For 4.4.2, an updated guide is available here
For real GPe devices (not ones with a GPe ROM added on it after the purchase), NO code is needed, simply skip to "3. Unlock"
1- Register to Motorola website
2- get your Device ID
Put your device in fastboot mode (power off, then press the power and volume down buttons simultaneously).
On your desktop, open a command prompt or terminal, and go to the directory where you installed the Android SDK tools (or make sure fastboot is in your $PATH)
At the prompt, type
Code:
$ fastboot oem get_unlock_data
The returned string will be used to retrieve your unlock key.
Example: On a Windows Desktop, the returned string format would be
Code:
$ fastboot oem get_unlock_data
(bootloader) 0A40040192024205#4C4D3556313230
(bootloader) 30373731363031303332323239#BD00
(bootloader) 8A672BA4746C2CE02328A2AC0C39F95
(bootloader) 1A3E5#1F53280002000000000000000
(bootloader) 0000000
On a Mac OS Desktop, the returned string format would be
Code:
INFO0A40040192024205#4C4D3556313230
INFO30373731363031303332323239#BD00
INFO8A672BA4746C2CE02328A2AC0C39F95
INFO1A3E5#1F53280002000000000000000
INFO0000000
Paste together the 5 lines of output into one continuous string without (bootloader) or ‘INFO’ or white spaces. Your string needs to look like this:
Code:
0A40040192024205#4C4D355631323030373731363031303332323239#BD008A672BA4746C2CE02328A2AC0C39F951A3E5#1F532800020000000000000000000000
3- Unlock
Check if your device can be unlocked by pasting this string in the specific field on the Motorola website, and clicking “Can my device be unlocked?”
NOTE: If your device is unlockable, a "REQUEST UNLOCK KEY" button will now appear at the bottom of that page.
after you got the code type the following :
Code:
fastboot oem unlock <code>
or for GPe devices :
Code:
fastboot oem unlock
and wait for your device to reboot!
4- Enjoy
5- to relock, (pointless, isn't it?)
First you'll need a stock firmware for your specific device [make sure the device number is the right one at least...]
Then follow these steps:
Open the zip
Find 'flashfile.xml'
Make sure to check integrity of EACH img/bin files in the stock firmware zip before proceeding (to do that, look at the flashfile.xml)
e.g.:
Code:
<step MD5="daae9a555a3789558ee44f9e1fddc8c5" filename="gpt.bin" operation="flash" partition="partition"/>
check that gpt.bin MD5 is really daae9a555a3789558ee44f9e1fddc8c5 and has not been corrupted during download/unpacking
Prepare your device (boot to fastboot) and start relocking:
Code:
fastboot oem lock begin
Flash in the order:
Code:
mfastboot flash partition gpt.bin
mfastboot flash motoboot motoboot.img
mfastboot flash logo logo.bin
mfastboot flash boot boot.img
mfastboot flash recovery recovery.img
mfastboot.exe flash system system.img_sparsechunk.0 // note that you may have more or less sparsechunks, FLASH THEM ALL
mfastboot.exe flash system system.img_sparsechunk.1 // alternatively the files could be named system.img_sparsechunk[1-3] instead
mfastboot.exe flash system system.img_sparsechunk.2
mfastboot.exe flash system system.img_sparsechunk.3
mfastboot flash modem NON-HLOS.bin
mfastboot erase modemst1
mfastboot erase modemst2
mfastboot flash fsg fsg.mbn
mfastboot erase cache
mfastboot erase userdata
Finish relocking:
Code:
mfastboot oem lock
Done!
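The integrity check from step 5 above (compare every img/bin file against the MD5 recorded in flashfile.xml before flashing), as an added Python example that is not part of the original post. The manifest wrapper elements, the sample files and the function names `verify_flashfile` and `safe_to_flash` are assumptions constructed for illustration; only the `<step MD5=... filename=...>` attribute layout comes from the post.

```python
import hashlib
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path


def md5_of(path, chunk_size=1 << 20):
    """Stream the file so large system sparsechunks never sit fully in RAM."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_flashfile(firmware_dir, manifest="flashfile.xml"):
    """Check every <step filename=... MD5=...> against the file on disk.

    Returns {filename: status}; status is one of
    "ok", "mismatch", "missing", "no-md5", "unsafe-path".
    """
    firmware_dir = Path(firmware_dir)
    root = ET.parse(firmware_dir / manifest).getroot()
    results = {}
    for step in root.iter("step"):
        name = step.get("filename")
        if not name:
            continue  # steps such as erase reference no file
        expected = (step.get("MD5") or "").strip().lower()
        target = firmware_dir / name
        if Path(name).name != name:
            status = "unsafe-path"  # manifest entry points outside the folder
        elif not target.is_file():
            status = "missing"
        elif not expected:
            status = "no-md5"
        elif md5_of(target) != expected:
            status = "mismatch"
        else:
            status = "ok"
        results[name] = status
    return results


def safe_to_flash(results):
    """Only proceed when at least one file was listed and all of them matched."""
    return bool(results) and all(s == "ok" for s in results.values())


def demo():
    """Constructed firmware folder: one image truncated, one never unpacked."""
    images = [
        ("gpt.bin", "partition", b"constructed partition table"),
        ("boot.img", "boot", b"constructed boot image"),
        ("logo.bin", "logo", b"constructed logo"),
    ]
    step = '<step MD5="%s" filename="%s" operation="flash" partition="%s"/>'
    with tempfile.TemporaryDirectory() as tmp:
        fw = Path(tmp)
        steps = []
        for name, partition, data in images:
            (fw / name).write_bytes(data)
            # upper-case on purpose: the comparison must be case-insensitive
            steps.append(step % (hashlib.md5(data).hexdigest().upper(), name, partition))
        # listed in the manifest but missing from the unpacked folder
        steps.append(step % ("0" * 32, "recovery.img", "recovery"))
        steps.append('<step operation="erase" partition="cache"/>')
        (fw / "flashfile.xml").write_text(
            "<flashing><steps>\n%s\n</steps></flashing>\n" % "\n".join(steps)
        )
        # simulate a download that was cut short after the manifest was written
        (fw / "boot.img").write_bytes(b"constructed boot")
        results = verify_flashfile(fw)
    return results, safe_to_flash(results)


if __name__ == "__main__":
    results, ok = demo()
    for name, status in results.items():
        print(f"{status:12} {name}")
    print("safe to flash:", ok)
```

A matching MD5 only shows that the file survived download and unpacking intact; the manifest ships in the same zip, so it says nothing about where the zip came from.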
having all this, do you know of anyone who is already working on cyanogenmod and other custom roms and kernels?
toby913 said:
having all this, do you know of anyone who is already working on cyanogenmod and other custom roms and kernels?
i don't know, but if the community is cool, calm, willing to work and contribute, thankful and "not flaming people that try to build something" then maybe there will be some devs coming for some work around here
matmutant said:
i don't know, but if the community is cool, calm, willing to work and contribute, thankful and "not flaming people that try to build something" then maybe there will be some devs coming for some work around here
well then i'll ask differently do you think that the device needs something like a custom-rom or kernel?
what do you think generally about it?
toby913 said:
well then i'll ask differently do you think that the device needs something like a custom-rom or kernel?
what do you think generally about it?
With custom kernels (they generally are better optimised than stock) we'll get overclock (some extra performance but mostly useless); undervolt (extremely efficient for getting higher battery life when the device is idle, i.e. nearly no drain in deep sleep contrary to a non-undervolted device); other IO schedulers (that can give better perf in IO: I made some work about this on my old device, see here and here) and many other cool features.
With Custom roms like CM, PA, AOKP, PAC ... we'll get many features as personalizations, theming, performances settings... and many things you could get on stock rooted rom + Xposed, but that's better when things are in the code
But at first, i mean when a kernel/rom is young we'll get instabilities, crashes, maybe some soft bricks : That's the price for cool and fully working Customs
All is based on what you want :
stability (mostly) and simpleness = stay on stock
performance, long lasting battery, fully optimised kernel, extra features, BUT instabilities or little crashes/drawbacks = go on Customs
So are you already cooking a kernel for the moto g
Sent from my LG-E610 using xda app-developers app
toby913 said:
So are you already cooking a kernel for the moto g
Sent from my LG-E610 using xda app-developers app
No, because i am neither a cooker, nor a developer... Only a Contributor
Code:
adb install packagename.apk
Is going to be easier than using package manager via adb shell.
Rusty! said:
Code:
adb install packagename.apk
Is going to be easier than using package manager via adb shell.
thx,
is that full syntax ? no path for app name ?
I'm assuming adb in the same location as the apk, or (as I have it) in the path.
Also unlocking your bootloader does still void your warranty, it's only the developer versions that it doesn't.
Rusty! said:
I'm assuming adb in the same location as the apk, or (as I have it) in the path.
Also unlocking your bootloader does still void your warranty, it's only the developer versions that it doesn't.
ok thx,
i'll correct this.
matmutant said:
ok thx,
i'll correct this.
you should remove that part its confusing and unneeded.
also what is falcon_umts
can you or anyone with the device pull the build.prop and post it here.
Dark Passenger said:
you should remove that part its confusing and unneeded.
also what is falcon_umts
can you or anyone with the device pull the build.prop and post it here.
Ok, removed.
about falcon_umts : i don't know, but Falcon was one of Motorola's series (i1 was part of the Falcon series) but Moto G is part of the XT series ... maybe a codename ; and UMTS is a network system based on GSM
is that what you wanted ?
edit : regarding the build.prop, Falcon is MotoG codename
matmutant said:
Ok, removed.
about falcon_umts : i don't know, but Falcon was one of Motorola's series (i1 was part of the Falcon series) but Moto G is part of the XT series ... maybe a codename ; and UMTS is a network system based on GSM
is that what you wanted ?
kind of though it would be awesome if you could attach your build.prop here
adb pull
No need for image dumps, the factory images are available here: http://sbf.droid-developers.org/falcon/list.php

[ROM] ZTE Grand X View 2 (K81) Root and Stock firmware

Stock firmware
Rogers B05 Firmware
https://www.androidfilehost.com/?fid=1395089523397891291
Separate Firehose download
https://www.androidfilehost.com/?fid=1395089523397891292
ZTE Kernel source mirror (We are codenamed Helen)
https://www.androidfilehost.com/?fid=1395089523397891289
Here is a step by step guide on how to flash the stock rom with QFIL and by extension any image.
Download and install the Qualcomm drivers from here
Download the firmware from above
Extract the firmware to a folder that you can easily access them from like your desktop
Download and install QPST from here
Open the QFIL application (Find it in your start menu)
In the "Select Build Type" field select Flat Build
In the "Select Programmer" field navigate to the folder you extracted the firmware and support files to and select the prog_emmc_firehose_8909.mbn file
Select the "Load XML" button and navigate to the folder you extracted the firmware and support files to and select the rawprogram0.xml and then the patch0.xml when prompted.
Plug in your tablet
Run the following adb command "adb reboot edl" (Now the screen should be blank but the led light should be red)
If the text at the top of the QFIL application says "No Port Available" click the "Select Port..." option and pick your device. If your device isn't showing up there you didn't install the drivers properly.
Click the Download Button to begin flashing your device
So the above explains how to flash everything. If you want to flash just boot or recovery, use the tool in the 2nd post; it is a lot easier.
Warning
This is a dangerous tool. It can render your device permanently unusable. If you use it, your warranty will likely be void. You accept all responsibility for the consequences.
Acknowledgments
Special thanks to @tdm for taking the firehose I got and creating the k81tool with it!
Note Well
The first rule of intelligent tinkering is to save all the parts.
Always backup your partitions before writing new contents, so that you can get back to where you started.
Never write both boot and recovery in one session. Always make sure that you can boot into the other partition in case something fails.
Preparation
Download the Magisk-patched boot.img from here.
Download k81tool from here.
Setup your computer.
Setup for Windows
Download zadig.
Boot your device in EDL mode (see below).
Windows will want to install the Qualcomm USB driver. We won't be using it so cancel.
Run zadig. Find device 05c6:9008 and install the WinUSB driver for it.
Reboot your device and rerun steps to go back to EDL mode
Booting in EDL mode
Code:
adb reboot edl
Usage
Code:
k81tool.exe <read|write> <boot|recovery> <filename>
Example:
Code:
k81tool.exe read boot stock-boot.img
Code:
k81tool.exe write boot patched_boot.img
Multiple Operations
This is a "one-shot" tool. After performing an operation, it will reset the device with a 5 second countdown. If you wish to perform multiple operations (eg. backup, flash), simply re-enter EDL mode.
Common Problems
Device was not found
First enter EDL mode, then run the tool.
Device is visible in device manager but cannot be found by the tool.
Connect directly to the PC, not through a hub.
Windows says bad file descriptor
The WinUSB driver is not installed.
Once you flash the patched_boot.img, all you need to do is install Magisk Manager and you will have root. Enjoy!
Proof of root:
Place Holder for TWRP
bad links??
Hi
First, thank-you, thank-you, thank-you x 100. I've been looking for a method to root this device from the day I got it as an add on to my cell plan. Not sure if I am missing something but when I click on the androidfilehost links I get taken to a home page but there is no file to download for all three links. Initially I thought I might have to register so I did that but the links still just take you to the Home advert page Could you update the links when you get a chance - thanks !!
edit - I have a couple of questions -As you have been the first to root the device there are obviously no custom firmware builds available so we stick with stock, correct? We will be able to remove the bloatware on stock because it's rooted though, correct? I also use tasker and the AutoApps suite for automation and I need root for some of my tasks so this is a huge step in the right direction. Lastly in order to root the device do we need to do follow all steps in the first post and then complete the steps in the second post? Or is the second post just a different way to do what was done in post 1? I'm excited to root this so thanks for fixing those links! Thanks again for all your work.
ryanoc75 said:
Hi
First, thank-you, thank-you, thank-you x 100. I've been looking for a method to root this device from the day I got it as an add on to my cell plan. Not sure if I am missing something but when I click on the androidfilehost links I get taken to a home page but there is no file to download for all three links. Initially I thought I might have to register so I did that but the links still just take you to the Home advert page Could you update the links when you get a chance - thanks !!
Sorry about that somehow the links broke, I have updated them so now they are proper.
Hey guys. Having a little trouble. I keep on running into "Failed: unknown error" when I try to flash the patched boot.img that was provided. I managed to read the stock boot image with no problems, but writing just runs into this error.
Thoughts?
I am using the Bell variant so I hope that isn't the source of it
Post Root questions
Hi
I'm about to try to root the device, assuming it goes according to plan, can we then install SuperSU? Do we need a TWRP for the device if we want to install another ROM and are there generic ROMS out there that would work on this tablet? Sorry if these are noob questions, I've been an apple jailbreaker for years and just bought and rooted and installed a custom ROM on a Samsung Galaxy S4. I installed a new android tablet NAV in my BMW and I needed a device to act as a hotspot, so I use Tasker and AutoApps with it to automate the process and it works really well. When I rooted the Galaxy S4 there are a ton of ROMS available for every variant so it was easy to follow the instructions. However, this is totally new territory for me. This device isn't nearly as popular so I wondered what options are available to us once we have it rooted?
same issue failed unknown error
Hi
I am using the Rogers K81 and I am encountering the same failed unknown error when I try to write the patched boot file. I also was able to read the firmware file without issue. I rebooted into edl mode and then tried to write the patched file -
NB - for those who have yet to try, move the k81tool.exe and the patched boot file to your C drive and make sure you're at the root of C, and then remove the B05 in the patch file name so that it can find the file if you are just cutting and pasting the command line instructions above; otherwise you'll get an error that it can't find the file. If the k81tool.exe isn't in the current directory you are in, you will get an error saying k81tool.exe is not a known command, etc. This might seem obvious to some, but for those with little command line experience it will save you from having to post questions about your errors.
There is a product ZTE primetime K92 which is a successor of a ZTE K81.
Do you plan to support root for ZTE Primetime K92?
huaji2333 said:
There is a product ZTE primetime K92 which is a successor of a ZTE K81.
Do you plan to support root for ZTE Primetime K92?
A friend of mine has the k92, and currently it has a locked bootloader even with the firehose and all. So he is working to find an exploit to allow it to be unlocked. But no ETA at this time.
Sent from my iPhone using Tapatalk
Thank you for providing this. I have the Virgin Mobile device currently. Just a question before I try this. My past experience with a tablet from Rogers a few years ago was that whenever you put a different sim card in, it would force you to reset the entire device. To get around this, I was lucky that there were other generic firmware available for that device. Does the Rogers firmware that you provide force a reset if you change the sim? I'd ideally like to have the option to change sims when traveling. Thanks.
I own a Virgin Mobile Canada ZTE K81 tablet. As much as I like a rooted device, my goal, if possible, is to replace the Bell firmware with the Rogers firmware. The reason I would want to do this is because Bell has done some nasty things with this tablet. The SIM card is IMEI locked to this tablet, I cannot use the SIM card on anything else. So I decided this tablet could be used as a wifi hotspot. Unfortunately, Bell did something to the firmware to make wifi and bluetooth tethering impossible.
I guess the other question I have is will the IMEI lock still work on this Bell tablet after the Rogers firmware is installed?
wow i didn't think development for this device would've gotten this far already. we're gonna need our own device forum soon
---------- Post added at 12:20 PM ---------- Previous post was at 12:19 PM ----------
bridonca said:
I own a Virgin Mobile Canada ZTE K81 tablet. As much as I like a rooted device, my goal, if possible, is to replace the Bell firmware with the Rogers firmware. The reason I would want to do this is because Bell has done some nasty things with this tablet. The SIM card is IMEI locked to this tablet, I cannot use the SIM card on anything else. So I decided this tablet could be used as a wifi hotspot. Unfortunately, Bell did something to the firmware to make wifi and bluetooth tethering impossible.
I guess the other question I have is will the IMEI lock still work on this Bell tablet after the Rogers firmware is installed?
imei locks are independent of the device itself. you need to get the carrier to give you an unlock code
Online Gravy said:
wow i didn't think development for this device would've gotten this far already. we're gonna need our own device forum soon
---------- Post added at 12:20 PM ---------- Previous post was at 12:19 PM ----------
imei locks are independent of the device itself. you need to get the carrier to give you an unlock code
I got Bell to IMEI lock the SIM to another, better tablet, a LG G Pad IV 8.0 FHD (LGV533) from Fido. The SIM works perfectly, I can now wifi tether!
That makes it an easier choice to hack at the Bell K81, now that the IMEI lock is not tied to this K81 tablet anymore. If the Bell K81 works with the Rogers firmware, bonus. If it bricks, not the end of the world. My data plan will still work. I just need to find the time to do the hack!
bridonca said:
I got Bell to IMEI lock the SIM to another, better tablet, a LG G Pad IV 8.0 FHD (LGV533) from Fido. The SIM works perfectly, I can now wifi tether!
That makes it an easier choice to hack at the Bell K81, now that the IMEI lock is not tied to this K81 tablet anymore. If the Bell K81 works with the Rogers firmware, bonus. If it bricks, not the end of the world. My data plan will still work. I just need to find the time to do the hack!
I have flashed my Bell k81 with Rogers firmware and it works properly.
Sent from my iPhone using Tapatalk
any chance of getting Pie GO installed on this thing, mine lags to even tap and the stock settings leave only 400mb free of ram
I can't successfully flash the rogers firmware on the VM (Bell) device. When the flashing process gets to 'reading through the sparse file' for the userdata.img file, I get an error. The log reads:
{ERROR: sparse_open:1939 Didn't properly read the sparse_header!
If I delete this file as a test (not sure if that was a good idea), it continues on to reading the ddr.img file, but halts again and the error refers to this file being 0 bytes.
I may have missed a step. When is the kernel file used? Is the Rogers firmware file complete?
s_021 said:
I can't successfully flash the rogers firmware on the VM (Bell) device. When the flashing process gets to 'reading through the sparse file' for the userdata.img file, I get an error. The log reads:
{ERROR: sparse_open:1939 Didn't properly read the sparse_header!
If I delete this file as a test (not sure if that was a good idea), it continues on to reading the ddr.img file, but halts again and the error refers to this file being 0 bytes.
I may have missed a step. When is the kernel file used? Is the Rogers firmware file complete?
Delete DDR as well and any of the ones it complains about that are empty. When I have sometime I'll upload a new package with those removed.
Decided to try the k81tool to just root instead, but I'm getting the same Failed:unknown error as others have posted.
(Using VM stock firmware)
---------- Post added at 11:20 PM ---------- Previous post was at 11:14 PM ----------
If you put in a Rogers sim, does it attempt to do a hard reset or just the usual reboot?
thanks
deadman96385 said:
I have flashed my Bell k81 with Rogers firmware and it works properly.
Sent from my iPhone using Tapatalk
deadman96385 said:
Delete DDR as well and any of the ones it complains about that are empty. When I have sometime I'll upload a new package with those removed.
Deleting the files also fails. The error is {ERROR: handleProgram:8615 'ddr.img' not found. You could possibly try --notfiles=ddr.img,OtherFileToSkip.bin (note, exiting since you specified --noprompt)
Adding back ddr.img, the error is
{ERROR: handleProgram:8666 Filesize is 0 bytes. This is usually a mistake!! Please check 'C:\ZTE\rogers\ddr.img'

[Release] Root the Palm phone

Here is a rooting method for the Palm Phone, either the US variant or the Vodafone variant; this has not been tested or confirmed working on any other device. This root method may break in the future because it is using a tool that isn't designed for the public. I tried getting the firehose packaged with the tool to work in other EDL flashing tools but was not able to get it working, so this is all we have for now. There is minimal risk in doing this; it just has a lot of steps and it requires a PC running Windows.
Note: This will wipe your device so anything stored on it will be lost please backup anything important like photos/contacts/etc
Download and install Sugar QCT from here (Be sure to install the usb drivers as well)
Included in the zip is the username and password that you will need to use to run the program please do not post it here.
Boot the device into recovery by turning the device off and then holding the power button until it restarts 3-4 times and boots to recovery
Select the option to go into emergency download mode
Now plug the device into your computer and open Sugar QCT
From the list select pepito/PVG100 (US) or pepito_vdf (Vodafone)
Now select Upgrade this will download the palms firmware package and flash it to the device
When it finishes do not close sugar
Unplug your device and hold the power button for a few minutes so it will restart out of EDL mode, use a rubber band or something to apply pressure to it so you don't have to hold it
Go to where Sugar QCT is installed (C:\Program Files (x86)\SUGAR QCT_SP_Gotu2\bin\)
In there you should see a folder called PVG100-xxxx (The x's are your serial number)
Copy that to your desktop or anywhere else that you like
In the folder, there should be some random-looking mbn files; these are actually the firmware files, just with names randomized to make using them harder.
There should be a file called B1AMD0D0CV00.mbn if not look for a file that starts with a B it will be the boot.img
You will need to push that to an android device and patch it with magisk manager.
Once that is done replace the B1AMD0D0CV00.mbn in your copy of the firmware with the patched boot.img
Boot it back into emergency download mode as previously stated
Close and reopen sugar
Copy your firmware copy back into C:\Program Files (x86)\SUGAR QCT_SP_Gotu2\bin\ be sure it is the same folder structure
Now select your model again and then press the upgrade button in sugar this will now flash your modified firmware to the device.
Once it finishes hold the power button for a few minutes so it will restart out of EDL mode, use a rubber band or something to apply pressure to it so you don't have to hold it
When it restarts and powers up then go through setting the phone up and install magisk manager and you're rooted.
Thanks to @StormSeeker1 for telling me about holding the power button for a few minutes to get out of EDL; previously you had to let the phone die to get out of it, which is a pain.
Interesting, shall do it tomorrow.
Curious, this doesn't use the root exploit discussed in other threads? Where is (7) downloading from?
snoopy20 said:
Interesting, shall do it tomorrow.
Curious, this doesn't use the root exploit discussed in other threads? Where is (7) downloading from?
It doesn't use any root exploit, it's downloading the firmware directly from TCL servers, the tool used is designed for service centers.
If they are the same hardware, it should be possible to flash Vodafone over the top?
snoopy20 said:
If they are the same hardware, it should be possible to flash Vodafone over the top?
They are signed with different keys, so it will probably cause the device to boot loop and or not startup. I would not recommend trying it.
Is it possible to dump the radio files from an network unlocked device, and use these files to unlock Verizon network.
Any other ideas to unlock network?
Current findings:
1. Remove the Verizon sim warning.
Simply edit the /vendor/build.prop and modify line "ro.product.vzw=true" to false. However, it has a side effect, causing the contacts in the dialer to FC while browsing.
2. Enable diag, serial and QMI
One method is dialing "###2324#", another approach is launching "EngineerMode" through apps like quickshortcutmaker, then navigate to Connectivity - DiagProtector.
3. Boot animation path
/Vendor/JRD_custres/media/
4. Most garbage apps path
/Vendor /priv-app/
Every time I try to replace the MBN files after being patched the utility keeps redownloading the originals. Any advice?
xswxm said:
Is it possible to dump the radio files from an network unlocked device, and use these files to unlock Verizon network.
Any other ideas to unlock network?
Current findings:
1. Remove the Verizon sim warning.
Simply edit the /vendor/build.prop and modify line "ro.product.vzw=true" to false. However, it has a side effect, causing the contacts in the dialer to FC while browsing.
2. Enable diag, serial and QMI
One method is dialing "###2324#", another approach is launching "EngineerMode" through apps like quickshortcutmaker, then navigate to Connectivity - DiagProtector.
3. Boot animation path
/Vendor/JRD_custres/media/
4. Most garbage apps path
/Vendor /priv-app/
I put my t-mobile sim into mine and it worked fine no edits needed and mine is officially locked to verizon.
kotaKat said:
Every time I try to replace the MBN files after being patched the utility keeps redownloading the originals. Any advice?
Are you positive that the folder structure is the same?
deadman96385 said:
I put my t-mobile sim into mine and it worked fine no edits needed and mine is officially locked to verizon.
Are you positive that the folder structure is the same?
I am using another carrier, not USA ones, and it has problems with 4G network.
it works, thanks
Just began mine. So far it's stuck on 2%.
Regarding flashing Vodafone over Verizon, if the ROM files are signed with different keys then modifying the boot.img will surely break the signage?
snoopy20 said:
Just began mine. So far it's stuck on 2%.
Regarding flashing Vodafone over Verizon, if the ROM files are signed with different keys then modifying the boot.img will surely break the signage?
Are you still stuck at 2%? Of downloading, or of flashing?
deadman96385 said:
I put my t-mobile sim into mine and it worked fine no edits needed and mine is officially locked to verizon.
Are you positive that the folder structure is the same?
tapa_t said:
Are you still stuck at 2%? Of downloading, or of flashing?
Tried to flash pvg100e over pvg100; it gets stuck at the beginning and the program won't flash.
xswxm said:
Tried to flash pvg100e over pvg100; it gets stuck at the beginning and the program won't flash.
Doesn't that empirically prove that different versions have different signatures, or at least ROMs are different enough to prevent switching over? Maybe we are just so lucky that boot.img is not checked as rigorously.
Is pvg100e for Vodafone? Where did you get the ROM if your device is pvg100?
Does it finish flashing if you do pvg100 over pvg100?
tapa_t said:
Doesn't that empirically prove that different versions have different signatures, or at least ROMs are different enough to prevent switching over? Maybe we are just so lucky that boot.img is not checked as rigorously.
Is pvg100e for Vodafone? Where did you get the ROM if your device is pvg100?
Does it finish flashing if you do pvg100 over pvg100?
The tool deadman provided definitely works if u follow the instruction and choose the right version.
For the signature issue, maybe u can find the answer in another thread about temporary root.
As to the version problems, pvg100 is for Verizon.
To my knowledge, the pvg100e is for many other vendors, such as Vodafone, and the UK version maybe share the same model name. There is another version pvg100eu, for European. U can find more evidence in the temporary root thread.
So far the following:
Windows 10 64 - goes to 2% then after a few seconds a 5002 error.
Windows 7 64 inside Virtualbox - goes to 2% and then doesn't move.
I've tried the drivers and others on the web although the latest is around 2014/15.
xswxm said:
The tool deadman provided definitely works if u follow the instruction and choose the right version.
For the signature issue, maybe u can find the answer in another thread about temporary root.
As to the version problems, pvg100 is for Verizon.
To my knowledge, the pvg100e is for many other vendors, such as Vodafone, and the UK version maybe share the same model name. There is another version pvg100eu, for European. U can find more evidence in the temporary root thread.
Checked last night, mine, pvg100, is snapdragon 430, and the China mainland version is pvg100c with snapdragon 435.
deadman96385 said:
It doesn't use any root exploit, it's downloading the firmware directly from TCL servers, the tool used is designed for service centers.
I'm not looking to root right now, but if I'm understanding this correctly this should mean that I can use SugarQCT to pull the latest version (1AMD) firmware for my Palm that doesn't show any OTA's available and is still on the original 1AGL firmware. Is that correct?
Thanks for making this happen, deadman96385!
tapa_t said:
Doesn't that empirically prove that different versions have different signatures, or at least ROMs are different enough to prevent switching over? Maybe we are just so lucky that boot.img is not checked as rigorously.
No need for empirical proof, I did the analysis here.
The difference is: the early part of boot is Qualcomm code using Qualcomm security. These are the "pbl", "sbl/edl" and "aboot/fastboot" programs (and also "modem", "tz" and other bits). These were the parts that I was looking at in the link above.
When "aboot" completes, it hands over to the late part of boot, which is Android code using Google security. These are the "boot.img/Linux kernel" programs, "recovery", "system", "vendor", "data", etc. They use a different security model. That's what this root method targets. You are correct when you say "Maybe we are just so lucky that boot.img is not checked as rigorously".
It does imply that you can mix the PVG100 Qualcomm partitions for "early boot" with the PVG100E Android partitions for "late boot" and vice-versa. But someone with motivation needs to test this... (No, you can't unlock cellular bands this way; the "modem" partition is from Qualcomm and must match your hardware.)
A good diagram is below; Source (and explanation): https://blog.quarkslab.com/analysis-of-qualcomm-secure-boot-chains.html -- I recommend studying this article.
ssuds said:
I'm not looking to root right now, but if I'm understanding this correctly this should mean that I can use SugarQCT to pull the latest version (1AMD) firmware for my Palm that doesn't show any OTA's available and is still on the original 1AGL firmware. Is that correct?
This should work. Keep in mind that whilst 1AMD seems to be fine, future versions may (permanently) close the vulnerabilities that allow you to get root, modify system partitions or use the current version of SugarQCT. I don't think this will happen but we should all keep the possibility in mind.
Which Windows version are people using? I've tried W10 and also W7 through a virtualbox but with the above errors.

Cubot Pocket: unlock bootloader and flashing GSI/lineageOS

I finally got my cubot pocket. I like my devices without GAPPS so I unlocked the bootloader and finally managed to flash a GSI.
This post contains: observations and general hints for this level of development, a guide to unlock the bootloader and what I did so far to flash a GSI.
Unlocking the bootloader
This works similar to other Spreadtrum/Unisoc-based devices.
The crucial thing is to issue get_identifier_token from fastboot -> reboot to bootloader. If you issue it in adb reboot fastboot, it will say OKAY and may also print a four character string, but this is not the token you're looking for.
Also, when you flash the unlock_bootloader signature.bin, it will prompt you on the phone, but you have to react differently than described on the phone - see below.
enable Android developer mode (Settings -> About Phone -> tap "build number" >= 7x)
enable OEM unlocking (Settings -> System -> Developer Options -> OEM unlocking)
enable ADB (Settings -> System -> Developer Options -> USB debugging)
adb reboot fastboot
choose "reboot to bootloader"
Code:
$ fastboot oem get_identifier_token
proceed as described here
finally:
Code:
$ fastboot flashing unlock_bootloader signature.bin
this prompts you to press volume up to cancel, volume down to confirm.
But volume down and power don't have any effect, instead volume up starts wiping user.
wiping takes a bit longer than I'd expect, for me 433 s.
Congratulations, you now own your phone a bit more than before!
Flashing GSIs (probably applies to ROMs in general)
It's a Treble-enabled arm64 A/B device. Flashing GSIs should be possible.
It looks to me like the A/B is crippled as all the _b partitions are 0-sized, probably to save space.
get and unpack necessary files as necessary: boot.img, vbmeta-sign.img, a ROM that you want, p.ex. AndyYan's Lineage GSI
fastboot resize-logical-partition product_a 38000
fastboot flash system [unpacked ROM file]
I also factory reset it afterwards
General/random notes
there are two different things reachable as "bootloader":
in fastboot switch to bootloader. The device displays the Cubot splash and from the display it looks stuck, but it exposes a fastboot interface -> useful
$ adb|fastboot reboot bootloader
shows the droid with open service door, saying "no command". It also exposes adb, but I don't see a way how to authorise it. Maybe via the debug UART? I didn't yet read the UART when I stumbled upon this. Currently it seems useless to me.
there are test points for the debug UART easily reachable once you disassemble it.
I didn't see anything with a 3.3V USB UART adapter, but a logic analyser with 1.4 V threshold works -> it probably uses 1.8 V logic level. UART-wise it's 115200 8n1.
I think I don't have anything to hook up to the TX currently.
UART log of boot
it's easy to softbrick this device, and I haven't found a nice way out of softbricked yet. Two not-so-nice-ways
- drain the battery, which obviously requires lots of patience
- disassemble the device and disconnect the battery
then flash the original ROM from the cubot site following the instructions there.
Once it bootloops, I didn't manage to power it off or get into fastboot / recovery using the device's keys.
the device reconfigures its USB during boot and there's a limited time for the SPDFlashTool's mode that flashes complete firmwares. That means that it's not really feasible to run SPDFlashTool inside a VM.
the phone actually does something with the battery detached but USB power attached. For example, it's possible to flash it with the SPDFlashTool. However, it doesn't boot the linux kernel / Android, this seems to be inhibited.
This is in contrast to many other devices that are not laptops for which the PMIC does not provide power to the system when the battery is disconnected.
Old notes / how not to do it: Flashing GSIs (probably applies to ROMs in general)
it's a Treble-enabled arm64 A/B device. Flashing GSIs should be possible.
It looks to me like the A/B is crippled as all the _b partitions are 0-sized, probably to save space.
system_a is a bit below 1 GB ( 0x3CF5D000 B) which is likely smaller than any interesting GSI.
attempting to flash yields
Code:
Resizing 'system' FAILED (remote: 'Not enough space to resize partition')
There's the general hint to delete the product partition by running
fastboot delete-logical-partition product
then it's actually possible to flash a GSI, however:
the device bootloops -> log
From the log I realised I need to modify vbmeta, so:
it does android verified boot / AVB which from my understanding the easiest way forward is to disable it by:
creating a vbmeta.img with
Code:
$ avbtool make_vbmeta_image --flags 2 --padding_size 4096 --output vbmeta_disabled.img
the padding necessary might be 16384 instead, according to the hovatek thread below.
it might be necessary to pad it additionally. There's a tutorial and a script here
when I flash both the hovatek-unpadded avbtool-4096-padded and hovatek-padded avbtool-16384-padded vbmeta, the device bootloops -> log
I guess the next step would be to unpack the vendor PAC ROM and check how the vbmeta image looks there.
Since with the original vbmeta it looks like it's restarting when it's already running linux / android, another way to go at this might be to change the kernel cmdline: instruct it to not do verity - Does anyone know how this is possible?
reserved for future use
dead ends (so far...)
didn't manage to find what image header magic number was wrong with the vbmeta.img (was already in the starting post)
the vbmeta actually doesn't chain to system, but there's a vbmeta_system partition (and vbmeta_vendor.img, vbmeta_system_ext.img, vbmeta_product.img) - I flashed the empty vbmeta disabling checking to vbmeta_system... and it bootloops again
this time the error is:
Code:
sprd_get_all_imgversion: ab_slot_flag is 0
read successed
sprd_get_all_imgversion: rpmb read blk 16382 successful
invalid sprd imgversion magic 0 exp a50000a5
uboot_vboot_verify_img() return error:param->a0=3
could be that it's just necessary to write the magic number to the correct offset, but I couldn't figure out where this offset is - the images in the PAC don't have this number, so I guess it's embedded on-the-fly while flashing.
searching for imgversion+spreadtrum gets 0 relevant results - I guess it's very unusual that people hook up to the debug uart
I didn't manage to disassemble uboot.img - At least the disassemble doesn't look like a bootloader to me. Not an expert with disassemblies though!
modifying boot.img with magisk also results in invalid sprd imgversion, so no root or disabled verity through this route
I didn't manage to read back from flash through SPD ResearchDownload, I get the error "incompatible partition" for userdata - and I can't deselect it :/
(I thought it might be possible to get the sprd imgversion magic through this route)
Partial success
I managed to boot a GSI signed by google through Dynamic System Updates (DSU).
It kind of looks like it's running in emulation though: settings say "About emulated device" and it gets an own userdata.img
the DSU page also says it will only run GSIs signed by google or the vendor (not sure which key that would be, but I doubt there are any) - I haven't tried flashing anything this route
Open Ends:
reverse engineering the imgversion thing
It should be possible to figure out how this imgversion business works, ultimately from the u-boot.img / PAC content. Does anyone have any idea how to proceed there? I tried:
binwalk: doesn't look useful to me, nothing got extracted -> here
arm-none-eabi-objdump -b binary -D u-boot-sign.bin -m armv8-a -Mforce-thumb
(also without -Mforce-thumb and with -m armv7)
I'm pretty sure it's actually U-boot: there is the U-boot version string matching the one printed to uart and also the printf-string for the imgversion
requested U-boot source code from Cubot
I requested source for all GPL'ed parts of the Pocket from Cubot, but especially U-Boot and the kernel. I'd be pleasantly surprised if something comes out of this though
reading back the flash
Does anyone have an idea how to do that? without root no access to /dev/block/mmcblk* and I didn't get SPD ResearchDownload to read it.
It's nice that you could unlock the bootloader! I'll try to do it soon (maybe in some months, but ok lol)
Anyway, which GSI did you try? And about the vbmeta, I think it should be enough to flash the blank vbmeta.img from google. Maybe we could use the original vbmeta.img from stock ROM with the --disable-xxxxx flags.
This is the tutorial from phhusson's group (the man behind the treble project):
0. Get an up-to-date fastboot on your computer (fastboot --version should give version >= 29)
1. Get vbmeta.img from https://dl.google.com/developers/android/qt/images/gsi/vbmeta.img
2. Get A/B GSI (I'm guessing you need ARM64), don't forget to uncompress it
3. From running Android, do adb reboot bootloader
4. fastboot --disable-verity --disable-verification flash vbmeta vbmeta.img
5. fastboot reboot fastboot
6. fastboot flash system system-xxxx.img
6bis. If fastboot tells you there isn't enough place, do fastboot delete-logical-partition product, fastboot delete-logical-partition product_a, fastboot delete-logical-partition product_b and run the fastboot flash command again
7. On your phone, the screen should have a button "go back to recovery", select it, then select "factory reset / wipe data"
8. Reboot and enjoy
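The `--flags 2` value passed to avbtool and the bits that `fastboot --disable-verity --disable-verification` sets both live in the 256-byte vbmeta header defined by libavb. The script below is an added example (not code from any poster, avbtool or fastboot) that parses that header so an image can be inspected before it is flashed; the function names are illustrative, the sample images are constructed in the script, and searching for the `AVB0` magic at a non-zero offset is an assumption for images that carry something in front of the header.

```python
"""Inspect the header of an Android Verified Boot (AVB) vbmeta image."""
import struct
from dataclasses import dataclass

# AvbVBMetaImageHeader as laid out by libavb: 256 bytes, big-endian integers.
# magic, major, minor | auth size, aux size | algorithm | 10 offset/size fields
# | rollback index | flags, rollback index location | release string | reserved
HEADER = struct.Struct(">4s II QQ I 10Q Q II 48s 80s")
MAGIC = b"AVB0"

FLAG_HASHTREE_DISABLED = 0x1      # bit set by fastboot --disable-verity
FLAG_VERIFICATION_DISABLED = 0x2  # bit set by --disable-verification / --flags 2

ALGORITHMS = {0: "NONE", 1: "SHA256_RSA2048", 2: "SHA256_RSA4096",
              3: "SHA256_RSA8192", 4: "SHA512_RSA2048", 5: "SHA512_RSA4096",
              6: "SHA512_RSA8192"}


@dataclass
class VBMetaHeader:
    offset: int          # where the AVB0 magic was found in the file
    version: tuple       # (required libavb major, minor)
    auth_size: int       # authentication block (hash + signature) size
    aux_size: int        # auxiliary block (public key + descriptors) size
    algorithm: str
    rollback_index: int
    flags: int
    release: str


def parse_vbmeta(image: bytes) -> VBMetaHeader:
    """Locate and decode the vbmeta header; raise ValueError if there is none."""
    offset = image.find(MAGIC)
    if offset < 0:
        raise ValueError("no AVB0 magic found: not a vbmeta image")
    if len(image) - offset < HEADER.size:
        raise ValueError("file ends before the 256-byte header is complete")
    f = HEADER.unpack_from(image, offset)
    rollback_index, flags, _location, release, _reserved = f[16:]
    return VBMetaHeader(
        offset=offset, version=(f[1], f[2]), auth_size=f[3], aux_size=f[4],
        algorithm=ALGORITHMS.get(f[5], f"unknown({f[5]})"),
        rollback_index=rollback_index, flags=flags,
        release=release.rstrip(b"\0").decode("ascii", "replace"))


def findings(image: bytes) -> list:
    """Return human-readable observations a reviewer should see before flashing."""
    vb = parse_vbmeta(image)
    out = []
    if vb.offset:
        out.append(f"header starts at offset {vb.offset}, not 0")
    if vb.flags & FLAG_VERIFICATION_DISABLED:
        out.append("verification disabled: descriptors will not be checked")
    if vb.flags & FLAG_HASHTREE_DISABLED:
        out.append("hashtree disabled: dm-verity will not be enforced")
    if vb.algorithm == "NONE":
        out.append("unsigned image (algorithm NONE)")
    body_end = vb.offset + HEADER.size + vb.auth_size + vb.aux_size
    if body_end > len(image):
        out.append("file is shorter than the block sizes in the header claim")
    elif any(image[body_end:]):
        out.append("non-zero bytes after the vbmeta body (expected zero padding)")
    return out


def make_sample(flags: int, padding: int = 4096, prefix: bytes = b"") -> bytes:
    """Constructed input: unsigned, descriptor-less header, zero-padded."""
    header = HEADER.pack(MAGIC, 1, 0, 0, 0, 0, *([0] * 10), 0, flags, 0,
                         b"constructed sample", b"")
    body = prefix + header
    return body + b"\0" * (-len(body) % padding)


if __name__ == "__main__":
    for flags in (0, 2, 3):
        image = make_sample(flags)
        print(f"flags={flags} size={len(image)}")
        for line in findings(image):
            print("  -", line)
```

To inspect a real file, read it with `open(path, "rb").read()` and pass the bytes to `findings()`.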
Thanks for your work. I got my Cubot Pocket unlocked too. I have booted LineageOS 19 via DSU Sideloader. It runs like a charm but there is no way to flash the GSI permanent.
@changer86 with the DSU I have the navigation bar not showing, back-gesture not functioning and no automatic display brightness - do these work for you?
wori said:
@changer86 with the DSU I have the navigation bar not showing, back-gesture not functioning and no automatic display brightness - do these work for you?
I tried it. My Navigation Bar is showing and working normal.
Automatic Display Brightness is working too.
I dont use gestures, but if you tell me how to do it, i will check that too.
Image: lineage-19.1-20220719-UNOFFICIAL-arm64_bvS.img.xz
and DSU-Sideloader 1.03 from Github. Default Settings
thanks for trying!
You can change it in Settings->System->Navigation->System Navigation->check Gesture Navigation
So: interesting that you got a lineage build working, maybe that's the important difference! From google's doc I understand that there's some verification, but looks like it's not. Since I actually don't want the google build, I'll try with lineage next. Did you also try with the built-in DSU way, like described in googles doc?
wori said:
Did you also try with the built-in DSU way, like described in googles doc?
As I understood, the app is doing exactly the same like the Google Doc say. It seems like unlocking the Bootloader is enough to boot a custom-DSU. I have read something about signed Images that will boot without unlocking the Bootloader, but i didnt try it. I just want to get rid of all the Google-Stuff before using the Pocket. Hope we can get it working.
btw: Gestures seem to work. swipe from right to middle closes Apps. from middle to up opens Menu
After a Weekend of fails i flashed Lineage 19 to my old KingKong mini and its working on the first try. Problem seems to be the Unisoc T310. The success-rate of flashing GSI to T310 seems to be really low. Does anybody know another Android 11 Device with Unisoc T310 that is working with GSI-Roms?
changer86 said:
Does anybody know another Android 11 Device with Unisoc T310 that is working with GSI-Roms?
GSI on Unisoc device
My tablet is unisoc t310 T803 with oem android 11 here is were im stuck I reflashed oem super.img and the system booted fine so i can start fresh i erased product and system, and flashed lineage 17.1
www.hovatek.com
seems this guy has succeeded and his device looks pretty similar to pocket in treble info
im unisoc tablet has oem stock A11 and no GSI A10 was to boot. my oem system is system as root AB arm64. so I have no choice but to use Arm64 AB GSI A11 because A10 will not boot
Hi, can you help me with this situation? I can't unlock bootloader on cubot pocket.
I tried to unlock on my ubuntu and windows devices.
FAILEN ( Flashing Lock Flag is locked. Please unlock it first)
I don't know that I will do for this problem
@raary did you enable OEM unlocking in the Android settings?
wori said:
@raary did you enable OEM unlocking in the Android settings?
Yes of course
raary said:
Yes of course
Did you use the modified fastboot ? Under Ubuntu start a Terminal from the extracted Folder and use ./fastboot instead of fastboot. Ensure that fastboot in the folder is executable. Check this guide: How to unlock Unisoc
Be warned: Unlocking the Bootloader is working but flashing vbmeta like you tried leads to bootloop. I think the cubot pocket needs signed Images for flashing. there is a guide for custom signed Images but i did not get it to work for now.
changer86 said:
Did you use the modified fastboot ? Under Ubuntu start a Terminal from the extracted Folder and use ./fastboot instead of fastboot. Ensure that fastboot in the folder is executable. Check this guide: How to unlock Unisoc
Be warned: Unlocking the Bootloader is working but flashing vbmeta like you tried leads to bootloop. I think the cubot pocket needs signed Images for flashing. there is a guide for custom signed Images but i did not get it to work for now.
Thank you, I will be try to unlock
@wori any updates on flashing gsi?
@badcodelab not from my side. I got frustrated and also had some other things to do. Hopefully find some time + energy to continue working on this.
I can't stay in stock OS, my GSI on cubot pocket have only 16 Gb via DSU sideload less for me, correct custom not exist for this, sad
@wori, @changer86 i didn't get clear from your posts if you tried to use signed vbmeta from the stock rom
also i haven't manage to make research tool to unpack boot.img nor super.img
by some reasons they stay listed as zero-sized .flag files in the target folder

[GUIDE] KonnectONE Moxee m2160 (MH-T6000) 4G-LTE | Unbricking & Factory Firmware Restoration Guide

Assurance Wireless
KonnectONE Moxee m2160
4G-LTE Smartphone
Model No. MH-T6000
Unbricking & Factory Firmware Restoration Guide
OVERVIEW:
This guide outlines detailed instructions on restoring the KonnectONE Moxee MH-T6000 smartphone to its stock factory state by flashing firmware via the Qualcomm Flash Image Loader (QFIL) software for Windows. The firmware provided is official and signed by the manufacturer. This procedure can be used to restore either a soft or hard bricked device. In addition, this guide would benefit device owners who are rooted or running a custom OS who wish to revert to an unmodified stock state. This firmware will remove any root binaries, custom recoveries, custom kernels, system-level mods, and will restore your smartphone with the unmodified stock Android OS.
DISCLAIMER:
Due to the invasive nature of this procedure, there is an inherent risk that you could damage or otherwise render your device inoperable. By proceeding further, you are assuming sole responsibility for the integrity and operability of your smartphone, thus absolving me of any civil liability in the event things go bad. The steps in this guide have been thoroughly tested. Follow the instructions carefully, pay attention to detail, and things should go smoothly. Nevertheless, you have been cautioned. In the event you are attempting to recover from a hard brick, your device is already unresponsive and inoperable. Thus, the risk involved in such a scenario is virtually inconsequential.
PREREQUISITES:
First and foremost, you will need a PC or laptop running Windows 7/8.1/10/11; the Qualcomm USB device drivers (link provided below); the factory supplied or a quality equivalent USB-A to USB-C charging/syncing cable; the Qualcomm Flash Image Loader (QFIL) v2.0.0.0 software (link provided below); and a factory firmware package for the Assurance Wireless KonnectONE Moxee MH-T6000 smartphone (link provided below). This procedure can be carried out regardless of the locked/unlocked state of your bootloader. Moreover, if your bootloader is in an unlocked state, it will remain in an unlocked state once the factory firmware is installed. Likewise, if your bootloader is locked, flashing the factory firmware will not alter its locked state.
FIRMWARE INFO:
OS/Version: Android 11 (Go Edition)
Build No. MH-T6000V1.0.0B010
Build Date: February 20, 2023
Build Type: User
API Level: 30
Security Patch: March 5, 2023
Radio Version:
MPSS.JO.3.4-00044-SDM439_GENNS_PACK-1
Kernel Version: 4.19.157-perf
Partition Scheme: Dynamic (Non-A/B)
Project Treble: Supported
Arch: armv7l (32-bit)
Java VM: ART 2.1.0
Widevine Version: 16.0.0
Widevine Security Level: L3
LTE Band Support: 2/4/5/12/25/26/41
LTE HPUE Bands: 66/71
QUALCOMM FLASH IMAGE LOADER:
For those members unfamiliar, the Qualcomm Flash Image Loader, or QFIL, is a portable software application used for flashing factory firmware to devices powered by Qualcomm chipsets. QFIL is a proprietary flashing protocol, developed by Qualcomm Technologies, Inc., and is also an inbuilt application to the Qualcomm Program Support Tool (QPST). The flashing protocol utilizes Qualcomm's proprietary Emergency Download Mode (EDL), one of the only solutions capable of fully restoring a completely hard bricked mobile device. This flashing method can restore a device in which the partition table has been corrupted or is missing entirely. It is also worth noting that QFIL is integrated with a QCN (Qualcomm Calibration Network) backup and restore feature. The QCN is a binary file which encompasses all calibration data for the various hardware components and sensors within the device. It also stores the baseband radio and network configuration settings, including unique identifiers such as your IMEI/MEID numbers. This valuable feature can be used to restore these settings and values if they become corrupted or lost due to a system-level issue or a botched user-end system modification.
For purposes of simplicity and efficiency, and because this procedure does not require the entire QPST software suite (which includes service programming tools, port configuration monitor, baseband radio diagnostic tools, and QFIL), we will be using the portable standalone version of the QFIL software application.
INSTRUCTIONS:
1. Download the Qualcomm USB drivers installer from the below link and save it to a convenient location on your PC or laptop. Double click on the .exe installer and follow the prompts for installation. On the Setup Type window, select the first option for WWAN-DHCP then select Next. Now accept the terms of the license agreement and complete the installation. Once completed, reboot your computer;
2. Download QFIL v2.0.0.0 and extract the contents of the archive to a folder on your desktop, or to another convenient directory on your PC or laptop;
3. Download the Moxee MH-T6000 firmware from the below link and extract the contents of the archive to a folder on your desktop, or to another convenient directory on your PC or laptop;
4. Double click QFIL.exe inside the QFIL folder (referenced in Step 2) to open the flashing utility. In the upper-left area of the QFIL interface, select the Flat Build option. Next click the Build tab, which will open the Windows File Explorer. Navigate to the extracted firmware folder you created in Step 3. Select the firmware file named prog_emmc_firehose_8917_ddr.mbn, then click Open. Next, click the Load XML... tab which will once again launch Windows File Explorer. Select the file named rawprogram_unsparse.xml, then click Open. On the next screen select patch.0.xml and select Open once more. The firmware package is now loaded and ready to flash;
5. Now you must initiate Emergency Download Mode (EDL) on your phone. EDL mode is a Qualcomm proprietary firmware flashing & diagnostic protocol. To do this, first ensure your device is powered off (unless, of course, your device is hard bricked, in which case it will be completely unresponsive and, for all intents and purposes, is already in a powered off state). Connect one end of your data syncing cable to your PC or laptop, but not yet to your phone. On your smartphone, hold Volume Up and Volume Down simultaneously while connecting the Type-C end of the data syncing cable to your phone. If your phone is being properly recognized, you will see Qualcomm HS USB QLOADER 9008 at the top of the QFIL interface, followed by your active port number. If you do not see this indicator on the QFIL interface, try using another data syncing cable, change USB ports, and/or reinstall the Qualcomm USB device drivers by repeating Step 1;
6. Once a proper connection is verified, click on the blue Download tab to commence the flashing process. A progress bar on the interface will indicate the status of the flashing process. This can take a few minutes, so just remain patient until the Status window indicates flashing success;
7. Now simply power up your device. It may be necessary to briefly remove and reinsert the battery to exit EDL mode. That's it. Your device should now be reverted to its factory stock state.
DOWNLOADS:
• Qualcomm USB Drivers Installer
• QFIL v2.0.0.0
• MH-T6000V1.0.0B010 Firmware
• OTA MH-T6000V1.0.0B011
THANKS & MENTIONS:
Thanks to @omb714.1980 for donating the device that made this guide possible. Thanks also to KonnectONE Support representative, Faith Flores, for providing me with the factory signed firmware for this phone.
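Before loading rawprogram_unsparse.xml into QFIL as in Step 4, it is worth confirming that the extracted package is complete. The script below is an added example, not part of the guide or of QFIL: it reads the `program` entries of a rawprogram XML and reports image files that are missing, larger than the sectors their entry allows, or referenced by a path outside the package folder. The function names and the demo package are constructed for illustration.

```python
"""Pre-flash sanity check for a QFIL flat-build package (rawprogram XML)."""
import os
import tempfile
import xml.etree.ElementTree as ET


def check_package(xml_path):
    """Return a list of problems in a rawprogram XML and the files beside it."""
    base = os.path.dirname(os.path.abspath(xml_path))
    problems = []
    for prog in ET.parse(xml_path).getroot().iter("program"):
        name = prog.get("filename", "")
        label = prog.get("label", "?")
        if not name:
            continue  # partition is defined but nothing is written to it
        # Image names must be bare file names inside the package folder.
        if os.path.basename(name) != name or "\\" in name:
            problems.append(f"{label}: '{name}' points outside the package folder")
            continue
        path = os.path.join(base, name)
        if not os.path.isfile(path):
            problems.append(f"{label}: {name} is missing")
            continue
        sector = int(prog.get("SECTOR_SIZE_IN_BYTES", "512"))
        skipped = int(prog.get("file_sector_offset", "0")) * sector
        capacity = int(prog.get("num_partition_sectors", "0")) * sector
        needed = os.path.getsize(path) - skipped
        # A sector count of 0 means "no fixed size given", so it is not checked.
        if capacity and needed > capacity:
            problems.append(
                f"{label}: {name} needs {needed} bytes, entry allows {capacity}")
    return problems


# Constructed sample: five entries, three of them deliberately wrong.
DEMO_XML = """<data>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="boot.img"
           label="boot" num_partition_sectors="8" start_sector="1024"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="vbmeta.img"
           label="vbmeta" num_partition_sectors="8" start_sector="2048"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="recovery.img"
           label="recovery" num_partition_sectors="8" start_sector="4096"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename=""
           label="userdata" num_partition_sectors="0" start_sector="8192"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="../outside.bin"
           label="misc" num_partition_sectors="8" start_sector="16384"/>
</data>
"""


def build_demo_package(folder):
    """Write the constructed XML plus two dummy images; return the XML path."""
    with open(os.path.join(folder, "boot.img"), "wb") as f:
        f.write(b"\0" * 4096)          # exactly 8 sectors: fits
    with open(os.path.join(folder, "vbmeta.img"), "wb") as f:
        f.write(b"\0" * 5000)          # more than 8 sectors: too large
    xml_path = os.path.join(folder, "rawprogram_unsparse.xml")
    with open(xml_path, "w") as f:
        f.write(DEMO_XML)
    return xml_path                    # recovery.img is deliberately absent


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as folder:
        for problem in check_package(build_demo_package(folder)):
            print(problem)
```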
I ended up removing various system apks by using some ro2rw magisk module etc but upon rebooting it kept going to fastboot. I flashed stock super img with fastboot then reflashed patched boot img and restored firmware that way. Lol I'm trying to recreate what I did idk maybe I needed to disable dfe. I had other magisk modules installed like an overlay to make ro rw partition for read only devices etc so idk yet
I need to try disable avb dm verity. Can someone upload the file I need to fastboot flash disable verity etc please? I successfully edited a super.img and just deleted various apps like outlook, fb installer, my account etc but left the folders etc. I used that ro2rw magisk. Pretty cool but after flashing the edited super.img it boots to fastboot mode. I'd like to try disabling verity.
Argonon said:
I need to try disable avb dm verity. Can someone upload the file I need to fastboot flash disable verity etc please? I successfully edited a super.img and just deleted various apps like outlook, fb installer, my account etc but left the folders etc. I used that ro2rw magisk. Pretty cool but after flashing the edited super.img it boots to fastboot mode. I'd like to try disabling verity.
You need vbmeta.img. You'll find it in the firmware package. To flash vbmeta.img and disable verity/AVB, use this command:
Code:
fastboot --disable-verity --disable-verification flash vbmeta vbmeta.img
You can copy and paste this command to make it easier. All the hyphens are a bit tricky.
Thanks. Now just boots to black screen. Lol. I'll keep playing
Argonon said:
Thanks. Now just boots to black screen. Lol. I'll keep playing
I finally got super.img rw and was able to debloat directly from the booted device! I used a magisk module called RO2RW test version. It uses android terminal like termux to pull the super.img then extract it. Once Product, System etc are extracted you use the mount script that makes it able to edit the imgs from MT file manager. Then terminal prompt recompiles it along with a new boot.img. its hard to explain as im not a pro lol. Here's the xda link where I got the ro2rw magisk module. https://forum.xda-developers.com/t/...system-partitions-to-read-write-mode.4521131/
Argonon said:
I finally got super.img rw and was able to debloat directly from the booted device! I used a magisk module called RO2RW test version. It uses android terminal like termux to pull the super.img then extract it. Once Product, System etc are extracted you use the mount script that makes it able to edit the imgs from MT file manager. Then terminal prompt recompiles it along with a new boot.img. its hard to explain as im not a pro lol. Here's the xda link where I got the ro2rw magisk module. https://forum.xda-developers.com/t/...system-partitions-to-read-write-mode.4521131/
Nice work. I have the CRB Kitchen for Windows which performs similar operations to super.img. My only dilemma has been a lack of free time. I'll check out the method you linked. I'm not familiar with that Magisk module and I will definitely check it out. Again, nice work. I admire your persistence and determination.
Latest OTA update package
MH-T6000V1.0.0B011
Viva La Android said:
Latest OTA update package
MH-T6000V1.0.0B011
Does this change the Security Patch? What have you noticed different?
Argonon said:
Does this change the Security Patch? What have you noticed different?
It bumps the security patch level and fixes a couple of bugs in the cellular radio firmware resulting in dropped calls during node switching.
To install it, the simplest way is to revert to an unmodified stock state by flashing the factory firmware in my restoration guide. Once restored, you can install the update.zip via stock recovery mode.
Awesome. Oh btw, firmware is now available for the MTK BLU View 3 Android 11 now!!
Argonon said:
Awesome. Oh btw, firmware is now available for the MTK BLU View 3 Android 11 now!!
This is excellent news.
I need to unlock SIM for this phone. What is the unlock method pleassss?
Mohammed Alqadri said:
I need to unlock SIM for this phone. What is the unlock method pleassss?
I unlocked mine simply by flashing the factory firmware via QFIL, using the exact steps outlined in this guide. After initial setup following firmware restoration, the preinstalled network unlock app indicated that my device was permanently unlocked for use with other carriers.
I'm not exactly sure as to the reason why this worked, nor have I researched the possible mechanics behind the occurrence.
Viva La Android said:
I unlocked mine simply by flashing the factory firmware via QFIL, using the exact steps outlined in this guide. After initial setup following firmware restoration, the preinstalled network unlock app indicated that my device was permanently unlocked for use with other carriers.
I'm not exactly sure as to the reason why this worked, nor have I researched the possible mechanics behind the occurrence.
When flashing the firmware, is it necessary to have the lock status of the bootloader unlocked or not?
Mohammed Alqadri said:
When flashing the firmware, is it necessary to have the lock status of the bootloader unlocked or not?
The state of the bootloader has no relevance to firmware restoration. The firmware will be installed in exactly the same manner regardless of whether the device is bootloader locked or unlocked.
For any members interested, my modified stock ROM for this device is complete. The full installation guide can be found here https://forum.xda-developers.com/t/...e-moxee-m2160-mh-t6000-4g-lte.4596393//unread
Viva La Android said:
For any members interested, my modified stock ROM for this device is complete. The full installation guide can be found here https://forum.xda-developers.com/t/...e-moxee-m2160-mh-t6000-4g-lte.4596393//unread
I have a question: why, when I insert the SIM card into the phone, does it appear that there is no service, since the service is available on any other device? Will the modified ROM solve the problem or the official ROM? Please answer......
Mohammed Alqadri said:
I have a question: why, when I insert the SIM card into the phone, does it appear that there is no service, since the service is available on any other device? Will the modified ROM solve the problem or the official ROM? Please answer......
This ROM does not have any effect on the network locked or unlocked state of the device. You may need to configure your network settings or APN configuration for the carrier of the SIM card. But, out of curiosity, what carrier is linked to your SIM card, and has your Moxee phone been network unlocked? By default, the Moxee m2160 is locked to Assurance Wireless and, as such, will only work on their network.
Viva La Android said:
This ROM does not have any effect on the network locked or unlocked state of the device. You may need to configure your network settings or APN configuration for the carrier of the SIM card. But, out of curiosity, what carrier is linked to your SIM card, and has your Moxee phone been network unlocked? By default, the Moxee m2160 is locked to Assurance Wireless and, as such, will only work on their network.
I use the carrier of GSM. The coverage towers do not appear on the phone. There is no service that has nothing to do with settings or APN.
