Database Develop

Trinity bootloader

i'm using the hermes/artemis reference to see what works and not
first: almost every other commands give the "Command Error"
the wdata exists and gives: Command is Locked!
The first thing will be to get into the radio bootloader - seems that the password is fixed. As far as the bootloader I hope that it can be downgraded.
---
info 2:
HTCSHTC__102Ã;¿HTCE
info 3:
HTCST
info 4:
IsAllBytesTheSame-: dwLength=8, bResult=0
HTCSHTC__102Ã;¿HTCE
info 6:
HTCST ÚÈÒHTCE
info 7:
HTC Integrated Re-Flash Utility, Common Base Version : 1.51b
Device Name: TRIN100, Bootloader Version : 1.06.0000
Built at: Oct 19 2006 20:31:29
Copyright (c) 1998-2006 High Tech Computer Corporation
CPU ID=0x41129200
Main CPLD version=0xA
Main Board version=0x5
info 8:
Block 0x0(0) is Reversed block
Block 0x1(1) is Reversed block
Block 0x2(2) is Reversed block
Block 0x3(3) is Reversed block
Block 0x4(4) is Reversed block
Block 0x5(5) is Reversed block
Block 0x6(6) is Reversed block
Block 0x7(7) is Reversed block
Block 0x8(8) is Reversed block
Block 0x9(9) is Reversed block
Block 0xA(10) is Reversed block
Block 0xB(11) is Reversed block
Block 0xC(12) is Reversed block
Partition[0], type=0x20, start=0x2, total=0x18FE
Partition[1], type=0x23, start=0x1900, total=0x1700
Partition[2], type=0x25, start=0x3000, total=0x18700
Partition[3], type=0x4, start=0x1B700, total=0x1F100
CE Total Length(with sector info) = 0x37BB800
CE CheckSum Length(without sector info) = 0x36E0000
-----
task 32 : Level FF
-----
checkimage
IPL CRC checksum = 0x96BE3C47
SPL CRC checksum = 0xBA45D40C
CE CRC checksum = 0xE86D6EC6
ExtROM CRC checksum = 0x3FBE8D13
Radio Image CRC checksum = 0xAB599ED8
-----
progress - shows bar

SD Upgrade
I tried the SD upgrade method.
I placed an nbh file on it called TRINIMG.nbh but after cheking gaves me "NOT ALLOW" 00028002
Any ideea ?

As your seclevel is FF, the CID on the NBH should be the same on your device. info 2 shows your CID = HTC__102 (HTC Germany), so you need to put an HTC german rom in the TRINIMG.nbh file or CID unlock your device.
Nice work on the bootloader

I've just decoded Trinity radio, it is very very similar to Hermes radio (Same Qualcomm JNAND Identification block), so radio bootloader commands should be the same in Trinity as on Hermes (and radio patch for SIM/CID unlock too!).
Normal bootloader commands should be quite similar too, but not necessarily the same, this is what I found on Trinity's SPL:
getdevinfo
ResetDevice
progress
ruustart
rbmc
password
info
task
emapi
btrouter
wdata
lnbs
erase
checkimage
checksum
wdata
wdatah
Click to expand...
Click to collapse
There's also the static password: BsaD5SeoA
Can you add all this info to the wiki?

pof said:
I've just decoded Trinity radio, it is very very similar to Hermes radio (Same Qualcomm JNAND Identification block), so radio bootloader commands should be the same in Trinity as on Hermes (and radio patch for SIM/CID unlock too!).
Normal bootloader commands should be quite similar too, but not necessarily the same, this is what I found on Trinity's SPL:
There's also the static password: BsaD5SeoA
Can you add all this info to the wiki?
Click to expand...
Click to collapse
excellent. i'm in office only with my trusted Universal (i'll fill up all the info tonight).

from artemis Wiki:
Artemis Bootloader Password
Seems that artemis bootloader password is static: BsaD5SeoA
If you enter this password in mtty terminal, you may not be able to boot device into Windows, only in bootloader. Be carefull.
It's meaning that Artemis has the same bootloader (or similar) with trinity.
The question: why it cannot get out from the bootloader ??

decebal said:
It's meaning that Artemis has the same bootloader (or similar) with trinity.
Click to expand...
Click to collapse
No, if you compare SPL they are very different one from the other.
Trinity's SPL is more similar to Hermes SPL, but Artemis SPL is different.
decebal said:
The question: why it cannot get out from the bootloader ??
Click to expand...
Click to collapse
probably you just need to 'set 14 0' or hard reset to go back to OS, I don't know... the wiki edit was done by fdp24, he can probably explain

pof said:
I've just decoded Trinity radio, it is very very similar to Hermes radio (Same Qualcomm JNAND Identification block), so radio bootloader commands should be the same in Trinity as on Hermes (and radio patch for SIM/CID unlock too!).
Normal bootloader commands should be quite similar too, but not necessarily the same, this is what I found on Trinity's SPL:
There's also the static password: BsaD5SeoA
Can you add all this info to the wiki?
Click to expand...
Click to collapse
Cmd>getdevinfo
GetDevInfo: Get CID OK
HTCSTRIN100HTCE
--
Reset Device - works
--
Progress - works
--
ruustart - blocked - hard reset needed
--
rbmc - not working
--
password works with the password BsaD5SeoA
--
info - works as in wiki
--
task - works as in wiki
--
emapi and btrouter - blocks the device
--
wdata - works with the password provided
--
lnbs - not working
--
erase - working
HTCST ÚÈÒHTCE
--
checkimage - working as in wiki
--
checksum - seems working
--
wdatah - not working

seems that the 1.06 is somehow limited as bootloader. how can we get the 1.04 or other upgrade solution ??
thanks

Nice work on the wiki decebal
Answers to your comments:
rbmc and lnbs - probably only work on SuperCID devices.
emapi and btrouter - I think it switches to wlan or bluetooth and disables USB connection.
wdata and wdatah - In hermes wdatah is for flash NBH and wdata for flash NBF in preproduction devices. Have you captured a full ROM upgrade using USB monitor?? which one it uses the RUU? Probably it has a dynamic password which enables wdatah for NBH files. Does 'info 3' works as in Hermes (you need to watch usb monitor output, can't see in mtty generally).
decebal said:
seems that the 1.06 is somehow limited as bootloader. how can we get the 1.04 or other upgrade solution ??
Click to expand...
Click to collapse
Generally by flashing a ROM matching your CID with bootloader 1.04.

rbmc is not in spl in Artemis device. On Trinity probably too.
These are some commands for Artemis:
Could be similarity for Trinity
CASE SENSITIVE!
Cmd>fm
Wrong parameters of FM Command!!
Usage:
fm [command] [frequency]
where:
if[command] = i Initialize FM.
if[command] = o Power on FM.
if[command] = f Power off FM.
if[command] = t Tune FM channel to [frequency].
if[command] = a FM auto seek test.
if[command] = m Mono(1) or Stereo(0).
if[command] = v Volume (0x00 - 0x0F).
if[command] = u Mute(0)
if[command] = g AGC(1)
if[command] = h Set seek threshold (0x00 - 0xFF).
if[command] = s Seek Up(1) or Down(0).
if[command] = r Get RSSI (0x00 - 0xFF).
if[command] = c Get current channel [frequency].
if[command] = d Get RDS data (1 - 10 groups of data).
*****************************************************************************************************
Cmd>cpldver
xsvfExecute - CpldType=1
SUCCESS - Completed XSVF execution.
CPLD Ver[0]=1
CPLD Ver[1]=FC
CPLD Ver[2]=26
CPLD Ver[3]=5
SetDsbDBGMSGT
Unknown yet.
*****************************************************************************************************
Cmd>ReadExtROM
Dump Ext ROM to MTTY terminal
*****************************************************************************************************
Cmd>WLANReset
Usage:
WLANReset 1(or0)
set SDIO: 0-WLAN ;1-SDMC.
Cmd>WLANReset 0
WLANReset(FALSE)
Cmd>WLANReset 1
WLANReset(TRUE)
*****************************************************************************************************
Cmd>SDSelect
Usage:
SDSelect 1(or0)
set SDIO: 0-WLAN ;1-SDMC.
Cmd>SDSelect 1
Select SD Card
*****************************************************************************************************
Cmd>emapiWlanMac
Notice: This MAC address takes effect only when your platform is EEPRON-less configuration. Please use (emapiTest) to verify it !
Copying GSM DATA image to SDRAM:00004000
Wlan data header ++++++++++++++++++++
Signature : 0xEE1250
UpdateStatus : 0x2
UpdateCount : 0xA
BodyLength : 0x1A1
BodyCRC : 0x4349311B
Wlan data header --------------------------
0x00000000
0x00000009
0x0000002D
0x000000D2
0x000000D5
0x000000FB
*****************************************************************************************************
Cmd>emapiTest
+emapiTest
1. Power on WLAN
2. Reset WLAN
3. Switch MUX to WLAN
4. Enable WLAN clock
5. Init WLAN SDIO interface
6. DeviceID Test
DeviceID = 4030xxx
EEPROMless configuration!
-emapiTest
*****************************************************************************************************
Cmd>emapiPwrDwn
*****************************************************************************************************
Cmd>emapiRead
Parameter Wrong!!
*****************************************************************************************************
Cmd>getdevinfo
Need password!
*****************************************************************************************************
Cmd>wdata
Usage:
wdata [StartAddr Len]
Write data to memory(if write to ROM, need erase first).
StartAddr : Start address of memory.
Len : How many bytes will be written.
Length must not more than 0x10000 bytes(buffer limitation).
Write to RAM: 4 bytes(CRC checksum limitation).
1 byte(in user mode).
Write to ROM: 4 bytes(CRC checksum limitation).
2(16-bit)/4(32-bit) bytes(in user mode).
Write to ROM(16-bit data bus): 32 bytes(writebuffer mode).
Write to ROM(32-bit data bus): 64 bytes(writebuffer mode).
Length must be 4 bytes boundary(CRC checksum) if not in user mode.
After command execute, then send out the data to terminal.
Data format: HTCS(4 bytes)+DATA+checksum(4 bytes, if not in user mode)+HTCE(4 bytes).
*****************************************************************************************************
Cmd>password
Usage:
password [String]
Enter the password string to enable wdata, erase and rbmc functions.
*****************************************************************************************************
Cmd>set
Usage:
set [Type Value]
Set control flags.
Type(hex) : Control function types.
Value(hex) : Setting values for types.
Type 1(Operation mode): 1(auto) and 0(user).
Type 2(Back color on/off): 1(on) and 0(off).
Type 4(Front color value): 16 bits data
Type 5(Background color value): 16 bits data
Type 6(Set color of screen): Fill color to whole screen one time.
Current flag settings:
Type 1(Operation mode flag): g_cOpModeFlag=(0x0).
Type 2(Back color flag): cBackColorShowFlag=(0x0).
Type 4(Front color): g_dwFColor24bit=(0x0).
Type 5(Background color): g_dwBColor24bit=(0xFFFFFF).
Type 6(Set color of screen): None.
Type 32: Unlock Flash Command
Set control flags.
*****************************************************************************************************
Cmd>SetDebugMethod
Copying GSM DATA image to SDRAM:00004000
Default DebugTransport Value =00000000
Current Usage:
0 No Debug
A UART MTTY Output Debug Message
B USB MTTY Output Debug Message
*****************************************************************************************************
Cmd>checksum
Usage:
checksum addr len
Return CRC checksum of memory.
In user mode: Show 4 bytes of CRC checksum value on display of terminal.
In auto mode: Send 4 bytes of CRC checksum value to terminal with data format.
*****************************************************************************************************
Cmd>ResetDevice
no comments
*****************************************************************************************************
**When CID is locked.
Cmd>ls
clean up the image temp buffer at 0x8C100000 Length 0x03A00000
BOOTLOAD_PAGE_TABLE_BASE_C_VIRTUAL= 0x8C080000
Clear image temp buffer done .
MTTYDownloadImage
Not allow operation!
Error : DownloadImage return error (code = 0xFFFFFFFF)
**When CID is locked.
*****************************************************************************************************
**When CID unlocked
Cmd>ls
clean up the image temp buffer at 0x8C100000 Length 0x03A00000
BOOTLOAD_PAGE_TABLE_BASE_C_VIRTUAL= 0x8C080000
Clear image temp buffer done .
MTTYDownloadImage
start download
==CreateFile err==
**When CID unlocked
*****************************************************************************************************
Cmd>GPSRouting
Dump code to mtty console.
*****************************************************************************************************
Cmd>BTRouting
Dump code to mtty console.
*****************************************************************************************************
Cmd>BTRouting
+GSM_Modem_Init : include DAGON
Copying GSM DATA image to SDRAM:00004000
GSM - dwSize = 3479D
GSM Page0
GSM - dwSize = 45457
GSM Page1
GSM - dwSize = 4B768
GSM Page2
GSM - dwSize = 4E0A9
GSM Page3
GSM - dwSize = 4B4C4
GSM Page4
GSM - dwSize = 4C71F
GSM Page5
GSM - dwSize = 2958E
GSM Page6
GSM - dwSize = E8D8
GSM Page7
Copying GSM CODE image to SDRAM:00000000
ARMBOOT = 1 --> boot from CS3
Reset ARM 7 -- ok
Please close MTTY USB connection and open BT Testing program...
*****************************************************************************************************
*****************************************************************************************************
*****************************************************************************************************
*****************************************************************************************************
*****************************************************************************************************
*****************************************************************************************************
password BsaD5SeoA - this is static password used during flashing device. (USB sniffer)
battery seems to be charging during bootloader.
If you stuck at bootloader during manipulations with commands, try this:
password BsaD5SeoA
ruurun 0
Alternatively, you can run rom flasher even on CID locked device. It will give you error message about Device ID or something, but your device will be back to normal and boot normally.

HTC Trinity Stack Overflow exploit - how to unbrick any Trinity stuck in bootloader!!

I'd like to introduce Trinity splxploit, a tool that expolits an stack overflow bug in Trinity SPL discovered by stepw.
This bug is present in ALL Trinity SPL versions up to now (from 1.00 to 3.03) allows downloading and running arbitrary unsigned code on the SPL itself, once exploited one can load a modified/patched SPL (such as Olipro's HardSPL or Des crashproof SPL) and unbrick any bricked device stuck in bootloader mode.
UPDATE: Code compiles on linux x86, and windows XP using cygwin, I have not tested other platforms.
To compile run 'gcc splxploit.c -o splxploit'.
To run use './splxploit -F YourSPL.nb'
To run under windows just double click on the file named "unbrick.bat"
Usage:
Code:
=== Trinity splxploit by pof - pof[at]eslack[.]org
=== Exploits stack overflow on HTC Trinity SPL
Usage: splxploit -F SPLfilename.nb [options]
SPLfilename.nb:
custom/patched SPL to load on device
options:
-c [1|2|3] call 1:wdata 2:emapi 3:emapi ds (default:autodetect)
-s [serial] use another serial device (default:/dev/ttyUSB0)
-v verbose mode
-d show debug information
-h shows this help message
This exploit will autodetect the current SPL version with some predefined values, if it is unknown the memory and stack layout detection will take more time, and probably you'll need to use '-c' command line argument to call a funciton with entry point properly aligned.
Example output:
Code:
# ./splxploit -F TRIN_SPL105.nb
=== Trinity splxploit by pof - pof[at]eslack[.]org
=== Exploits stack overflow on HTC Trinity SPL
[] SPL file: TRIN_SPL105.nb
[] Detecting IPL & SPL versions...
* Detected Trinity IPL-1.00
* Detected Trinity SPL-2.04.0000
[] Detecting memory layout...
* Trinity SPL-2.04 found (0x8C030D90)
* We need to fill the stack until address 0x8c030d90
[] Detecting stack layout...
* Send === pattern
* Found pattern === crc=0x98ea7ae2 at address 0x8c08db90 with offset 0x0
* Switch to ruustart command mode...
* Send ~~~ pattern
* Found pattern ~~~ crc=0x91aefc33 at address 0x8c08da40
* Send *** pattern
* Found pattern *** crc=0x709a5411 at address 0x8c08d960
[] Loading unsigned code... (wdata buffer at 0x80b00000)
[] We need to overflow 0x5cad5 bytes on the stack...
* Sent 0x4d8c0 bytes - stack overflow reached the SPL end at 0x8c040000
* Sent shellcode - we will jump here later
* We need to send 275 ruustart calls more, containing relative jumps to our shellcode
* Sent 0x5ca40 bytes
[] We need to call a properly aligned function above patch limit now
* Calling emapi...
[] Done, Trinity 0wn3d!!!
* If device is not responding, soft reset and try again!
For details on the stack overflow itself, see the source code
All credits go to stepw, everybody should thank him for this, he discovered the bug and was the first to exploit it, but his computer was stolen and lost all his work he was very kind to share the vulnerability details with me and I implemented the exploit.
UPDATE:
splxploit available in 3 flavors:
- Download Linux version
- Download Windows Cygwin version
- Download Windows .NET version (thanks Shadowmite!)
Enjoy

Hermes & Breeze users see here for technical discussion:
http://forum.xda-developers.com/showthread.php?t=308707

make this sticky

Thank you pof.
This is great news

incredible! thanks pof!

Pof, please help!!!
Splxploit write "can't open spl.nb". Why?
[[email protected] root]# gcc /splxploit.c -o splxploit
[[email protected] root]# ./splxploit -v -F spl.nb
=== Trinity splxploit by pof - pof[at]eslack[.]org
=== Exploits stack overflow on HTC Trinity SPL
[] Verbose mode enabled
[] SPL file: spl.nb
Cmd>set 1E 1
PassWord: BsaD5SeoA
[] Detecting IPL & SPL versions...
Cmd>checksum 98000020 20
CRC checksum=0x174D3750
* Detected Trinity IPL-0.50
Cmd>checksum 8C001004 2C
CRC checksum=0xF8926210
* Detected Trinity SPL-1.07.0000
[] Detecting memory layout...
Cmd>checksum 8C030D90 8
CRC checksum=0xE077FABC
Cmd>checksum 8C03115C 8
CRC checksum=0x396D5CD9
* Trinity SPL-1.07 found (0x8C03115C)
* We need to fill the stack until address 0x8c03115c
[] Detecting stack layout...
* Send === pattern
Cmd>===============================================================================================================================================================================================================================================================
Cmd>checksum 8c08db90 80
CRC checksum=0x98EA7AE2
[] Trying to find checksum 0x98ea7ae2 at address 0x8c08db90
* Found pattern === crc=0x98ea7ae2 at address 0x8c08db90 with offset 0x0
* Switch to ruustart command mode...
Cmd>ruustart
* Send ~~~ pattern
CRC checksum=0x91AEFC33
[] Trying to find checksum 0x91aefc33 at address 0x8c08da40
* Found pattern ~~~ crc=0x91aefc33 at address 0x8c08da40
* Send *** pattern
CRC checksum=0x4BE594DA
[] Trying to find checksum 0x709a5411 at address 0x8c08d8f0
CRC checksum=0x9A6B393E
[] Trying to find checksum 0x709a5411 at address 0x8c08d8f4
CRC checksum=0x9DCC423D
[] Trying to find checksum 0x709a5411 at address 0x8c08d8f8
CRC checksum=0x600439FC
[] Trying to find checksum 0x709a5411 at address 0x8c08d8fc
CRC checksum=0xF918358C
[] Trying to find checksum 0x709a5411 at address 0x8c08d900
CRC checksum=0x78D344D8
[] Trying to find checksum 0x709a5411 at address 0x8c08d904
CRC checksum=0xBAC0B36F
[] Trying to find checksum 0x709a5411 at address 0x8c08d908
CRC checksum=0xAFDBA039
[] Trying to find checksum 0x709a5411 at address 0x8c08d90c
CRC checksum=0xD33A4B51
[] Trying to find checksum 0x709a5411 at address 0x8c08d910
CRC checksum=0x8F8BEC0F
[] Trying to find checksum 0x709a5411 at address 0x8c08d914
CRC checksum=0x23B3F837
[] Trying to find checksum 0x709a5411 at address 0x8c08d918
CRC checksum=0xD0AE7249
[] Trying to find checksum 0x709a5411 at address 0x8c08d91c
CRC checksum=0xCE9BCE55
[] Trying to find checksum 0x709a5411 at address 0x8c08d920
CRC checksum=0x2826E07C
[] Trying to find checksum 0x709a5411 at address 0x8c08d924
CRC checksum=0x18FDFAC0
[] Trying to find checksum 0x709a5411 at address 0x8c08d928
CRC checksum=0xD1BDDE0E
[] Trying to find checksum 0x709a5411 at address 0x8c08d92c
CRC checksum=0x66DA457E
[] Trying to find checksum 0x709a5411 at address 0x8c08d930
CRC checksum=0x6676F4D9
[] Trying to find checksum 0x709a5411 at address 0x8c08d934
CRC checksum=0x18C9CB9A
[] Trying to find checksum 0x709a5411 at address 0x8c08d938
CRC checksum=0xBF6A0F53
[] Trying to find checksum 0x709a5411 at address 0x8c08d93c
CRC checksum=0xF4FF9DA5
[] Trying to find checksum 0x709a5411 at address 0x8c08d940
CRC checksum=0x7271123
[] Trying to find checksum 0x709a5411 at address 0x8c08d944
CRC checksum=0x4A6FF691
[] Trying to find checksum 0x709a5411 at address 0x8c08d948
CRC checksum=0x6F081D70
[] Trying to find checksum 0x709a5411 at address 0x8c08d94c
CRC checksum=0xCBB87EBE
[] Trying to find checksum 0x709a5411 at address 0x8c08d950
CRC checksum=0xB1160185
[] Trying to find checksum 0x709a5411 at address 0x8c08d954
CRC checksum=0x7981A80F
[] Trying to find checksum 0x709a5411 at address 0x8c08d958
CRC checksum=0xF0A09E2F
[] Trying to find checksum 0x709a5411 at address 0x8c08d95c
CRC checksum=0x709A5411
[] Trying to find checksum 0x709a5411 at address 0x8c08d960
* Found pattern *** crc=0x709a5411 at address 0x8c08d960
[] Loading unsigned code... (wdata buffer at 0x80b00000)
spl.nb: No such file or directory
cannot open spl.nb
[[email protected] root]#

You don't seem to have spl.nb file in current folder.
Extract OliPro's HSPL and copy to the same dir renaming to spl.nb

Stepw,
spl.nb is in the same directory where and splxploit.c. But for some reason writes "no such file or directory", "cannot open spl.nb"

Yes it's my error, spl and splxploit in different folders, but upgrade only spl-MFG, at others spl (for example HARD-spl) the black screen on Trinity and it is not overloaded?

And now, as i can dump ROM with information about ID device ("TRINITY100", i crashed it, now "TRINITY")from ROM as I can what further to copy it anew in ROM. What commands and addresses in MTTY? Please, pof and stepw.

All thanks all has turned out.

telemix, you may want to share your experience with the community?

I dont have a c compiler has anyone a compiled version thanks

YES!!! Success.
This afternoon i thought my trinity had died for good. But thanks you this great tool I managed to bring it back to live
At first I renamed RUU_signed.nbh (in the hard-spl zip) to spl.nb but off-course that didn't work. After extracting the spl file with NBHExtract all went well.
Thanks very much stepw and pof!

steveecourt said:
I dont have a c compiler has anyone a compiled version thanks
Click to expand...
Click to collapse
And... can anyone tell me what does that all technical blahblah mean? I've got m700 stuck in bootloader. Being a noob, have I got any chance to do anything about it myself? If not, what to do? Cheers!

And now, as i can dump ROM with information about ID device ("TRINITY100", i crashed it, now "TRINITY")from ROM as I can what further to copy it anew in ROM. What commands and addresses in MTTY?
-------------------------------------------------------------
same as i want to...pls answer !!!

some1 ever try compiller on windows xp with msys???

sorry for annoying. But i got error like that when try to run ,to compiler "splxploit.c"
$ gcc splxploit.c -o splxploit
splxploit.c: in function getchecksum':
splxploit.c:602: parse error before 'char'
splxploit.c:604: 'str' underclared<first use in this function>
splxploit.c:604: <each underclared identifier is reported for once
splxploit.c:604: for each function it appear in .>
seem i used mingw and msys to compiler. thank you for any advise......

@tuannghia1985: don't think it will work with Windoze / mingw... get a Linux LiveCD, should be easier

thank you, i get spring one live cd,and it's work very good.
But after all, file ***.nb after you guy extract, must unlock all access to this file, or else it say "not permission"...can't find such file or directory or else can't open file ***.nb
It's my experience for this time.
Dear all. Thank you pof.
It's return to live, and now i enjoy wm6 ^_^

Help cant unlock boot loader "adb out of date"

Hello ill post the log here
process requires standard 2.x android firmware.
Press any key to continue . . .
Getting ROOT rights.
* daemon not running. starting it now *
* daemon started successfully *
error: protocol fault (no status)
* daemon not running. starting it now *
* daemon started successfully *
695 KB/s (585731 bytes in 0.823s)
adb server is out of date. killing...
* daemon started successfully *
adb server is out of date. killing...
* daemon started successfully *
error: protocol fault (no status)
Waiting ...
error: protocol fault (no status)
Removing NAND MPU restrictions via SEMC backdoor. Permanent. Require ROOT righ
.
* daemon not running. starting it now *
* daemon started successfully *
error: device not found
adb server is out of date. killing...
* daemon started successfully *
error: device not found
adb server is out of date. killing...
* daemon started successfully *
error: device not found
adb server is out of date. killing...
* daemon started successfully *
error: device not found
Waiting ...
adb server is out of date. killing...
* daemon started successfully *

Jeasus please help me somebody via tv i cant do this **** it wont go 807 286 319 pass is 123456 ILL KEEP IT ON

nikolai4os said:
Jeasus please help me somebody via tv i cant do this **** it wont go 807 286 319 pass is 123456 ILL KEEP IT ON
Click to expand...
Click to collapse
check your antivirus

nikolai4os said:
Jeasus please help me somebody via tv i cant do this **** it wont go 807 286 319 pass is 123456 ILL KEEP IT ON
Click to expand...
Click to collapse
Open Task Manager on PC. Just Ctrl+Alt+Del and END process “ADB.exe”; if its running.
As CnC-ROCK said as above..Turn of all kind of Antivirus. Anything. Even a malware checker should be turned off..
These can help..step by step tutorial
http://ijustutter.com/guide-flashing-naa-kernel-custom-rom-x8-w8-x10-mini-pro
http://ijustutter.com/step-by-step-guide-to-unlock-bootloader-of-x8-w8-x10-mini-x10-mini-pro

CnC-ROCK said:
check your antivirus
Click to expand...
Click to collapse
I dont use any.

Try to get new versions of ADB

Do it thought flashtool
Install drivers
Go to plugin/unlock/then the program it will ask you to connect your device(disabled) in flash mode with pressed back button in usb port/then will ask you to switch on your device/then when the Sony Ericsson logo appears connect again your device one more time in usb to complete the unlock(THIS IS IMPORTANT) method
This method always work even with antivirus on
Tip:
If you have issues with SHOW flashmode drivers install also and the Gordons gate

[Q] Unable to root after relocking the bootloader..

Hello all,
I had unlocked my bootloader. flashed some roms (AOSP), used and thought of returning back to Stock as I wanted to test if the backed up TA can be restored successfully.
So I flashed .434 ftf, relocked the bootloader and tried to use the rooting toolkit to root.. But it is getting stuck in between as not getting any ahead further.. What should I do?
This is what all I can see:
Press any key to continue . . .
### beginüI ###
waiting for device
adb server is out of date. killing...
ADB server didn't ACK
* failed to start daemon *
error:
transfer files to your phone part1
adb server is out of date. killing...
* daemon started successfully *
27 KB/s (442 bytes in 0.015s)
adb server is out of date. killing...
* daemon started successfully *
adb server is out of date. killing...
* daemon started successfully *
10 KB/s (170 bytes in 0.015s)
adb server is out of date. killing...
* daemon started successfully *
----------------------------------------------------------------------
[*] description:
1. press the button to restore the data in your phone operation.
adb server is out of date. killing...
* daemon started successfully *
Now unlock your device and confirm the restore operation.
if Restoring data is complete,
Press any key to continue . . .
----------------------------------------------------------------------
[*] description:
1. Dial *#*#7378423#*#* and select "Service tests" in your phone o
2. select "Display" in your phone operation.
* Screen is white until completion of restart
adb server is out of date. killing...
ADB server didn't ACK
* failed to start daemon *
error:
executing /data/local/tmp/onload.sh ...
adb server is out of date. killing...
* daemon started successfully *
adb server is out of date. killing...
ADB server didn't ACK
* failed to start daemon *
error:
----------------------------------------------------------------------
[*] description:
1. push power button, so turn off the screen
2. push power button, so turn on the screen
* Repeat steps 1 and 2
----------------------------------------------------------------------
adb server is out of date. killing...
* daemon started successfully *

mandarjoshiin said:
Hello all,
I had unlocked my bootloader. flashed some roms (AOSP), used and thought of returning back to Stock as I wanted to test if the backed up TA can be restored successfully.
So I flashed .434 ftf, relocked the bootloader and tried to use the rooting toolkit to root.. But it is getting stuck in between as not getting any ahead further.. What should I do?
This is what all I can see:
Press any key to continue . . .
### beginüI ###
waiting for device
adb server is out of date. killing...
ADB server didn't ACK
* failed to start daemon *
error:
transfer files to your phone part1
adb server is out of date. killing...
* daemon started successfully *
27 KB/s (442 bytes in 0.015s)
adb server is out of date. killing...
* daemon started successfully *
adb server is out of date. killing...
* daemon started successfully *
10 KB/s (170 bytes in 0.015s)
adb server is out of date. killing...
* daemon started successfully *
----------------------------------------------------------------------
[*] description:
1. press the button to restore the data in your phone operation.
adb server is out of date. killing...
* daemon started successfully *
Now unlock your device and confirm the restore operation.
if Restoring data is complete,
Press any key to continue . . .
----------------------------------------------------------------------
[*] description:
1. Dial *#*#7378423#*#* and select "Service tests" in your phone o
2. select "Display" in your phone operation.
* Screen is white until completion of restart
adb server is out of date. killing...
ADB server didn't ACK
* failed to start daemon *
error:
executing /data/local/tmp/onload.sh ...
adb server is out of date. killing...
* daemon started successfully *
adb server is out of date. killing...
ADB server didn't ACK
* failed to start daemon *
error:
----------------------------------------------------------------------
[*] description:
1. push power button, so turn off the screen
2. push power button, so turn on the screen
* Repeat steps 1 and 2
----------------------------------------------------------------------
adb server is out of date. killing...
* daemon started successfully *
Click to expand...
Click to collapse
Have you usb debugging checked along with unknown sources ?

mileyxperia said:
Have you usb debugging checked along with unknown sources ?
Click to expand...
Click to collapse
Yes bro.. it has already been checked... :crying:

I can tell you it can not be related to your TA restore.

mandarjoshiin said:
Yes bro.. it has already been checked... :crying:
Click to expand...
Click to collapse
Flash again via flashtool full wipe root it with flashtool or binarys tool ?? Try to reinstall drivers ? Reboot pc ?

I reinstalled the drivers and now it has worked fine.. Now I can go ahead and try n see if restore TA works.. :fingers-crossed:

mandarjoshiin said:
I reinstalled the drivers and now it has worked fine.. Now I can go ahead and try n see if restore TA works.. :fingers-crossed:
Click to expand...
Click to collapse
Good luck flashing ta is risky could brick device :laugh:

Root my Kindle Fire HD (2013) Soho-KFSOWI. Please help!!

Hello everybody! I am new to xda so I hope I'm in the right place. Rooting a KF (2013) has proved to be quite challenging for me, also because I am dumb . Anyway I have tried to install the 'Permanent Root with Superuser' via Kindle Fire Utility 0.9.8 but I am not able to. I know that I am missing something but I am too dumb to understand what. I need the help of experts. So, I have run Kindle Fire Utility 0.9.8 and I got this:
HTML:
*****************************************************************
* Kindle Fire Utility 0.9.8 *
*****************************************************************
* This is now being maintained by awidawad *
*****************************************************************
* Credit goes to Vashypooh for original work *
*****************************************************************
1 Bootmode Menu
2 Install Permanent Root with Superuser
3 Install Latest TWRP Recovery
4 Install Latest FireFireFire
5 Extras (Requires Root)
0 Recheck Device Status
ADB Status: Online
Boot Status: Unknown
Please make a selection or hit ENTER to exit:
I have connected my KF Soho to the laptop through the factory cable and I have selected 1, and I got this:
HTML:
*****************************************************************
* Kindle Fire Utility 0.9.8 *
*****************************************************************
* This is now being maintained by awidawad *
*****************************************************************
* Credit goes to Vashypooh for original work *
*****************************************************************
1 Normal (4000)
2 Fastboot (4002)
3 Recovery (5001)
0 Recheck ADB/Fastboot Mode
ADB Status: Online
Boot Status: Unknown
Please make a selection or hit ENTER to return:
Then I have selected 1 and I got this:
HTML:
***********************************************
* Activating Normal (4000) *
***********************************************
The system cannot find the drive specified.
failed to copy 'files\nbmode' to '/data/local/nbmode': Permission denied
Unable to open /data/local/nbmode: No such file or directory
/system/bin/sh: /data/local/nbmode: not found
The kindle has been told to reboot in Normal Mode.
Press any key to continue . . .
If I select fastboot instead, I get this:
HTML:
***********************************************
* Activating Fastboot (4002) *
***********************************************
failed to copy 'files\fbmode' to '/data/local/fbmode': Permission denied
Unable to open /data/local/fbmode: No such file or directory
/system/bin/sh: /data/local/fbmode: not found
The kindle has been told to reboot in Fastboot Mode.
Press any key to continue . . .
In both cases my tablet reboots but checking with 'Root Analyzer' I can see that it is not rooted.
I have also tried rooting with Root_with_Restore_by_Bin4ry_v30 choosing the 1st option but I get this:
HTML:
======================================================================
= This script will root your Android phone with adb restore function =
= Script by Bin4ry (thanks to Goroh_kun and tkymgr for the idea) =
= Idea for Tablet S from Fi01_IS01 =
= (01.05.2013) v30 =
======================================================================
Device type:
1) Normal
2) Special (for example: Sony Tablet S, Medion Lifetab)
3) New Xperia Root by Goroh_kun (Xperia Z, Xperia V [JellyBean] ...)
G) Google Glass Mode (thx Saurik for the ab file)
x) Unroot
Make a choice: 1
Checking if i should run in Normal Mode or special Sony Mode
Please connect your device with USB-Debugging enabled now
Waiting for device to shop up, if nothing happens please check if Windows ADB-drivers are installed correctly!
adb server is out of date. killing...
* daemon started successfully *
remote object '/system/app/Backup-Restore.apk' does not exist
remote object '/system/bin/ric' does not exist
.
.
Above file not found warning ARE NOT ERRORS, it is intended to be this way!
Normal Mode enabled!
.
Pushing busybox....
5282 KB/s (1165484 bytes in 0.215s)
Pushing su binary ....
6985 KB/s (380532 bytes in 0.053s)
Pushing Superuser app
5148 KB/s (1500495 bytes in 0.284s)
Making busybox runable ...
.
Now unlock your device and confirm the restore operation.
Please look at your device and click RESTORE!
If all is successful i will tell you, if not this shell will run forever.
Running ...
At this point, my kindle fire displays a screen where I have to choose between 'Do not restore' and 'Restore my data' and I chose 'Restore my data' but my tablet does not reboot at all and the runme.bat file keeps running forever. I have also tried not to press anything at all on the 'Do not restore/Restore my data' screen and I get this:
HTML:
Successful, going to reboot your device in 10 seconds!
Waiting for device to show up again....
Going to copy files to it's place
mount: permission denied (are you root?)
You can close all open command-prompts now!
After reboot all is done! Have fun!
Bin4ry
Press any key to continue . . .
My tablet actually reboots but checking with Root Analyzer I still see the message 'No, your device is not rooted'. What should I do? :'( Ask me all the questions you need and I'll do my best to answer them. Also, please keep in mind that I am not technical therefore explain me things as you would explain them to a quite smart baby Thanks for your help!
Also, I'll write here more details about my device if it is of any help for you guys:
Device model: Kindle Fire HD (3rd generation)
Year: 2013
Bootloader: Uknown
Board: soho
Device: soho
Model: KFSOWI
OS: Fire OS 4.5.5.3