On today's HTC devices, flashing from an SD card is a trivial task: just copy your ROM image to the card and boot it... Unfortunately, with older devices, like the Himalaya for example, it's different - every image to be flashed has to have a special signature, which is individual not only for your device, but... for the given SD card as well!
1. Getting a header.
How to get it? You have to make a backup of your currently flashed ROM. You'll need a USB cable and your device in bootloader mode. Make a backup with the command below:
Code:
password BOOTLOADER
Pass.
USB>d2s
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SD:Detected one card
SD:ready for transfer OK
pc->drive.total_lba=F5800
pc->drive.num_heads=0
pc->drive.sec_p_track=0
pc->drive.num_cylinders=0
pc->drive.block_size=200
pc->drive.features=0
pc->drive.RCA=2
pc->drive.drv_type=40000000
pc->drive.securedAreaSize=0
pc->drive.securityDrv=0
pc->drive.busWidth=1
pc->drive.erasedSize=0
Total card size=1EB00000
SDCARDD2S+,cStoragePlatformType=FF
*******************************************************************************************************************************
Store image to SD/MMC card successful.
USB>
Done... but when you try to read this card, it shows that it's not written as a file - it's written sector by sector! Normally you would use ntrw to read that into a normal file, but it has one major flaw: it dumps the whole card, so if you have a 1GB card, you're going to get a 1GB file... and that's why our beloved itsme wrote a small utility called psdread (and psdwrite, too), which I'm including in this tutorial.
Using this utility you have to read the header first. Assuming your card reader got the letter m: from your system (that's the letter I have assigned to my card reader), just type:
Code:
c:\> psdread.exe m: 0 0x19c
so you get something like this:
Code:
00000000: 48 49 4d 41 4c 41 59 41 53 20 20 20 20 20 20 20 HIMALAYAS
00000010: 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
00000020: 31 2e 30 36 20 20 20 20 20 20 20 20 20 20 20 20 1.06
00000030: 78 7e a8 50 96 f5 45 3b 13 0d 89 0a 1c db ae 32 x~.P..E;.......2
00000040: 20 9a 50 ee 40 78 36 fd 12 49 32 f6 9e 7d 49 dc 1.P..x6..I2..}I.
00000050: ad 4f 14 f2 44 40 66 d0 6b c4 30 b7 32 3b a1 22 .O..D.f.k.0.2;..
00000060: f6 22 91 9d e1 8b 1f da b0 ca 99 02 b9 72 9d 49 .............r.I
00000070: 2c 80 7e c5 99 d5 e9 80 b2 ea c9 cc dd 00 4c f2 ,.~...........L.
00000080: 53 41 30 30 e1 dc d6 ae 83 90 49 f1 f1 ff e9 eb SA00......I.....
00000090: b3 a6 db 1e 87 0c 3e 77 24 42 0d 1c 06 b7 47 de .......w$B....G.
000000a0: 6d 12 4d c8 43 2e cb a6 1f 03 5a 7d 09 38 25 1f m.M.C.....Z}.8%.
000000b0: 5d 9f d4 fc 96 f5 45 3b 13 0d 89 0a 1c d3 90 2d ].....E;.......-
000000c0: 48 9a 50 ee 40 78 36 fd 12 49 32 f6 9e 81 49 dc H.P..x6..I2...I.
000000d0: ad 4f 14 f2 44 40 66 d0 6b c4 30 b7 3c 84 f2 87 .O..D.f.k.0.....
000000e0: 61 49 d1 4f 0a d8 16 e7 72 e6 bb 12 84 34 a6 77 aI.O....r....4.w
000000f0: 02 37 e4 97 2c 74 cb c9 12 68 33 74 9e ad 87 d5 .7..,t...h3t....
00000100: fa 16 bb 11 ad ae 24 88 79 fe 52 db 25 43 e5 3c ......$.y.R.%C..
00000110: b3 12 4d c8 43 bb 8b a6 1f 03 5a 7d 09 38 25 1f ..M.C.....Z}.8%.
00000120: 5d d4 cb fc 96 f5 45 3b 13 0d 89 0a 1c db ae 32 ].....E;.......2
00000130: 20 9a 50 ee 40 78 36 fd 12 49 32 f6 9e 7d 49 dc ..P..x6..I2..}I.
00000140: ad 4f 14 f2 44 40 66 d0 6b c4 30 b7 32 3b a1 22 .O...D.f.k.0.2;.
00000150: f6 22 91 9d e1 8b 1f da b0 ca 99 02 b9 72 9d 49 .............r.I
00000160: 2c 80 7e c5 99 d5 e9 80 b2 ea c9 cc 53 bf 67 d6 ,.~.........S.g.
00000170: bf 14 d6 7e 2d dc 8e 66 83 ef 57 49 61 ff 69 8f ...~-..f..WIa.i.
00000180: 48 54 43 53 41 30 30 34 30 30 30 30 30 31 46 43 HTCSA004000001FC
00000190: 30 30 30 30 46 45 46 39 46 32 43 44 0000FEF9F2CD
Well, it could be the end of the first part of this tutorial, but let's make a full backup file. Let's take a look at the end of this block:
Code:
HTCS A0040000 01FC0000 FEF9F2CD
where:
A0040000 - location of your OS image in a device
01FC0000 - size of the actual OS (decimal 33292288 bytes)
FEF9F2CD - checksum
At the very end of the ROM image there are 4 more bytes (HTCE), so the size of the whole image would be: 19C + 1FC0000 + 4 = 0x1FC01A0 bytes total.
Now you can make your backup image with the following command:
Code:
c:\> psdread.exe m: 0 0x1FC01A0 os.img
While the header itself (needed for the next steps of this tutorial) will be created with:
Code:
c:\> psdread.exe m: 0 0x19c header.img
2. Getting a bare OS.nb file
While in today's kitchens a bare OS.nb file is normal, you probably haven't even seen this file... so how to get it?
A normal ROM image is in the nk.nbf file, which is the XOR-encoded actual image. Decode it with:
Code:
c:\> xda2nbftool.exe -x nk.nbf nk.nba 0x20040304
so you have nk.nba file now. You can dismantle it now with:
Code:
c:\> dump.exe -o 0x40040 -l 0x1FC0000 nk.nba os.nb
and you have your OS.nb
3. Making a flashing ready image file.
Putting this all to a final file is trivial... it's just our header + OS.nb:
Code:
c:\> type header.img > SD_img.img
c:\> type OS.nb >> SD_img.img
And in the end you get SD_img.img file, which you can transfer to your SD card with:
Code:
c:\> psdwrite m: SD_img.img
I'd recommend using a good hex editor: there's a really great freeware one called HxD (you can get it here). It can even operate on disk images and disks themselves.
4. Flashing your device.
Well, this will be the most tough part...
Well, not really
Turn off your Himalaya (really! the best would be to take out your battery), put your SD card in and turn it on. It will display a message: "press power to flash". Just press the power button and wait until it finishes. YOU CAN'T ABORT THE PROCESS, DON'T TOUCH IT! GO AND MAKE YOURSELF A COFFEE OR TEA OR GO FOR A SMOKE!!!
and... that's it
happy flashing!
......
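The header layout shown in step 1 can be checked before anything is written back to a card. The following is an added example, not part of the original post or of itsme's tools: it parses the 0x19C-byte header, recomputes the total backup size, and confirms that HTCE follows the OS data in a backup made as in step 1. Reading the text at 0x00 and 0x20 as device name and version is an assumption taken from the dump, and `sample_header` builds constructed test data from the values in the tutorial.

```python
import io
import os
import string
from dataclasses import dataclass

HEADER_LEN = 0x19C   # length read with "psdread.exe m: 0 0x19c"
TAG_OFFSET = 0x180   # "HTCS" followed by three 8-character hex fields
END_TAG = b"HTCE"    # 4 bytes the tutorial says follow the OS data


@dataclass
class SdHeader:
    device: str      # text at 0x00 in the dump (assumed to be the device name)
    version: str     # text at 0x20 in the dump (assumed to be a version string)
    os_address: int  # "location of your OS image in a device"
    os_size: int     # "size of the actual OS"
    checksum: int    # stored value only; the algorithm is not given in the post

    @property
    def total_size(self) -> int:
        # header + OS + HTCE, the sum worked out in the tutorial
        return HEADER_LEN + self.os_size + len(END_TAG)


def _hex_field(text: str) -> int:
    # Each field must be exactly 8 hex digits; reject anything else.
    if len(text) != 8 or any(c not in string.hexdigits for c in text):
        raise ValueError(f"bad hex field {text!r}")
    return int(text, 16)


def parse_header(raw: bytes) -> SdHeader:
    if len(raw) < HEADER_LEN:
        raise ValueError("header shorter than 0x19C bytes")
    if raw[TAG_OFFSET:TAG_OFFSET + 4] != b"HTCS":
        raise ValueError("HTCS tag not found at 0x180")
    tail = raw[TAG_OFFSET + 4:HEADER_LEN].decode("ascii", errors="replace")
    addr, size, csum = (_hex_field(tail[i:i + 8]) for i in (0, 8, 16))
    return SdHeader(
        device=raw[0x00:0x10].decode("ascii", errors="replace").strip(),
        version=raw[0x20:0x30].decode("ascii", errors="replace").strip(),
        os_address=addr,
        os_size=size,
        checksum=csum,
    )


def check_image(f) -> list:
    """Return a list of layout problems for a seekable binary backup image."""
    f.seek(0)
    hdr = parse_header(f.read(HEADER_LEN))
    size = f.seek(0, os.SEEK_END)
    if size < HEADER_LEN + hdr.os_size:
        return [f"image truncated: {size:#x} bytes, OS alone needs "
                f"{HEADER_LEN + hdr.os_size:#x}"]
    f.seek(HEADER_LEN + hdr.os_size)
    if f.read(len(END_TAG)) != END_TAG:
        return ["HTCE not found after the OS data"]
    return []


def sample_header(os_size: int = 0x01FC0000) -> bytes:
    """Constructed header using the field values shown in the tutorial."""
    text = b"HIMALAYAS".ljust(16) + b"0" * 16 + b"1.06".ljust(16)
    blob = bytes(TAG_OFFSET - len(text))  # zeros stand in for the per-card bytes
    tag = b"HTCS" + b"A0040000" + b"%08X" % os_size + b"FEF9F2CD"
    return text + blob + tag


if __name__ == "__main__":
    hdr = parse_header(sample_header())
    print(hdr, hex(hdr.total_size))
    # Small constructed image: 16-byte "OS" followed by HTCE.
    img = io.BytesIO(sample_header(16) + bytes(16) + END_TAG)
    print(check_image(img) or "layout OK")
```

To check a real backup, open `os.img` in binary mode and pass the file object to `check_image`.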
good work very thank's
Flashing Himalaya from SD card- Many thanks "utak3r"
At last !!!!!!!!!
u r my saviour ........
Many Many Thanks for the steps......
I have been asking and waiting for a proper procedure to flash from sd card especially for xda2.
I will give it a try and see if I succeed.
well actually my usb is broken, that is the reason I am looking to flash from sd card.
In that case, can anyone post a latest stable rom which is already ready to flash from SD Card ?
should the same SD card should be used ?
will it not work if I copy the SD image to a different SD card and flash it?
Many thanks utak3r
WOW!!! amazing tut
Stickied it!
gopi159 said:
> should the same SD card should be used ?
> will it not work if I copy the SD image to a different SD card and flash it?
As I said it in this tut - the header is unique for every device and every SD card, so... no, you can't download some image and flash it, sorry. Your bootloader will say: "not allowed" and that's it.
I'm working now on getting this header from a device without a cable - will I succeed? I don't know, last time I tried (about 2 years ago) I failed...
i cant understand all this
can you explain how to flash a new rom with a sd card only without cable
abdelamine said:
> i cant understand all this
> can you explain how to flash a new rom with a sd card only without cable
You can do it only if you have this header I'm talking about above. If you don't have it - no flashing, unfortunately.
Flashing from SD card
How much time is needed for flashing from SD card?
Can we charge the battery while flashing from SD Card?
because we have old device with a short period of prodigal battery condition
Well, I can't remember it now, but it's faster than flashing through a cable. It shouldn't be longer than 20 minutes AFAIR.
And no, there's no charging while in this mode...
utak3r said:
> I'm working now on getting this header from a device without a cable - will I succeed? I don't know, last time I tried (about 2 years ago) I failed...
I wish You luck in this task!
I think, that there must be the way to generate SD header information.
And thanx for such a good tutorial - now I can make SDImage without using sdtool.pl
Avis said:
> I wish You luck in this task!
> I think, that there must be the way to generate SD header information.
well, thanks
As for now I can dump ROM, but with my way, so it doesn't contain this header... it has to be generated by bootloader. So probably I'll end with decompiling a bootloader code
HOW CAN I write password BOOTLOADER and where
hi utak3r,
on the first part of the tutorial, how can we get this header?
where can we actually put this code? is it on command prompt or on device?
thanks...
got it.. use hyperterminal...
abdelamine said:
> HOW CAN I write password BOOTLOADER and where
while you're in bootloader mode connect with your hima with mtty... and that's where you can issue various commands.
easy
any have easy tool..????
my usb connector is really broken, is there any solution to do it without using a pc and usb connection?
thanks
You have Vista, XP???
same question
& i have xp & vista
utak3r said:
> As I said it in this tut - the header is unique for every device and every SD card, so... no, you can't download some image and flash it, sorry. Your bootloader will say: "not allowed" and that's it.
> I'm working now on getting this header from a device without a cable - will I succeed? I don't know, last time I tried (about 2 years ago) I failed...
Is every header really unique? let us say, there are 1000 hima, so there are 1000 different headers?
If the answer is no, maybe we can flash the device using only our SD card without the help of a usb connection. someone may post their ready-made file then try to flash it, if it fails, try another.
I just want to find a possibility coz my usb connection was broken too.
you can go and try to collect few headers... but I really doubt
Hello
Not sure if this is the right place, but I don't think development is the right thread either as I simply need a one time tester and there is already a dev thread for the tool in Optimus Black Forums.
I have developed a tool that extracts LG's bin firmware. I extended it to extract tot files as well. As some of you might know the tot files split some partitions up into multiple files. I already managed to extract the tot file into its various parts, but I have only recently added the ability to merge the parts into their partition.
I don't have enough bandwidth to download one of your firmware files to test it so can someone please test the tool.
Here's the dev thread : link
Here's the git : link
You'll have to compile it with gcc/mingw. The tool's name must be BinExtractor(.exe) or it won't remove the first argument (usually the tool path and then it will keep on showing the usage no matter what)
Run it with
Code:
BinExtractor -daph Path/To/Tot/File/firmware.tot
and see if it displays the header info. If that succeeds please test the extraction
Code:
BinExtractor -extract Path/To/Tot/File/firmware.tot
It should prompt you that it detected data blocks with identical names and ask you if you want to merge them. And you want to merge them. After it has extracted the files, can you please check that the various partitions that it extracted are correct.
To check the system partition mount or extract the system partition in Linux and in Windows use a tool like ext2read to check it.
If it fails with an error please post the results from -daph (and -extract if it happened there) and the first meg of the tot file you used.
If the partitions aren't extracted properly (or merged properly) and -daph succeeded please post just the output from -daph and in what way the output is faulty.
Thanks in advance.
Wow it moved out of page 1 already.
Bump.
It was ignored because the Nexus 4 doesn't use LG .bin files, it uses standard .img files.
Rusty! said:
> It was ignored because the Nexus 4 doesn't use LG .bin files, it uses standard .img files.
Thanks for responding, but according to this: [Stock] Stock ROMs Collection US/CA/EU/AU
> These files are in TOT format
And there's a DL link that I presume contains a tot file
> LGE960AT-00-V10c-NXS-XX-OCT-25-2012-JVP15Q-USER+0
Can you please explain since the info I have atm is a bit contradictory.
Thanks for this xonar. Much appreciated.
Would anyone be able to compile a Windows binary for me and upload it please? Thanks.
Sent from my Nexus 4 using Tapatalk 2
efrant said:
> Thanks for this xonar. Much appreciated.
> Would anyone be able to compile a Windows binary for me and upload it please? Thanks.
> Sent from my Nexus 4 using Tapatalk 2
I just compiled it with mingw, but it's not behaving like its Linux counterpart.
If j is 1024 why isn't the output file 512kB ?!? (Tested with P970 bin)
Code:
for(j = 0; j < tmp.pent_arr[i].file_size; j++)
{
    /*DO 512 BLOCK*/
    fread(buff, sizeof(char), 512, f);
    fwrite(buff, sizeof(char), 512, out);
}
fclose(out);
EDIT: Had a facepalm moment
Windows needs to specify reading and writing in binary. I'll give you exe in a moment.
EDIT2: I attached a zip with the exe inside.
To get it working in Windows I changed read access to binary everywhere there's an fopen and I initialized some things to 0 as Windows unlike Linux doesn't start you off with a nice clean slate.
I'll push changes to git tomorrow morning to make it work on Windows as well and from now on I'll actually test the windows exe on windows and not through wine.
Hope it works. I'm going to bed now.
xonar_ said:
> I just compiled it with mingw, but it's not behaving like its Linux counterpart.
> If j is 1024 why isn't the output file 512kB ?!? (Tested with P970 bin)
> Code:
> for(j = 0; j < tmp.pent_arr[i].file_size; j++)
> {
>     /*DO 512 BLOCK*/
>     fread(buff, sizeof(char), 512, f);
>     fwrite(buff, sizeof(char), 512, out);
> }
> fclose(out);
> EDIT: Had a facepalm moment
> Windows needs to specify reading and writing in binary. I'll give you exe in a moment.
> EDIT2: I attached a zip with the exe inside.
> To get it working in Windows I changed read access to binary everywhere there's an fopen and I initialized some things to 0 as Windows unlike Linux doesn't start you off with a nice clean slate.
> I'll push changes to git tomorrow morning to make it work on Windows as well and from now on I'll actually test the windows exe on windows and not through wine.
> Hope it works. I'm going to bed now.
Thanks so much. I'll try to give it a shot tomorrow. If it doesn't work, I guess I could always use cygwin.
Sent from my Nexus 4 using Tapatalk 2
Doesn't seem to work on Bell Optimus G:
Code:
BinExtractor.exe -extract "LGE973AT-00-V10f-BELL-CA-OCT-24-2012+0.tot"
Reading AP Header...
Unknown Magic Number at 0x8 : AF 33 BF DE
Writing Files...
Finished
Running the info command:
GPT HEADER
----------
Signature 45 46 49 20 50 41 52 54
Revision 65536
Header Size 92
CRC32 of Header B2 64 10 F5
Current Header LBA 1
Backup Header LBA 61071359
First Usable LBA 34
Last Usable LBA 61071326
Disk GUID 32 1B 10 98 E2 BB F2 4B A0 6E 2B B3 3D 00 0C 20
Start of Partition Entries 2
Number of Partition Entries 36
Size of Partition Entries 128
CRC32 of Partition Array 71 79 32 B7
PARTITION ENTRIES
-----------------
PARTITION ENTRY
---------------
Partition Type GUID A2 A0 D0 EB E5 B9 33 44 87 C0 68 B6 B7 26 99 C7
Unique Partition GUID 7B 6F 3E CF 28 B7 86 F3 6A AE 46 69 B1 BC 9A 08
First LBA 16384
Last LBA 147455
Attributes 8
Partition Name modem
PARTITION ENTRY
---------------
Partition Type GUID 2C BA A0 DE DD CB 05 48 B4 F9 F4 28 25 1C 3E 98
Unique Partition GUID BC D0 5B BC 05 A5 44 30 8E 88 59 5C 87 19 A1 08
First LBA 147456
Last LBA 148479
Attributes 0
Partition Name sbl1
PARTITION ENTRY
---------------
....
zivan56 said:
> Doesn't seem to work on Bell Optimus G:
> Code:
> Unknown Magic Number at 0x8 : AF 33 BF DE
The tool doesn't support Bell OG yet. I made a guess at what the format could be but I can't say for certain that it will work. I'll push changes in a moment.
Someone tested it on another OG firmware, but it fails to mount the image with:
Code:
mount: wrong fs type, bad option, bad superblock on /dev/loop0,
missing codepage or helper program, or other error
In some cases useful info is found in syslog - try
dmesg | tail or so
Code:
EXT4-fs (loop0): bad geometry: block count 389120 exceeds size of device (360576 blocks)
Can anyone give me the output from -dgpt with at&t OG or sprint OG?
or the first meg of the tot file of Nexus 4 or Bell OG along with -dgpt output?
EDIT: If possible use pastebin to display dgpt output as it might be fairly long.
I know what the problem is. Great thanks to SnowLeopardJB for testing and correspondence.
The file that was being created doesn't have 'space' up until the end of the partitions. (It was left out since that's where it stops in the file) but the actual disk still has 'space' after the last bit of data.
So it can be fixed with
Code:
#VAL is the value that is supposedly outside the device from the err msg
VAL=389120
#This will say already that size, but the file itself will change size
resize2fs system.img $VAL
#Not sure if this last step is then necessary
fsck.ext4 -f system.img
#Now you can mount it as any other partition
I'll make the program add the 'space' and see if it produces an immediately mountable file.
I also totally changed the way it handles 44 DD 55 AA files for future flexibility and it's a step closer to being able to make it use predefined files as formats.
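The "bad geometry" mismatch described in this post can be detected before trying to mount. The following is an added example, not part of BinExtractor or of the original post: it reads the block count and block size from the ext4 superblock, compares them with the file length, and extends a short file with zeros up to the declared size. It assumes a filesystem of fewer than 2^32 blocks (only the low 32-bit block count is read), and `make_sample` writes a constructed test image rather than a real partition.

```python
import os
import struct

SB_OFFSET = 1024     # the ext2/3/4 superblock starts 1024 bytes into the image
EXT_MAGIC = 0xEF53   # s_magic, at offset 56 inside the superblock


def ext4_geometry(path):
    """Return (block_size, declared_blocks, present_blocks) for an image file."""
    with open(path, "rb") as f:
        f.seek(SB_OFFSET)
        sb = f.read(64)
    if len(sb) < 64:
        raise ValueError("file too short to hold a superblock")
    (declared,) = struct.unpack_from("<I", sb, 4)    # s_blocks_count_lo
    (log_bs,) = struct.unpack_from("<I", sb, 24)     # s_log_block_size
    (magic,) = struct.unpack_from("<H", sb, 56)      # s_magic
    if magic != EXT_MAGIC:
        raise ValueError(f"not an ext2/3/4 superblock (magic {magic:#06x})")
    if log_bs > 6:
        raise ValueError(f"implausible s_log_block_size {log_bs}")
    block_size = 1024 << log_bs
    present = os.path.getsize(path) // block_size
    return block_size, declared, present


def pad_to_declared(path):
    """Extend the file with zeros to the size the superblock declares.

    Returns the number of bytes added (0 if the file is already long enough).
    """
    block_size, declared, _ = ext4_geometry(path)
    target = declared * block_size
    size = os.path.getsize(path)
    if size >= target:
        return 0
    with open(path, "r+b") as f:
        f.truncate(target)   # growing with truncate() fills with zero bytes
    return target - size


def make_sample(path, declared_blocks, present_blocks, log_block_size=0):
    """Write a constructed image: a minimal superblock in a short, zeroed file."""
    block_size = 1024 << log_block_size
    sb = bytearray(1024)
    struct.pack_into("<I", sb, 4, declared_blocks)
    struct.pack_into("<I", sb, 24, log_block_size)
    struct.pack_into("<H", sb, 56, EXT_MAGIC)
    data = bytearray(present_blocks * block_size)
    data[SB_OFFSET:SB_OFFSET + 1024] = sb
    with open(path, "wb") as f:
        f.write(data)


if __name__ == "__main__":
    import tempfile
    img = os.path.join(tempfile.mkdtemp(), "system.img")
    make_sample(img, declared_blocks=64, present_blocks=40)
    bs, declared, present = ext4_geometry(img)
    print(f"block count {declared} exceeds size of file ({present} blocks)")
    print("padded by", pad_to_declared(img), "bytes")
    print(ext4_geometry(img))
```

Running `fsck.ext4 -f` on the padded image afterwards, as in the post, is still a sensible check before mounting.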
The latest version in git seems to extract the Bell Optimus G firmware properly now. I tried mounting the resulting radio image section and it worked fine, so I assume it knows the proper partition boundaries now.
Btw, I would recommend posting some instructions how to compile it. Not everyone is savvy enough to know how to use gcc.
Likewise, your program is hardcoded to look for its name when looking for parameters. Since there was no makefile it defaulted to a.out, which, the way it is coded, would never accept any parameters unless renamed to LGBinExtractor.
zivan56 said:
> The latest version in git seems to extract the Bell Optimus G firmware properly now. I tried mounting the resulting radio image section and it worked fine, so I assume it knows the proper partition boundaries now.
Only merged partitions were affected by the 'space' bug, plain extraction should have been correct for Bell OB after bb697c27e5. I haven't committed the 'space' fix yet.
In retrospect using fseek to create 'space' between image parts might not have been such a good idea either and might also be causing problems.
zivan56 said:
> Btw, I would recommend posting some instructions how to compile it. Not everyone is savvy enough to know how to use gcc.
Adding a makefile is on my todo list.
zivan56 said:
> Likewise, your program is hardcoded to look for its name when looking for parameters. Since there was no makefile it defaulted to a.out, which, the way it is coded, would never accept any parameters unless renamed to LGBinExtractor.
Yea, not one of my better choices. I changed it to remove the first arg if it doesn't start with '-'.
Okay Merging partitions should work now. I'm waiting for confirmation then I'll ask mod to close the thread.
xonar_ said:
> Okay Merging partitions should work now. I'm waiting for confirmation then I'll ask mod to close the thread.
Hello, I tried a test with LG Optimus Tag, working
Code:
AP HEADER
----------
Magic Number 44 DD 55 AA
Number of Partitions 32
PARTITION ENTRIES
-----------------
PARTITION ENTRY
------------
Data Block Name MODEM
Data Block ID 1
Size on File 47104
File Offset 0
Size on Disk 65537
Disk Offset 0
PARTITION ENTRY
------------
Data Block Name SBL1
Data Block ID 2
Size on File 1024
File Offset 47104
Size on Disk 2048
Disk Offset 65537
PARTITION ENTRY
------------
Data Block Name SBL2
Data Block ID 3
Size on File 1024
File Offset 48128
Size on Disk 2048
Disk Offset 67585
PARTITION ENTRY
------------
Data Block Name EXT
Data Block ID 4
Size on File 1024
File Offset 49152
Size on Disk 12287
Disk Offset 69633
PARTITION ENTRY
------------
Data Block Name RPM
Data Block ID 5
Size on File 1024
File Offset 50176
Size on Disk 16384
Disk Offset 81920
PARTITION ENTRY
------------
Data Block Name SBL3
Data Block ID 6
Size on File 2048
File Offset 51200
Size on Disk 16384
Disk Offset 98304
PARTITION ENTRY
------------
Data Block Name ABOOT
Data Block ID 7
Size on File 2048
File Offset 53248
Size on Disk 16384
Disk Offset 114688
PARTITION ENTRY
------------
Data Block Name BOOT
Data Block ID 8
Size on File 15360
File Offset 55296
Size on Disk 32768
Disk Offset 131072
PARTITION ENTRY
------------
Data Block Name TZ
Data Block ID 9
Size on File 1024
File Offset 70656
Size on Disk 16384
Disk Offset 163840
PARTITION ENTRY
------------
Data Block Name MODEM_ST1
Data Block ID 10
Size on File 0
File Offset 71680
Size on Disk 16384
Disk Offset 180224
PARTITION ENTRY
------------
Data Block Name MODEM_ST2
Data Block ID 11
Size on File 0
File Offset 71680
Size on Disk 16384
Disk Offset 196608
PARTITION ENTRY
------------
Data Block Name PERSIST
Data Block ID 12
Size on File 16384
File Offset 71680
Size on Disk 16384
Disk Offset 212992
PARTITION ENTRY
------------
Data Block Name RECOVERY
Data Block ID 13
Size on File 17408
File Offset 88064
Size on Disk 32768
Disk Offset 229376
PARTITION ENTRY
------------
Data Block Name MDM
Data Block ID 14
Size on File 57344
File Offset 105472
Size on Disk 65536
Disk Offset 262144
PARTITION ENTRY
------------
Data Block Name M9K_EFS1
Data Block ID 15
Size on File 0
File Offset 162816
Size on Disk 16384
Disk Offset 327680
PARTITION ENTRY
------------
Data Block Name M9K_EFS2
Data Block ID 16
Size on File 0
File Offset 162816
Size on Disk 16384
Disk Offset 344064
PARTITION ENTRY
------------
Data Block Name M9K_EFS3
Data Block ID 17
Size on File 0
File Offset 162816
Size on Disk 16384
Disk Offset 360448
PARTITION ENTRY
------------
Data Block Name FSG
Data Block ID 18
Size on File 0
File Offset 162816
Size on Disk 16384
Disk Offset 376832
PARTITION ENTRY
------------
Data Block Name SSD
Data Block ID 19
Size on File 0
File Offset 162816
Size on Disk 32768
Disk Offset 393216
PARTITION ENTRY
------------
Data Block Name BSP
Data Block ID 20
Size on File 0
File Offset 162816
Size on Disk 16384
Disk Offset 425984
PARTITION ENTRY
------------
Data Block Name BLB
Data Block ID 21
Size on File 0
File Offset 162816
Size on Disk 32768
Disk Offset 442368
PARTITION ENTRY
------------
Data Block Name TOMBSTONES
Data Block ID 22
Size on File 1024
File Offset 162816
Size on Disk 147456
Disk Offset 475136
PARTITION ENTRY
------------
Data Block Name DRM
Data Block ID 23
Size on File 0
File Offset 163840
Size on Disk 16384
Disk Offset 622592
PARTITION ENTRY
------------
Data Block Name FOTA
Data Block ID 24
Size on File 0
File Offset 163840
Size on Disk 49152
Disk Offset 638976
PARTITION ENTRY
------------
Data Block Name MISC
Data Block ID 25
Size on File 0
File Offset 163840
Size on Disk 16384
Disk Offset 688128
PARTITION ENTRY
------------
Data Block Name TZ_BKP
Data Block ID 26
Size on File 0
File Offset 163840
Size on Disk 16384
Disk Offset 704512
PARTITION ENTRY
------------
Data Block Name SYSTEM
Data Block ID 27
Size on File 1720320
File Offset 163840
Size on Disk 1720320
Disk Offset 720896
PARTITION ENTRY
------------
Data Block Name CACHE
Data Block ID 28
Size on File 0
File Offset 1884160
Size on Disk 655360
Disk Offset 2441216
PARTITION ENTRY
------------
Data Block Name WALLPAPER
Data Block ID 29
Size on File 0
File Offset 1884160
Size on Disk 16384
Disk Offset 3096576
PARTITION ENTRY
------------
Data Block Name USERDATA
Data Block ID 30
Size on File 0
File Offset 1884160
Size on Disk 4587520
Disk Offset 3112960
PARTITION ENTRY
------------
Data Block Name MPT
Data Block ID 31
Size on File 0
File Offset 1884160
Size on Disk 32768
Disk Offset 7700480
PARTITION ENTRY
------------
Data Block Name GROW
Data Block ID 32
Size on File 20480
File Offset 1884160
Size on Disk 21000000
Disk Offset 7733248
Code:
Reading AP Header...
Writing Files...
Writing File : 1-MODEM.img -- DONE --
Writing File : 2-SBL1.img -- DONE --
Writing File : 3-SBL2.img -- DONE --
Writing File : 4-EXT.img -- DONE --
Writing File : 5-RPM.img -- DONE --
Writing File : 6-SBL3.img -- DONE --
Writing File : 7-ABOOT.img -- DONE --
Writing File : 8-BOOT.img -- DONE --
Writing File : 9-TZ.img -- DONE --
Writing File : 10-MODEM_ST1.img -- DONE --
Writing File : 11-MODEM_ST2.img -- DONE --
Writing File : 12-PERSIST.img -- DONE --
Writing File : 13-RECOVERY.img -- DONE --
Writing File : 14-MDM.img -- DONE --
Writing File : 15-M9K_EFS1.img -- DONE --
Writing File : 16-M9K_EFS2.img -- DONE --
Writing File : 17-M9K_EFS3.img -- DONE --
Writing File : 18-FSG.img -- DONE --
Writing File : 19-SSD.img -- DONE --
Writing File : 20-BSP.img -- DONE --
Writing File : 21-BLB.img -- DONE --
Writing File : 22-TOMBSTONES.img -- DONE --
Writing File : 23-DRM.img -- DONE --
Writing File : 24-FOTA.img -- DONE --
Writing File : 25-MISC.img -- DONE --
Writing File : 26-TZ_BKP.img -- DONE --
Writing File : 27-SYSTEM.img -- DONE --
Writing File : 28-CACHE.img -- DONE --
Writing File : 29-WALLPAPER.img -- DONE --
Writing File : 30-USERDATA.img -- DONE --
Writing File : 31-MPT.img -- DONE --
Writing File : 32-GROW.img -- DONE --
Finished
PS : @xonar_ If you need any flash file LG pm me i have all files LG
---------- Post added at 01:25 AM ---------- Previous post was at 12:25 AM ----------
LG Optimus LTE2 F160 working
Code:
GPT HEADER
----------
Signature 45 46 49 20 50 41 52 54
Revision 65536
Header Size 92
CRC32 of Header 93 23 A2 52
Current Header LBA 1
Backup Header LBA 30535679
First Usable LBA 34
Last Usable LBA 30535646
Disk GUID 32 1B 10 98 E2 BB F2 4B A0 6E 2B B3 3D 00 0C 20
Start of Partition Entries 2
Number of Partition Entries 32
Size of Partition Entries 128
CRC32 of Partition Array 2A A9 B7 BD
PARTITION ENTRIES
-----------------
PARTITION ENTRY
---------------
Partition Type GUID A2 A0 D0 EB E5 B9 33 44 87 C0 68 B6 B7 26 99 C7
Unique Partition GUID 72 05 1F 0E 0C 89 89 B5 F4 D4 0E 5D 04 65 52 1E
First LBA 16384
Last LBA 147455
Attributes 8
Partition Name modem
PARTITION ENTRY
---------------
Partition Type GUID 2C BA A0 DE DD CB 05 48 B4 F9 F4 28 25 1C 3E 98
Unique Partition GUID 9A 00 DF 9C DE F9 95 65 62 3C 0F 15 D6 1A 75 6B
First LBA 147456
Last LBA 148479
Attributes 0
Partition Name sbl1
PARTITION ENTRY
---------------
Partition Type GUID AD 52 6B 8C 9E 8A 98 43 AD 09 AE 91 6E 53 AE 2D
Unique Partition GUID F1 EC 20 B2 C4 FA 8B FC 06 D2 4F 33 72 B6 0F D2
First LBA 148480
Last LBA 149503
Attributes 0
Partition Name sbl2
PARTITION ENTRY
---------------
Partition Type GUID DF 44 E0 05 F1 92 25 43 B6 9E 37 4A 82 E9 7D 6E
Unique Partition GUID A8 87 F8 53 B8 47 22 FA A9 2B 91 26 94 F6 19 2B
First LBA 149504
Last LBA 151551
Attributes 0
Partition Name sbl3
PARTITION ENTRY
---------------
Partition Type GUID CD FD 0F 40 E0 22 E7 47 9A 23 F1 6E D9 38 23 88
Unique Partition GUID 2A D1 EA 8A 29 76 F5 14 50 CD FA D5 2D 9F 41 26
First LBA 151552
Last LBA 152575
Attributes 0
Partition Name aboot
PARTITION ENTRY
---------------
Partition Type GUID 93 F7 8D 09 12 D7 3D 41 9D 4E 89 D7 11 77 22 28
Unique Partition GUID F7 5A 4B 53 B7 53 FB FF 4C F1 26 3A AD 9D C9 12
First LBA 152576
Last LBA 153599
Attributes 0
Partition Name rpm
PARTITION ENTRY
---------------
Partition Type GUID 86 7F 11 20 85 E9 57 43 B9 EE 37 4B C1 D8 48 7D
Unique Partition GUID 7A C9 D2 E5 B5 2A 04 6C BE 24 C7 AE 35 55 01 B2
First LBA 163840
Last LBA 188415
Attributes 8
Partition Name boot
PARTITION ENTRY
---------------
Partition Type GUID 7F AA 53 A0 B8 40 1C 4B BA 08 2F 68 AC 71 A4 F4
Unique Partition GUID F9 09 61 B9 4F 99 AF 89 FF C3 F3 16 99 B0 E3 A9
First LBA 196608
Last LBA 197631
Attributes 0
Partition Name tz
PARTITION ENTRY
---------------
Partition Type GUID 38 68 4A 00 2A 06 DF 44 81 52 4F 34 0C 05 22 5D
Unique Partition GUID BC 83 9C AC D5 BF F4 36 1C 0F D4 63 6F AD 23 07
First LBA 197632
Last LBA 197633
Attributes 0
Partition Name pad
PARTITION ENTRY
---------------
Partition Type GUID 3E 37 13 20 C4 1A 31 41 B0 F8 91 58 F9 65 4F 4F
Unique Partition GUID 46 F4 88 C2 2C 7A 4A AD 17 28 DD 70 10 8B BD AD
First LBA 197634
Last LBA 203777
Attributes 0
Partition Name modemst1
PARTITION ENTRY
---------------
Partition Type GUID 3E 37 13 20 C4 1A 31 41 B0 F8 91 58 F9 65 4F 4F
Unique Partition GUID 0A E8 2B 7F B8 CF 52 3E C2 7E 52 26 3E 03 B5 35
First LBA 203778
Last LBA 209921
Attributes 0
Partition Name modemst2
PARTITION ENTRY
---------------
Partition Type GUID AF 3D C6 0F 83 84 72 47 8E 79 3D 69 D8 47 7D E4
Unique Partition GUID 85 78 29 24 17 62 3D 36 A4 4B E9 47 10 87 AD 67
First LBA 212992
Last LBA 229375
Attributes 8
Partition Name sns
PARTITION ENTRY
---------------
Partition Type GUID 54 05 D3 6C 5D 5F EF 40 82 FE 10 92 35 9F 92 EE
Unique Partition GUID DC BF D4 C1 2E 63 5D 16 3F 45 88 4F 2A 36 86 3C
First LBA 229376
Last LBA 262143
Attributes 0
Partition Name misc
PARTITION ENTRY
---------------
Partition Type GUID AF 3D C6 0F 83 84 72 47 8E 79 3D 69 D8 47 7D E4
Unique Partition GUID 8E C6 02 A3 3F DC 79 98 12 7F 02 BE 38 F7 D4 6B
First LBA 262144
Last LBA 2359295
Attributes 8
Partition Name system
PARTITION ENTRY
---------------
Partition Type GUID AF 3D C6 0F 83 84 72 47 8E 79 3D 69 D8 47 7D E4
Unique Partition GUID E2 F2 D0 8D 3E D2 D0 90 E9 45 09 EA 7E 8F 2C 97
First LBA 2359296
Last LBA 29589503
Attributes 8
Partition Name userdata
PARTITION ENTRY
---------------
Partition Type GUID AF 3D C6 0F 83 84 72 47 8E 79 3D 69 D8 47 7D E4
Unique Partition GUID F7 2D 03 28 16 E8 78 07 D0 84 1B 08 6F 5B 6D 39
First LBA 29589504
Last LBA 29605887
Attributes 8
Partition Name persist
PARTITION ENTRY
---------------
Partition Type GUID AF 3D C6 0F 83 84 72 47 8E 79 3D 69 D8 47 7D E4
Unique Partition GUID 21 6C AF DC 30 3D D9 D9 3F AE 56 42 4C 0F 66 AC
First LBA 29605888
Last LBA 30146559
Attributes 8
Partition Name cache
PARTITION ENTRY
---------------
Partition Type GUID AF 3D C6 0F 83 84 72 47 8E 79 3D 69 D8 47 7D E4
Unique Partition GUID 26 4F D8 D1 AC 24 CC CA EA 7F E1 F0 E5 6C FD 61
First LBA 30146560
Last LBA 30294015
Attributes 0
Partition Name tombstones
PARTITION ENTRY
---------------
Partition Type GUID 86 7F 11 20 85 E9 57 43 B9 EE 37 4B C1 D8 48 7D
Unique Partition GUID BB 74 76 DD 1D 6B 07 56 23 FB 94 96 7A 52 0A DC
First LBA 30294016
Last LBA 30318591
Attributes 8
Partition Name recovery
PARTITION ENTRY
---------------
Partition Type GUID 3E 37 13 20 C4 1A 31 41 B0 F8 91 58 F9 65 4F 4F
Unique Partition GUID 7C 48 3D 02 F0 90 E3 39 F7 14 BA D1 D9 BD 76 C8
First LBA 30318592
Last LBA 30324735
Attributes 8
Partition Name fsg
PARTITION ENTRY
---------------
Partition Type GUID 42 E7 86 2C 5E 74 DD 4F BF D8 B6 A7 AC 63 87 72
Unique Partition GUID 9B 2F 13 2B 51 11 1E C2 30 66 A0 E7 08 BC BF DF
First LBA 30324736
Last LBA 30324751
Attributes 8
Partition Name ssd
PARTITION ENTRY
---------------
Partition Type GUID AF 3D C6 0F 83 84 72 47 8E 79 3D 69 D8 47 7D E4
Unique Partition GUID 75 44 C3 7D E2 05 C3 88 22 1B 8A 2D D1 D9 E4 FA
First LBA 30326784
Last LBA 30343167
Attributes 0
Partition Name drm
PARTITION ENTRY
---------------
Partition Type GUID AC 9C 14 00 9B ED 01 48 9A E9 6D F9 60 3A 18 27
Unique Partition GUID 55 D9 D2 33 14 1A 58 56 F8 47 15 23 E1 B9 A4 07
First LBA 30343168
Last LBA 30408703
Attributes 0
Partition Name fota
PARTITION ENTRY
---------------
Partition Type GUID AF 3D C6 0F 83 84 72 47 8E 79 3D 69 D8 47 7D E4
Unique Partition GUID 38 9D 3B B9 01 35 EA F7 BA 61 44 35 4F AE 2C 73
First LBA 30408704
Last LBA 30474239
Attributes 0
Partition Name mpt
PARTITION ENTRY
---------------
Partition Type GUID BB 51 9C 73 F9 7A 0A 45 88 49 FF 4F 3D 94 CC AF
Unique Partition GUID EB 58 E9 92 44 82 6E A3 9C 07 F8 60 1D 46 AB 8E
First LBA 30474240
Last LBA 30475263
Attributes 0
Partition Name tzbak
PARTITION ENTRY
---------------
Partition Type GUID 11 84 CC 6A A5 68 18 41 BA B0 07 FA 12 72 B4 9B
Unique Partition GUID 8C 02 6E 7C 87 46 63 0D 71 93 68 7C 2A 4A D8 73
First LBA 30475264
Last LBA 30476287
Attributes 0
Partition Name rpmbak
PARTITION ENTRY
---------------
Partition Type GUID 95 F5 3E 32 7A AF FA 4A 80 60 97 BE 72 84 1B B9
Unique Partition GUID 47 79 8A 0B 52 C4 79 9B 2A 90 81 4E FC A8 E0 77
First LBA 30476288
Last LBA 30477311
Attributes 0
Partition Name encrypt
PARTITION ENTRY
---------------
Partition Type GUID 73 75 D2 A7 3C A5 E7 4C 87 BC 4D 35 12 FF C8 64
Unique Partition GUID 96 9C 90 E9 54 25 10 09 5A B6 CB 7E D3 1E 79 1D
First LBA 30490624
Last LBA 30523391
Attributes 8
Partition Name reserved
PARTITION ENTRY
---------------
Partition Type GUID AF 3D C6 0F 83 84 72 47 8E 79 3D 69 D8 47 7D E4
Unique Partition GUID 88 8D 1A E1 EF BF 80 A7 58 89 13 B3 AF AD 5E A3
First LBA 30523392
Last LBA 30535646
Attributes 0
Partition Name grow
Q:\LG\LG-F160L>
Doesn't work on my G
It force closes when I try to use -daph
KhmerHacker said:
It force closes when I try to use -daph
What firmware did you try it on?
Success with your tools
Thanks xonar. With your tools, I succeeded with the Optimus Vu F100L ROM: F100L29j_00.kdz. But the ext2read tool you mentioned cannot see the ext4 26-SYSTEM.img, but I mounted it in Linux and got the right result as below:
mkdir
mount -t ext4 -o loop 26-SYSTEM.img /tmp
Thanks very much, a question:
After I make changes to the img file, how can I repack the img into a tot file? Do I need to change the wdb, dll, wdh files also?
Anyone who can help is welcome.
flyhigher76 said:
Thanks xonar. With your tools, I succeeded with the Optimus Vu F100L ROM: F100L29j_00.kdz. But the ext2read tool you mentioned cannot see the ext4 26-SYSTEM.img, but I mounted it in Linux and got the right result as below:
mkdir
mount -t ext4 -o loop 26-SYSTEM.img /tmp
Not sure why ext2read doesn't work, but if it works in Linux it should be correct.
flyhigher76 said:
Thanks very much, a question:
After I make changes to the img file, how can I repack the img into a tot file? Do I need to change the wdb, dll, wdh files also?
Anyone who can help is welcome.
It's possible to recreate the tot file from the extracted partitions, but a mistake can make your phone Hard Bricked. I wouldn't recommend doing that.
Change Optimus Vu Language
xonar_ said:
Not sure why ext2read doesn't work, but if it works in Linux it should be correct.
It's possible to recreate the tot file from the extracted partitions, but a mistake can make your phone Hard Bricked. I wouldn't recommend doing that.
I like the Optimus Vu very much, for its unique size and its first-class panel display attract me. But unfortunately, it is not in Chinese, also when I make a call I must choose to call local or call Korea. I'm tired of this, so I want to have a custom system of my own. The difficulty is that I cannot get control of /system because root fails many times, so I cannot change any apk and jar in /system. I hope I can modify the ROM as I have done with the Galaxy Note, and fortunately found this thread.
I know tot format file since I own this optimus Vu, so I have no idea about this format. Can you give me some information about this format, like some website?
vmt.
flyhigher76 said:
I know tot format file since I own this optimus Vu, so I have no idea about this format. Can you give me some information about this format, like some website?
vmt.
There's the source code of my tool.
THIS TUTORIAL IS ONLY FOR HARD BRICKED DEVICES.
HARD BRICK MEANS NO FLASHMODE AND NO FASTBOOT.
IN ORDER TO PROCEED DISASSEMBLY OF YOUR DEVICE IS REQUIRED.
IF YOU HAVE WARRANTY, STOP READING THIS, GO TO THE SONY SERVICE AND PLAY STUPID.
AS AFTER OPENING YOUR DEVICE, YOUR WARRANTY IS 100% VOID.
I AM NOT RESPONSIBLE FOR ANY DAMAGE.
YOU'VE BEEN WARNED.
you need to write back original security units.
this is only possible, if you do have original trim area backup.
you can make it with this way :
using winhex save all unit data as "hex ascii" and add command
Code:
tawrite:0002<unit number, 4 hex digits><unit data>
you need to find and prepare like this 3 critical units : 07D3, 07DA, 0851
then copy result units into file with extension .gdfs and zip it into file with extension .SIN_FILE_SET
and you can use this way.
Let's get started.
1. Download HARD BRICK RECOVERY & ggsetup :
Code:
http://www.mediafire.com/download/cqk9sl2ec56c65j/ggsetup-3.0.0.7.zip
http://www.mediafire.com/download/d0c01h9i9biqxc7/HARD+BRICK+RECOVERY.zip
2. Install ggsetup-3.0.0.7.exe
3. Open the back cover of your device.
4. Find the test point (See attachments).
5. Disconnect a battery, connect a usb cable. LED RED will start to blink.
6. Using the paper clip connect your test point with the GND. I used the metal shield in the middle of the motherboard.
7. Open the device manager, you should see SEMC Flash Device. If no, you did something wrong.
8. Disconnect your phone from computer.
9. Repeat step 5.
10. Run the s1tool and select S1 EMERGENCY MODE for the phone type.
11. Press the flash button, and choose the repair script file for your device.
12. Press testpoint ready and repeat step 6.
13. Remove the testpoint and press READY when the program asks you to do so.
14. Press the flash button, and choose the APP & FSP file for your device.
15. Press testpoint ready and repeat step 6.
16. Remove the testpoint and press READY when the program asks you to do so.
17. If the flash was successful, you may disconnect your phone from USB, connect your battery and try to boot. You may have to charge your battery.
18. Now you must root phone, restore full trim area backup.
P.S.
I was not able to flash on Windows 8 64-bit, but I flashed without problems on 7.
I would like to thank:
http://forum.xda-developers.com/member.php?u=3665957 for making the software.
http://forum.xda-developers.com/member.php?u=3508509 for text.
in HARD BRICK RECOVERY package there are some other things :
1-XperiFirm_2.5 → for download FILE of rom .
2-ma3d.exe →for make APP & FSP from FILE (you have it when you download package).
3-DooMLoRD_Easy-Rooting-Toolkit_v18_perf-event-exploit → for root your phone.
4-Backup-TA-9.11 → for restore your original TA backup after your phone get start and work normally.
Amazing. Unfortunately I have hard bricked V.
So to unbrick my sxv I just need script made from TA backup?
Nice to see so useful info. :good: Thanks for TestPoint location.
Here is my TA backup.
View attachment TA-backup-20131114.094208.zip
ElArchibald said:
Amazing. Unfortunately I have hard bricked V.
So to unbrick my sxv I just need script made from TA backup?
Nice to see so useful info. :good: Thanks for TestPoint location.
Here is my TA backup.
View attachment 2982634
I have just told him, so plz wait until he makes it for you.
here is script, however it is very easy to make script yourself :
using winhex save all unit data as "hex ascii" and add command
Code:
tawrite:0002<unit number, 4 hex digits><unit data>
you need to find and prepare like this 3 critical units : 07D3, 07DA, 0851
then copy result units into file with extension .gdfs and zip it into file with extension .SIN_FILE_SET
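The script-building step described in the post above, as an added example that is not part of the original post or of s1tool: it reads a text TA dump, checks every unit against its declared length, and emits `tawrite` lines for the three critical units only. The input layout (`<unit, 8 hex digits> <length, 4 hex digits> <data bytes>`, with data allowed to wrap onto following lines), the `\n` line endings, the `repair.gdfs` file name and all function names are assumptions; the sample dump is constructed.

```python
import io
import re
import zipfile

# Units the thread names as critical for the repair script.
CRITICAL_UNITS = (0x07D3, 0x07DA, 0x0851)

HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")
HEX4 = re.compile(r"^[0-9A-Fa-f]{4}$")
HEX2 = re.compile(r"^[0-9A-Fa-f]{2}$")

# Constructed sample in the assumed layout; unit 07DA wraps onto a second line.
SAMPLE_DUMP = """\
000007D3 0006 01 02 03 04 05 06
000007DA 0005 AA BB CC
DD EE
00000851 0004 DE AD BE EF
000008B2 0002 11 22
"""


def parse_s1_dump(text):
    """Return {unit_number: bytes}; raise ValueError on any malformed unit."""
    units = {}      # unit number -> collected data
    declared = {}   # unit number -> length stated in the header
    current = None
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if not tokens:
            continue
        if len(tokens) >= 2 and HEX8.match(tokens[0]) and HEX4.match(tokens[1]):
            current = int(tokens[0], 16)
            if current in units:
                raise ValueError("line %d: unit %04X appears twice" % (lineno, current))
            units[current] = bytearray()
            declared[current] = int(tokens[1], 16)
            tokens = tokens[2:]
        elif current is None:
            raise ValueError("line %d: data before any unit header" % lineno)
        for tok in tokens:
            if not HEX2.match(tok):
                raise ValueError("line %d: %r is not a hex byte" % (lineno, tok))
            units[current].append(int(tok, 16))
    # A truncated copy-paste would otherwise produce a short security unit.
    for unit, data in units.items():
        if len(data) != declared[unit]:
            raise ValueError("unit %04X: header says %d bytes, dump has %d"
                             % (unit, declared[unit], len(data)))
    return {unit: bytes(data) for unit, data in units.items()}


def build_tawrite_script(units, wanted=CRITICAL_UNITS):
    """Build 'tawrite:0002<unit, 4 hex digits><unit data>' lines for the wanted units."""
    lines = []
    for unit in wanted:
        if unit not in units:
            raise ValueError("unit %04X missing from backup" % unit)
        if unit > 0xFFFF:
            raise ValueError("unit %X does not fit in 4 hex digits" % unit)
        lines.append("tawrite:0002%04X%s" % (unit, units[unit].hex().upper()))
    return "\n".join(lines) + "\n"


def package(script, gdfs_name="repair.gdfs"):
    """Zip the script as a .gdfs member; save the result with a .SIN_FILE_SET extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(gdfs_name, script)
    return buf.getvalue()


if __name__ == "__main__":
    script = build_tawrite_script(parse_s1_dump(SAMPLE_DUMP))
    print(script, end="")
    print("package size: %d bytes" % len(package(script)))
```

Refusing to build when a critical unit is missing or shorter than its declared length keeps a damaged backup from being turned into a repair script.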
Just a question, if there is no TA Backup, we can't restore phone?
nope, this is not possible.
at least for now.
I didn't brick my XV right now
I just forgot to backup TA before unlocking bootloader, I'm just thinking about a backup for ultra emergency situations
Can I somehow take backup now?
Aria.A97 said:
I didn't brick my XV right now
I just forgot to backup TA before unlocking bootloader, I'm just thinking about a backup for ultra emergency situations
Can I somehow take backup now?
You can make a backup but it will not contain DRM keys as you have unlocked the bootloader.
You can backup via Backup TA v9.11, or use FlashTool (File > Switch Pro then Advanced > Trim Area > Backup), you also can make S1 Dump (Advanced > Trim Area > S1 Dump), I think S1 Dump can be used in *.ftf file since it has an *.ta extension.
ElArchibald said:
You can make a backup but it will not contain DRM keys as you have unlocked the bootloader.
You can backup via Backup TA v9.11, or use FlashTool (File > Switch Pro then Advanced > Trim Area > Backup), you also can make S1 Dump (Advanced > Trim Area > S1 Dump), I think S1 Dump can be used in *.ftf file since it has an *.ta extension.
OK. Thanks. I backed up with TA Backup on Carbon ROM (BTW F*** those DRM keys, I never use Sony Stock ROMs, I flashed CM 10.2 just 6 hours after buying my phone at 3:35 A.M )
BTW what's the difference between with flashtools & making S1 Dump and just backing up with TA Backup?
Aria.A97 said:
OK. Thanks. I backed up with TA Backup on Carbon ROM (BTW F*** those DRM keys, I never use Sony Stock ROMs, I flashed CM 10.2 just 6 hours after buying my phone at 3:35 A.M )
BTW what's the difference between with flashtools & making S1 Dump and just backing up with TA Backup?
No difference between TA Backup and FlashTool, they make raw TA partition dump.
S1 Dump makes flashable *.ta file which can be added into FTF bundle.
Example: Part of the contents of my S1 dump. said:
sony v hard brick
Hi everybody
Special thanks to the friend with the good information. I have rooted my Sony Xperia V and had no problem with root. After that I tried to make 2 partitions on the SD card, and my Sony went into a boot loop. While the device was booting I disconnected the battery to take out the SD card and put it back to 1 partition. My Sony does not start again: no power on, no response to charger, to computer, and to flash tools, completely dead.
I used your site's information but the LED does not blink. When I try to connect to the PC, the PC hangs and there is no response. Please help me repair my device.
Thanks
the_laser said:
here is script, however it is very easy to make script yourself : View attachment 2983316
using winhex save all unit data as "hex ascii" and add command
Code:
tawrite:0002<unit number, 4 hex digits><unit data>
you need to find and prepare like this 3 critical units : 07D3, 07DA, 0851
then copy result units into file with extension .gdfs and zip it into file with extension .SIN_FILE_SET
I tried to repair phone, but seems something wrong. It won't start flashing process.
Phone recognized as ZEUS Flash Device (USB\VID_05C6&PID_9008&REV_0000) when i connect testpoint.
After these steps
10. Run the s1tool and select S1 EMERGENCY MODE for the phone type.
11. Press the flash button, and choose the repair script file for your device.
12. Press testpoint ready and repeat step 6.
13. Remove the testpoint and press READY when the program asks you to do so.
Device recognized as SOMC Flash Device (USB\VID_0FCE&PID_ADDE&REV_0100)
Here S1Tool log:
Code:
29.10.2014 14:56:50 Welcome to S1 tool.
29.10.2014 14:56:50 That is small and crippled subset of SETOOL2 service tool.
29.10.2014 14:57:10
29.10.2014 14:57:10 SELECT FIRMWARE PACKAGES
29.10.2014 14:57:10 YOU CAN SELECT SEVERAL PACKAGES WITH CTRL BUTTON
29.10.2014 14:57:13 CHECKING PACKAGES ...
29.10.2014 14:57:13
29.10.2014 14:57:13 DETACH USB CABLE FROM PHONE
29.10.2014 14:57:13 REMOVE BATTERY FROM PHONE
29.10.2014 14:57:13 ATTACH TESTPOINT
29.10.2014 14:57:13 PRESS "READY", THEN ATTACH USB CABLE TO PHONE
29.10.2014 14:57:13
29.10.2014 14:57:23 will use DLOAD protocol ...
29.10.2014 14:57:23 0808010600900000
29.10.2014 14:57:23 0D0F50424C5F446C6F6164564552322E30
29.10.2014 14:57:23 162001000100
29.10.2014 14:57:23 17004001000100E1506B00
29.10.2014 14:57:23 PRODUCT DETECTED: "SONY MSM8960-3 OEM1 Fused"
29.10.2014 14:57:23 1801000F43240892D02F0DC96313C81351B40FD5029ED98FF9EC7074DDAE8B05CDC8E1
29.10.2014 14:57:23 PROCESSING ...
29.10.2014 14:57:25 REMOVE TESTPOINT NOW, THEN PRESS "READY"
29.10.2014 14:57:25
29.10.2014 14:57:29 Emergency loader uploaded ...
29.10.2014 14:57:30
29.10.2014 14:57:30 RUNNING S1_PRELOADER VER "R5F001"
29.10.2014 14:57:30 LOADER AID: 0001
29.10.2014 14:57:33 DEVICE ID: 71C58D09
29.10.2014 14:57:33 FLASH ID: "0015/00000000"
29.10.2014 14:57:33 LOADER VERSION: "R5F001"
29.10.2014 14:57:33
29.10.2014 14:57:33 WRITING PACKAGES ...
29.10.2014 14:57:33 Elapsed:23 secs.
29.10.2014 14:57:57
29.10.2014 14:57:57 SELECT FIRMWARE PACKAGES
29.10.2014 14:57:57 YOU CAN SELECT SEVERAL PACKAGES WITH CTRL BUTTON
29.10.2014 14:58:33 CHECKING PACKAGES ...
29.10.2014 14:58:33
29.10.2014 14:58:33 DETACH USB CABLE FROM PHONE
29.10.2014 14:58:33 REMOVE BATTERY FROM PHONE
29.10.2014 14:58:33 ATTACH TESTPOINT
29.10.2014 14:58:33 PRESS "READY", THEN ATTACH USB CABLE TO PHONE
29.10.2014 14:58:33
29.10.2014 14:58:48 will use DLOAD protocol ...
29.10.2014 14:58:48 0808010600900000
29.10.2014 14:58:48 0D0F50424C5F446C6F6164564552322E30
29.10.2014 14:58:48 162001000100
29.10.2014 14:58:48 17004001000100E1506B00
29.10.2014 14:58:48 PRODUCT DETECTED: "SONY MSM8960-3 OEM1 Fused"
29.10.2014 14:58:48 1801000F43240892D02F0DC96313C81351B40FD5029ED98FF9EC7074DDAE8B05CDC8E1
29.10.2014 14:58:48 PROCESSING ...
29.10.2014 14:58:49 REMOVE TESTPOINT NOW, THEN PRESS "READY"
29.10.2014 14:58:49
29.10.2014 14:58:53 Emergency loader uploaded ...
29.10.2014 14:58:54
29.10.2014 14:58:54 RUNNING S1_PRELOADER VER "R5F001"
29.10.2014 14:58:54 LOADER AID: 0001
29.10.2014 14:58:56 DEVICE ID: 71C58D09
29.10.2014 14:58:56 FLASH ID: "0015/00000000"
29.10.2014 14:58:56 LOADER VERSION: "R5F001"
29.10.2014 14:58:56
29.10.2014 14:58:56 WRITING PACKAGES ...
29.10.2014 14:58:56 Elapsed:59 secs.
29.10.2014 14:59:12
29.10.2014 14:59:12 SELECT FIRMWARE PACKAGES
29.10.2014 14:59:12 YOU CAN SELECT SEVERAL PACKAGES WITH CTRL BUTTON
29.10.2014 14:59:18 CHECKING PACKAGES ...
29.10.2014 14:59:18
29.10.2014 14:59:18 DETACH USB CABLE FROM PHONE
29.10.2014 14:59:18 REMOVE BATTERY FROM PHONE
29.10.2014 14:59:18 ATTACH TESTPOINT
29.10.2014 14:59:18 PRESS "READY", THEN ATTACH USB CABLE TO PHONE
29.10.2014 14:59:18
29.10.2014 14:59:36 will use DLOAD protocol ...
29.10.2014 14:59:36 0808010600900000
29.10.2014 14:59:36 0D0F50424C5F446C6F6164564552322E30
29.10.2014 14:59:36 162001000100
29.10.2014 14:59:36 17004001000100E1506B00
29.10.2014 14:59:36 PRODUCT DETECTED: "SONY MSM8960-3 OEM1 Fused"
29.10.2014 14:59:36 1801000F43240892D02F0DC96313C81351B40FD5029ED98FF9EC7074DDAE8B05CDC8E1
29.10.2014 14:59:36 PROCESSING ...
29.10.2014 14:59:38 REMOVE TESTPOINT NOW, THEN PRESS "READY"
29.10.2014 14:59:38
29.10.2014 14:59:41 Emergency loader uploaded ...
29.10.2014 14:59:42
29.10.2014 14:59:42 RUNNING S1_PRELOADER VER "R5F001"
29.10.2014 14:59:42 LOADER AID: 0001
29.10.2014 14:59:44 DEVICE ID: 71C58D09
29.10.2014 14:59:44 FLASH ID: "0015/00000000"
29.10.2014 14:59:44 LOADER VERSION: "R5F001"
29.10.2014 14:59:44
29.10.2014 14:59:44 WRITING PACKAGES ...
29.10.2014 14:59:44 Elapsed:32 secs.
Last thing that I've done before brick, is wipe in cwm, and accidentally format sdcard0. Could it damage or format whole eMMC? If so, can I repair GPT table, partitions and restore TA somehow?
Is there any way to recover it?
sony v hard brick
The last thing I remember is that my device had the same message as the last friend said (ZEUS flash device). When it connects to the PC the message comes up, and after that the PC hangs until I push the reset button. Please answer to solve this problem. I don't have information about these 07D3-07DA-0851 ????? Please, somebody guide us step by step on how we can bring the device back to life.
@ElArchibald:
did you select the .SIN_FILE_SET package?
if yes - then your phone has a damaged trim area structure and the only way to fix it is to use the JTAG interface to copy the first ~8 MB from a working phone, then use s1tool to restore the security units backup.
the_laser said:
@ElArchibald:
did you select the .SIN_FILE_SET package?
if yes - then your phone has a damaged trim area structure and the only way to fix it is to use the JTAG interface to copy the first ~8 MB from a working phone, then use s1tool to restore the security units backup.
Yes. I selected .SIN_FILE_SET. Thanks for help and info. As I understand, I can only buy a working main board (or cracked phone with working board), and/or find JTAG pinouts to repair my eMMC.
sony v hard brick
I think I can't bring my phone back to life because our friend here didn't have any solution to repair my phone
the_laser said:
@ElArchibald:
did you select the .SIN_FILE_SET package?
if yes - then your phone has a damaged trim area structure and the only way to fix it is to use the JTAG interface to copy the first ~8 MB from a working phone, then use s1tool to restore the security units backup.
@the_laser
Sorry to bother you.
Can I simply do "dd if=/dev/block/mmcblk0 of=/storage/sdcard1/dump.bin bs=8M count=1" on a working device to get the dump? Or is this not enough and I need a dump made through JTAG?
I don't want to disassemble the donor if I find it. And which JTAG solution can I use for Xperia devices 2012-2014?
If so, can somebody make a dump for me?
dump is enough
about JTAG - I recommend RIFF box.
removed
GDFS did not work on my Xperia Z1 Compact. I created the gdfs and was not able to repair the bricked TA; the status was "writing packages" without any error but nothing is written, and the status was always error in header when trying to flash any sin! This might help you -> http://forum.xda-developers.com/showpost.php?p=56571705&postcount=314
Hi All,
I have a bricked HTC One with the QDLoader mode. Under Linux it shows as qualcomm usb modem converter hence I can't use the unbricking tool to revive my phone.
My phone is from US and I have zero support in my country for HTC.
When I researched, I came to know that if somehow I get hold of MPRG8064T.hex and 8064t_msimage.mbn and some other files, I can use QPST to revive my phone. Can the experts at XDA educate me with the possible solution(s) or point me to the files required?
Also, as the same SoC is shared by the following devices, can I use the QPST files from any of these (are these files processor specific only)?
HTC One Max
HTC One
Asus Padfone Infinity
LG Optimus G Pro
Oppo Find 5
Xiaomi Mi-2S
Samsung Galaxy S4 Active
Samsung Galaxy S4 I9505
ZTE Grand Memo
LG G Pad 8.3
Vivo Xplay
Oppo N1
LG GX
JiaYu S1
InFocus IN810
Oppo Find 5 Review
Amazon Fire TV
Panasonic Eluga P P-03E
Pantech Vega Iron InFocus IN815
D-r-e-a-m-e-r said:
Hi All,
I have a bricked HTC One with the QDLoader mode. Under Linux it shows as qualcomm usb modem converter hence I can't use the unbricking tool to revive my phone.
My phone is from US and I have zero support in my country for HTC.
When I researched, I came to know that if somehow I get hold of MPRG8064T.hex and 8064t_msimage.mbn and some other files, I can use QPST to revive my phone. Can the experts at XDA educate me with the possible solution(s) or point me to the files required?
Also, as the same SoC is shared by the following devices, can I use the QPST files from any of these (are these files processor specific only)?
HTC One Max
HTC One
Asus Padfone Infinity
LG Optimus G Pro
Oppo Find 5
Xiaomi Mi-2S
Samsung Galaxy S4 Active
Samsung Galaxy S4 I9505
ZTE Grand Memo
LG G Pad 8.3
Vivo Xplay
Oppo N1
LG GX
JiaYu S1
InFocus IN810
Oppo Find 5 Review
Amazon Fire TV
Panasonic Eluga P P-03E
Pantech Vega Iron InFocus IN815
it's more likely your motherboard is dead and you're SOOL ...sorry
I am also in this dilemma with a friend's phone, but it seems there is no clue about those files... Staying posted & subscribed if something arises...
D-r-e-a-m-e-r said:
I have a bricked HTC One with the QDLoader mode. Under Linux it shows as qualcomm usb modem converter hence I can't use the unbricking tool to revive my phone. [...] When I researched, I came to know that if somehow I get hold of MPRG8064T.hex and 8064t_msimage.mbn and some other files, I can use QPST to revive my phone. Can the experts at XDA educate me with the possible solution(s) or point me to the files required?
Poesini said:
I am also in this dilemma with a friend's phone, but it seems there is no clue about those files... Staying posted & subscribed if something arises...
Me, too. I can't find MPRG8064T.bin/.hex anywhere.
G0DKING said:
Me, too. I can't find MPRG8064T.bin/.hex anywhere.
Actually I might be able to help, hold on, will be back in a few hours
Lol
I swear I saw those files on my desktop.
Sent from my SM-T320 using XDA Free mobile app
shawnsingh said:
Actually I might be able to help, hold on, will be back in a few hours
Lol
I swear I saw those files on my desktop.
Sent from my SM-T320 using XDA Free mobile app
You all should thank for this lol.
Found them going to post in 5 min
Sent from my SM-T320 using XDA Free mobile app
---------- Post added at 05:36 AM ---------- Previous post was at 05:31 AM ----------
MBN MSIMAGE FILE
https://drive.google.com/file/d/0B0j1tztDCRGtTnd4VXgxdTZzbkE/view?usp=sharing
MPRG FILE
https://drive.google.com/file/d/0B0j1tztDCRGtRmhELUtSRlctSmM/view?usp=sharing
shawnsingh said:
You all should thank for this lol.
For sure, man. I saw your first reply and immediately thought to myself, "Awesome! I definitely got to thank him when he uploads the files".
G0DKING said:
For sure, man. I saw your first reply and immediately thought to myself, "Awesome! I definitely got to thank him when he uploads the files".
Lol it's all good, hopefully QPST emmc program works for you
from my SM-T320 using XDA Free mobile app
It didn't work for me; I don't know if my setup is messed or if it's the wrong file, though.
@VBlack, can you let me know what's wrong?
[email protected]:/media/ubuntu/Flashdrive$ ./qdload.py MPRG8064.hex
QDLoad utility version 1.2 (c) VBlack 2014
Found TTY port: /dev/ttyUSB0
Traceback (most recent call last):
  File "./qdload.py", line 815, in <module>
    main()
  File "./qdload.py", line 762, in main
    tty = openTTY(args.ttyPort)
  File "./qdload.py", line 174, in openTTY
    tty = serial.Serial(port=tty_path, baudrate=115200)
  File "/usr/lib/python2.7/dist-packages/serial/serialutil.py", line 261, in __init__
    self.open()
  File "/usr/lib/python2.7/dist-packages/serial/serialposix.py", line 278, in open
    raise SerialException("could not open port %s: %s" % (self._port, msg))
serial.serialutil.SerialException: could not open port /dev/ttyUSB0: [Errno 13] Permission denied: '/dev/ttyUSB0'
G0DKING said:
It didn't work for me; I don't know if my setup is messed or if it's the wrong file, though.
@VBlack, can you let me know what's wrong?
As it is stated - you do not have enough permissions. You should either run the script with sudo, or add your user to the dialout group and relogin to Ubuntu.
Sent from my XT1080 using Tapatalk
VBlack said:
As it is stated - you do not have enough permissions. You should either run the script with sudo, or add your user to the dialout group and relogin to Ubuntu.
Sent from my XT1080 using Tapatalk
Hey VBlack, would you know or can you help us figure out an unbrick method for the Droid RAZR M? We are getting so close but can't make ends meet.
Sent from my SM-T320 using XDA Free mobile app
VBlack said:
As it is stated - you do not have enough permissions. You should either run the script with sudo, or add your user to the dialout group and relogin to Ubuntu.
Sent from my XT1080 using Tapatalk
Sorry about that, I ran it with permissions and it gave me the same error I got before with the MPRG file you supplied:
[email protected]:/media/ubuntu/USB$ sudo ./qdload.py MPRG8064.hex
QDLoad utility version 1.2 (c) VBlack 2014
Found TTY port: /dev/ttyUSB0
Sending MAGIC ...
Failed to read response.
Sending SBL Reset...
Failed to read response.
Done
To be clear, I have 3 different MPRG8064 files (2 .hex and 1 .bin) and all give me this same error. As an experiment, I ran ./qdload.py MPRG8064.bin with NO MPRG file in the folder: same error. Then I ran "./qdload.py MPRG" (i.e. no file number & extension): same error. At this point, I'm not even sure qdload.py is reading the MPRG file. Is there a change I can make to qdload.py to verify/make it show that it's recognizing & reading the MPRG file (i.e. a different error message from when it doesn't recognize the file to when it does but is the wrong .hex/.bin file for that device)?
G0DKING, try to run it like this:
./qdload.py --verbose MPRG8064.hex
If it can't read the file there will be a Python error with a backtrace... If the file is OK, it just sends it to the device. A .bin file should be converted to .hex using some bin2hex utility.
VBlack said:
G0DKING, try to run it like this:
./qdload.py --verbose MPRG8064.hex
If it can't read the file there will be a Python error with a backtrace... If the file is OK, it just sends it to the device. A .bin file should be converted to .hex using some bin2hex utility.
Done, the results for each of the 3 different MPRG8064.hex files, plus a non-existent MPRG0000.hex file, are the same:
[email protected]:/media/ubuntu/USB$ sudo ./qdload.py --verbose MPRG8064A.hex
QDLoad utility version 1.2 (c) VBlack 2014
Found TTY port: /dev/ttyUSB0
/dev/ttyUSB0
SENDING: 7e 06 4e 95 7e
Sending MAGIC ...
SENDING: 7e 01 51 43 4f 4d 20 66 61 73 74 20 64 6f 77 6e 6c 6f 61 64 20 70 72 6f 74 6f 63 6f 6c 20 68 6f 73 74 07 05 09 77 05 7e
Failed to read response.
Sending SBL Reset...
SENDING: 7e 0b ab 4e 7e
Failed to read response.
Done
[email protected]:/media/ubuntu/USB$ sudo ./qdload.py --verbose MPRG8064B.hex
QDLoad utility version 1.2 (c) VBlack 2014
Found TTY port: /dev/ttyUSB0
/dev/ttyUSB0
SENDING: 7e 06 4e 95 7e
Sending MAGIC ...
SENDING: 7e 01 51 43 4f 4d 20 66 61 73 74 20 64 6f 77 6e 6c 6f 61 64 20 70 72 6f 74 6f 63 6f 6c 20 68 6f 73 74 07 05 09 77 05 7e
Failed to read response.
Sending SBL Reset...
SENDING: 7e 0b ab 4e 7e
Failed to read response.
Done
[email protected]:/media/ubuntu/USB$ sudo ./qdload.py --verbose MPRG8064C.hex
QDLoad utility version 1.2 (c) VBlack 2014
Found TTY port: /dev/ttyUSB0
/dev/ttyUSB0
SENDING: 7e 06 4e 95 7e
Sending MAGIC ...
SENDING: 7e 01 51 43 4f 4d 20 66 61 73 74 20 64 6f 77 6e 6c 6f 61 64 20 70 72 6f 74 6f 63 6f 6c 20 68 6f 73 74 07 05 09 77 05 7e
Failed to read response.
Sending SBL Reset...
SENDING: 7e 0b ab 4e 7e
Failed to read response.
Done
[email protected]:/media/ubuntu/USB$ sudo ./qdload.py --verbose MPRG0000.hex
QDLoad utility version 1.2 (c) VBlack 2014
Found TTY port: /dev/ttyUSB0
/dev/ttyUSB0
SENDING: 7e 06 4e 95 7e
Sending MAGIC ...
SENDING: 7e 01 51 43 4f 4d 20 66 61 73 74 20 64 6f 77 6e 6c 6f 61 64 20 70 72 6f 74 6f 63 6f 6c 20 68 6f 73 74 07 05 09 77 05 7e
Failed to read response.
Sending SBL Reset...
SENDING: 7e 0b ab 4e 7e
Failed to read response.
Done
Yes, I'm sorry. The utility loads files on demand, so it is not even going to read it, because it does not get a correct response initially. So your phone is in some different state...
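Added example (not part of any post in this thread, and not code from qdload.py): the three frames in the --verbose output above, decoded. Each frame sits between 0x7e flags and ends with a little-endian CRC-16 (X.25 parameters), and none of them carries a byte of the MPRG file, which is why all four runs print the same thing. The 0x7d escape rule is the usual HDLC convention and is an assumption here, since no frame in the log needs it.

```python
FLAG, ESC = 0x7E, 0x7D

# Copied from the --verbose output quoted in the thread (one run of four).
VERBOSE_LOG = """\
SENDING: 7e 06 4e 95 7e
Sending MAGIC ...
SENDING: 7e 01 51 43 4f 4d 20 66 61 73 74 20 64 6f 77 6e 6c 6f 61 64 20 70 72 6f 74 6f 63 6f 6c 20 68 6f 73 74 07 05 09 77 05 7e
Failed to read response.
Sending SBL Reset...
SENDING: 7e 0b ab 4e 7e
Failed to read response.
"""


def crc16_x25(data):
    """CRC-16 with X.25 parameters: reflected poly 0x8408, init and final XOR 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def encode_frame(payload):
    """Append the CRC, escape flag/escape bytes (assumed HDLC rule), add the flags."""
    body = payload + crc16_x25(payload).to_bytes(2, "little")
    out = bytearray([FLAG])
    for b in body:
        if b in (FLAG, ESC):
            out += bytes([ESC, b ^ 0x20])
        else:
            out.append(b)
    out.append(FLAG)
    return bytes(out)


def decode_frame(raw):
    """Return the command byte, the unescaped payload and whether the CRC matches."""
    if len(raw) < 5 or raw[0] != FLAG or raw[-1] != FLAG:
        raise ValueError("frame must start and end with 0x7e")
    body = bytearray()
    stream = iter(raw[1:-1])
    for b in stream:
        if b == ESC:
            b = next(stream, None)
            if b is None:
                raise ValueError("escape byte at end of frame")
            b ^= 0x20
        body.append(b)
    if len(body) < 3:
        raise ValueError("frame too short for command + CRC")
    payload = bytes(body[:-2])
    return {
        "command": payload[0],
        "payload": payload,
        "crc_ok": crc16_x25(payload) == int.from_bytes(body[-2:], "little"),
    }


def sent_frames(log_text):
    """Decode every 'SENDING:' line of a verbose log."""
    frames = []
    for line in log_text.splitlines():
        if line.startswith("SENDING:"):
            frames.append(decode_frame(bytes.fromhex(line.split(":", 1)[1].strip())))
    return frames


if __name__ == "__main__":
    for frame in sent_frames(VERBOSE_LOG):
        print(hex(frame["command"]), "crc_ok=%s" % frame["crc_ok"], frame["payload"][1:])
```

The second frame's payload is the ASCII string "QCOM fast download protocol host" followed by three bytes, so the tool is still at its opening handshake when the reads time out.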
VBlack said:
Yes, I'm sorry. The utility loads files on demand, so it is not even going to read it, because it does not get a correct response initially. So your phone is in some different state...
Is there a way to edit qdload.py so that it correctly loads the files needed?
Regarding my phone being "in some different state", can you elaborate on that?
I'm just wondering what my options are and what my next step should be in unbricking this phone.
So, since it is not a Motorola phone, it could be another protocol, which is not supported by the tool. You could try my test tool version with verbose printing - it could tell more about the phone state...
http://pastebin.com/hPNaPp15
Sent from my XT1080 using Tapatalk
VBlack said:
So, since it is not a Motorola phone, it could be another protocol, which is not supported by the tool. You could try my test tool version with verbose printing - it could tell more about the phone state...
http://pastebin.com/hPNaPp15
Sent from my XT1080 using Tapatalk
Looks like minor issues with the code:
[email protected]:/media/ubuntu/USB$ sudo ./qdload_1.2.2d.py --verbose MPRG8064A.hex
QDLoad utility version 1.2.2d (c) VBlack 2014
2-1
/dev/ttyUSB0
Found TTY port: /dev/ttyUSB0
/dev/ttyUSB0
Traceback (most recent call last):
  File "./qdload_1.2.2d.py", line 943, in <module>
    main()
  File "./qdload_1.2.2d.py", line 888, in main
    if isStageDBL(tty, images):
  File "./qdload_1.2.2d.py", line 748, in isStageDBL
    for image in images:
TypeError: 'NoneType' object is not iterable
You need to specify a partition table file with -ptf to the script, which contains at least sbl1.mbn
Sent from my XT1080 using Tapatalk
VBlack said:
You need to specify a partition table file with -ptf to the script, which contains at least sbl1.mbn
Sent from my XT1080 using Tapatalk
I need to do that to fix the qdload.py code?
And doesn't pulling those files require a rooted working identical device?
@RO.maniac asked how to relock his v37 bootloader in another thread:
RO.maniac said:
I have a little situation here. on a D6603.
Was running LP, unlocked, andropluskernel, root, xposed. happy.
Relocked bootloader with flashtool.
Updated to N preview using xperia companion.
Unlocked bootloader with flashtool.
That new bootloader, nexus style, was telling me safe boot off and unlocked bootloader.
Wasn't satisfied with the lack of root on N preview, so I decided to go back to stock LP via Xperia Companion. Then I found out the latest update Xperia would flash is MM. I said fine.
Tried to relock bootloader with flashtool, I got ok message but it didn't relock the bootloader. tried a lot of times, different pc, flashtool version, regenerated code. nothing. so no Xperia Companion - no big deal, I just have an obsession with latest official builds, since my main device is a Nexus5. oh, what a nice girl that is. and easy to undress.
flashed a LP .ftf, tried to relock bootloader, no success.
[...]
What the heck happened with the relocking of the bootloader??!!
I'm thinking it has something to do with the new bootloader from N preview which I was running when I unlocked it. Now it won't relock on any version.
The idea of this dev-thread is understanding why S1 v37 is not re-lockable and if there is a way to relock it or downgrade it then relock, without bricking the phone obviously.
@RO.maniac can you, please, provide
- the S1boot part of your cmdline,
- backups of your TA partition before, after upgrading the bootloader,
- any flashtool log?
Thanks in advance.
N preview TA backup & flashtool log
Here you have the flashtool log and two backups of the current TA partition. One is pulled with ADB and one is from TWRP.
https://drive.google.com/file/d/0B0YzIybNxHcQa3E0Q1JJZlBkUU0/view?usp=sharing - TWRP ver.
https://drive.google.com/file/d/0B0YzIybNxHcQRXR2MjQ0Y3UzOWM/view?usp=sharing - ADB ver.
I don't have a TA backup of my old bootloader.
https://drive.google.com/file/d/0B0YzIybNxHcQcWNMMUtWeF9RNFk/view?usp=sharing - flashtool log. Tried to relock three times.
https://drive.google.com/file/d/0B0YzIybNxHcQVk1CZ1RISmhLMWM/view?usp=sharing - current bootloader mode photo.
I am now running N Preview 3, rooted, permissive.
RO.maniac said:
Here you have the flashtool log and two backups of the current TA partition. One is pulled with ADB and one is from TWRP.
Thanks! And no worries for the old TA. Just we can't revert to old version without it.
Can you send me your s1boot partition and the cmdline part with 's1boot'?
Also can you provide me your oem unlock code? (I should be able to find it in your ta partition)
P.S. your name is in plain text in your flashtool log.
nailyk said:
Thanks! And no worries for the old TA. Just we can't revert to old version without it.
Can you send me your s1boot partition and the cmdline part with 's1boot'?
Also can you provide me your oem unlock code? (I should be able to find it in your ta partition)
P.S. your name is in plain text in your flashtool log.
My name is no secret.
I'm not familiar with pulling s1boot partition and the cmdline part with 's1boot'. Do you need anything more than the photo I just popped in the post? - oh, you mean the boot partition and the code in the photo. That s1 upfront blinded me.
https://drive.google.com/open?id=0B0YzIybNxHcQMGxSTUdtdzBzTjQ - boot TWRP backup
Unlock code: C88FB2FFCCE72540
RO.maniac said:
My name is no secret.
I'm not familiar with pulling s1boot partition and the cmdline part with 's1boot'. Do you need anything more than the photo I just popped in the post?
Unlock code: C88FB2FFCCE72540
Awesome! I missed the picture, sorry.
Your fastboot log also says: S1_Boot_MSM8974AC_LA3.0_L_Hero_17, which makes me doubt....
Never read about this version before, and never seen the screen you posted before....
For me, fastboot mode was only blue light.... on this bootloader version.
I will start RE with these elements, thank you.
Do you know exactly when this Hero_L17 version got installed on your phone? Is it coming from a custom rom?
nailyk said:
Awesome! I missed the picture, sorry.
Your fastboot log also says: S1_Boot_MSM8974AC_LA3.0_L_Hero_17, which makes me doubt....
Never read about this version before, and never seen the screen you posted before....
For me, fastboot mode was only blue light.... on this bootloader version.
I will start RE with these elements, thank you.
Do you know exactly when this Hero_L17 version got installed on your phone? Is it coming from a custom rom?
This is the bootloader mode from N preview. Just like the Nexus line. I was really surprised to see it just as on my Nexus5.
Other than stock LP and MM , the only custom rom I've had is RXSW 3.0 which is MM.
I think this Hero_L17 is coming with N preview.
This is what I may seem not to understand. When I flash a complete .ftf doesn't EVERYTHING change, including the bootloader?
You are asking like it's there for some time, surviving .ftf flashes.
---------- Post added at 06:19 PM ---------- Previous post was at 06:17 PM ----------
nailyk said:
Awesome! I missed the picture, sorry.
Your fastboot log also says: S1_Boot_MSM8974AC_LA3.0_L_Hero_17, which makes me doubt....
Never read about this version before, and never seen the screen you posted before....
For me, fastboot mode was only blue light.... on this bootloader version.
I will start RE with these elements, thank you.
Do you know exactly when this Hero_L17 version got installed on your phone? Is it coming from a custom rom?
Also, you should watch my past posts here because I tend to edit them a lot and add things instead of writing a new reply. I will let go of this habit, I promise.
RO.maniac said:
This is what I may seem not to understand. When I flash a complete .ftf doesn't EVERYTHING change, including the bootloader?
You are asking like it's there for some time, surviving .ftf flashes.
AFAIK ftf files are almost the same as flashable zip files: partition binaries and script files.
To check that, some tools give you the ability to unpack ftf files.
So some custom ROM ftf files only flash kernel and system, some others flash everything on the phone. Some others add TA partition modifications.
But as the full boot process is signed, maybe other processes are the cause. That's why I'm digging on.
I hope i didn't miss the point. (my English is really bad )
RO.maniac said:
Also, you should watch my past posts here because I tend to edit them a lot and add things instead of writing a new reply. I will let go of this habit, I promise.
No worries, but as I'm really slow to write my answers I miss some edits. From now on I will double check.
Your English is not that bad. Yes, you got the point and I got it about the .ftf files.
From what I can remember when I flashed a .ftf of N preview 3, the flashtool log listed everything, from boot to some TA. I'll do a backup and reflash just to check. Will post log.
---------- Post added at 07:20 PM ---------- Previous post was at 06:49 PM ----------
nailyk said:
AFAIK ftf files are almost the same as flashable zip files: partition binaries and script files.
To check that, some tools give you the ability to unpack ftf files.
So some custom ROM ftf files only flash kernel and system, some others flash everything on the phone. Some others add TA partition modifications.
But as the full boot process is signed, maybe other processes are the cause. That's why I'm digging on.
I hope i didn't miss the point. (my English is really bad )
https://drive.google.com/open?id=0B0YzIybNxHcQNVA3OTZCM2ZqTm8 - flashtool log of N preview 3 flash
You can continue this little study but just so you know, the screen just died on me. It started flicking all of a sudden and in under an hour it gave away for good. Now is backlit but no color.
So the test object is dead.
For the second time, after the main board water damage. I'm officially done with it. When my friend gets back in the country he'll find out his phone died again. ))
As I've said, my screen died. So I decided to dump the phone and cleaned my pc of flashtool, xperia companion and all that.
Some minutes ago I decided to try another flash because my mind was running scenarios about the facts before the screen just died. What happened exactly before: TWRP backup, updated flashtool at startup, flashed N preview 3, in order to get the log so I can see if that Hero7 bootloader is coming with N preview. And it is indeed.
Booted and the screen was flicking with white flashes on the edges. In a few minutes I saw a vertical black line and then it turned black, but backlight on.
Today I thought, what the hell, flash it again, maybe it's not a hw problem. But now I know it is
So I installed an older version of flashtool, 0.9.18.6, and flashed N preview. Still dead screen
But this version of flashtool RELOCKED my bootloader. I could see the code written to TA and I can flash with Xperia Companion. Too bad I don't have a screen.
One in all, just dump this discussion and everything about my friend's damned Z3. Just close the drawer, as I've done.
RO.maniac said:
https://drive.google.com/open?id=0B0YzIybNxHcQNVA3OTZCM2ZqTm8 - flashtool log of N preview 3 flash
I see from the github there is a branch 0.9.16 so that is a good idea to test with this version.
First, we see the TA block is different between your two tries. First try block n° 8B2, second try 8FD. I can't understand why (same version of flashtool used).
It took me a lot of time because that was not a hexadecimal place in the TA partition but a unit in the TA partition.
Investigations:
For memory, your unlock code is C88FB2FFCCE72540 (in hex: 43 38 38 46 42 32 46 46 43 43 45 37 32 35 34 30),
my unlock code is 481FD30094B6F2FC (in hex: 34 38 31 46 44 33 30 30 39 34 42 36 46 32 46 43)
If we look in the 8B2 unit we find this:
my ta partition after unlocking
Code:
B2 08 00 00  10 00 00 00  C1 E9 F8 3B FF FF FF FF  34 38 31 46 44 33 30 30 39 34 42 36 46 32 46 43
your ta partition after unlocking:
Code:
B2 08 00 00  10 00 00 00  C1 E9 F8 3B FF FF FF FF  43 38 38 46 42 32 46 46 43 43 45 37 32 35 34 30
So our unlock code is present. Why doesn't it work?
If I take a look in my TA partition, before unlocking my bootloader, there is no 8B2 unit.
For the 8FD unit, I cannot find it.
So I cannot understand why your first try did not lock the bootloader. Maybe an issue with the usb cable and/or the booted mode, or just with the download of flashtool.
RO.maniac said:
You can continue this little study but just so you know, the screen just died on me. It started flicking all of a sudden and in under an hour it gave away for good. Now is backlit but no color.
So the test object is dead.
For the second time, after the main board water damage. I'm officially done with it. When my friend gets back in the country he'll find out his phone died again. ))
That's sad. I read some threads about dead backlights but not about screens. Do you think software caused this?
RO.maniac said:
As I've said, my screen died. So I decided to dump the phone and cleaned my pc of flashtool, xperia companion and all that.
Some minutes ago I decided to try another flash because my mind was running scenarios about the facts before the screen just died. What happened exactly before: TWRP backup, updated flashtool at startup, flashed N preview 3, in order to get the log so I can see if that Hero7 bootloader is coming with N preview. And it is indeed.
Booted and the screen was flicking with white flashes on the edges. In a few minutes I saw a vertical black line and then it turned black, but backlight on.
Today I thought, what the hell, flash it again, maybe it's not a hw problem. But now I know it is
So I installed an older version of flashtool, 0.9.18.6, and flashed N preview. Still dead screen
But this version of flashtool RELOCKED my bootloader. I could see the code written to TA and I can flash with Xperia Companion. Too bad I don't have a screen.
One in all, just dump this discussion and everything about my friend's damned Z3. Just close the drawer, as I've done.
Maybe it is just a connection problem between the motherboard and the screen. I read your other post so it maybe is 'just' a bad connection (cleaning or flyed-up)?
Anyway thanks a lot for your time, I learned a lot from the information you provided! It will mostly help me for this project.
P.S.: don't forget I'm looking for a dev z3, broken screen is not a big deal for me. Contact me privately if your friend is ok to sell that phone to me.
P.S.2: just for fun:
if you take a look in the (critical) 7DA TA unit it looks like:
Code:
hexdump -C TA.img -s 0x0002073c -n 664
0002073c da 07 00 00 87 02 00 00 c1 e9 f8 3b ff ff ff ff |...........;....|
0002074c 73 eb 3d 40 59 80 18 1a 68 1a 33 84 5b a6 ad c3 |s.=@Y...h.3.[...|
0002075c 45 d3 66 47 02 00 05 0a 02 00 00 00 0a db 37 24 |E.fG..........7$|
0002076c 02 0c b2 c4 85 f4 c9 6c 21 f1 84 33 29 4d 27 ff |.......l!..3)M'.|
0002077c 81 20 a3 65 b6 40 3c 80 16 c9 4a e3 1b 59 d6 54 |. .e.@<...J..Y.T|
0002078c fa 50 37 82 f9 50 53 ce 1c dc aa fb 0b 98 96 e3 |.P7..PS.........|
0002079c 22 6a 02 00 00 00 0a d2 d9 95 24 b0 77 2b 91 59 |"j........$.w+.Y|
000207ac 59 f2 ee 30 a1 dc d9 88 c7 79 51 20 a2 19 73 0e |Y..0.....yQ ..s.|
000207bc 30 4c a1 29 94 4c 43 2b 8a cd 23 e9 3a 09 0b 03 |0L.).LC+..#.:...|
000207cc 06 74 6a 86 1f ce 97 ea 6c d0 b7 ba 00 90 4f 50 |.tj.....l.....OP|
000207dc 5f 49 44 3d 22 34 33 35 22 3b 4f 50 5f 4e 41 4d |_ID="435";OP_NAM|
000207ec 45 3d 22 43 75 73 74 6f 6d 69 7a 65 64 22 3b 43 |E="Customized";C|
000207fc 44 41 5f 4e 52 3d 22 31 32 38 38 2d 35 30 32 38 |DA_NR="1288-5028|
0002080c 22 3b 52 4f 4f 54 49 4e 47 5f 41 4c 4c 4f 57 45 |";ROOTING_ALLOWE|
0002081c 44 3d 22 31 22 3b 52 43 4b 5f 48 3d 22 46 41 45 |D="1";RCK_H="FAE|
0002082c 46 35 31 39 39 31 34 31 39 34 36 38 43 41 37 38 |F51991419468CA78|
0002083c 43 39 43 33 37 30 38 35 36 31 36 43 42 33 31 39 |C9C37085616CB319|
0002084c 42 39 46 36 36 45 30 35 30 45 34 33 31 38 34 37 |B9F66E050E431847|
0002085c 41 39 41 34 36 46 43 33 39 44 42 41 34 22 00 43 |A9A46FC39DBA4".C|
0002086c 53 45 52 56 45 52 49 44 3d 22 62 6d 63 73 65 63 |SERVERID="bmcsec|
0002087c 73 30 33 22 3b 41 55 54 48 43 45 52 54 3d 22 55 |s03";AUTHCERT="U|
0002088c 4e 4b 4e 4f 57 4e 22 3b 54 49 4d 45 53 54 41 4d |NKNOWN";TIMESTAM|
0002089c 50 3d 22 31 35 30 34 30 39 20 32 30 3a 33 31 3a |P="150409 20:31:|
000208ac 35 38 22 00 09 00 07 30 30 31 30 31 2d 2a 00 00 |58"....00101-*..|
000208bc 00 00 00 00 00 00 00 00 00 00 02 00 00 00 0a 4e |...............N|
000208cc d0 29 6b 2c bf 7b ec 14 0b bb 94 f5 9c fa 62 6a |.)k,.{........bj|
000208dc 1c 02 61 20 6d 79 f5 a7 3e ca c6 6e 30 69 30 f7 |..a my..>..n0i0.|
000208ec c3 a4 80 1e 60 bc ba e8 59 7d 5e 99 55 c4 47 e9 |....`...Y}^.U.G.|
000208fc f5 f5 58 be 02 00 00 00 0a 36 04 d9 c2 fd 86 a1 |..X......6......|
0002090c a1 3c 91 c1 d0 8d bb 35 ab a6 b1 10 f0 20 67 0e |.<.....5..... g.|
0002091c dc a5 62 dd 45 db 51 1e eb 6e f7 c6 95 58 f1 d4 |..b.E.Q..n...X..|
0002092c 39 73 5d 53 c5 22 14 b2 06 be 0c 01 ea 5f 02 00 |9s]S."......._..|
0002093c 00 00 0a 22 39 fe 4a f7 2e 93 6d a7 70 5d 3e 53 |..."9.J...m.p]>S|
0002094c a3 11 6c 96 70 84 18 20 3a 17 7b 00 05 63 1b fc |..l.p.. :.{..c..|
0002095c 6b 96 a4 e2 22 33 e2 05 7a 38 7b 72 81 60 ee ec |k..."3..z8{r.`..|
0002096c f9 da 55 c8 c1 81 e7 bd 02 00 00 00 0a cc 10 ff |..U.............|
0002097c a1 49 75 63 f3 c9 ee 40 fa d8 ac 09 65 b6 e6 dc |.Iuc...@....e...|
0002098c a3 20 9c 57 33 bf 51 c3 ff 29 20 78 fa 57 2c 69 |. .W3.Q..) x.W,i|
0002099c a5 97 52 fc 33 fa 97 f6 3d 5d 38 89 e0 d7 34 1c |..R.3...=]8...4.|
000209ac 95 eb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000209bc 00 00 14 57 0a e6 ee af 30 a1 e8 57 69 59 10 22 |...W....0..WiY."|
000209cc 6f 78 32 5c 5c f4 0b ff |ox2\\...|
000209d4
There is an RCK_H key. With the script provided here I entered your unlock code and the script answered this:
Code:
RCK_H="FAEF51991419468CA78C9C37085616CB319B9F66E050E431847A9A46FC39DBA4"
When you enter 'fastboot oem unlock <key>' the key is computed by s1 and compared to this information.
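Added example (not flashtool's code and not the script mentioned in the post): a walker for the record layout visible in the two 8B2 dumps above, which lists the units whose payload is plain printable text, i.e. what a shared TA backup lets any reader see. The field meanings (little-endian unit ID, little-endian payload length, eight constant bytes) and the 4-byte alignment are inferred from the quoted bytes and are assumptions; unit 0x1234 and the surrounding 0xFF fill are constructed test data.

```python
import struct

# Layout inferred from the records quoted in the post (an assumption):
# unit id (LE u32), payload size (LE u32), 8 constant bytes, then the payload.
HEADER = struct.Struct("<II8s")
MARKER = bytes.fromhex("C1E9F83BFFFFFFFF")

# Unit 0x8B2 exactly as quoted in the post, from two different TA partitions.
UNIT_8B2_A = bytes.fromhex(
    "B2080000 10000000 C1E9F83BFFFFFFFF 34383146443330303934423646324643")
UNIT_8B2_B = bytes.fromhex(
    "B2080000 10000000 C1E9F83BFFFFFFFF 43383846423246464343453732353430")


def make_unit(unit_id, payload):
    """Build one record, padded to 4 bytes (used only to construct test input)."""
    pad = -len(payload) % 4
    return HEADER.pack(unit_id, len(payload), MARKER) + payload + b"\xff" * pad


# Constructed image: erased flash (0xFF), both quoted records, and a made-up
# binary unit (id 0x1234) with an odd length to exercise the padding rule.
SAMPLE_IMAGE = (b"\xff" * 8 + UNIT_8B2_A
                + make_unit(0x1234, b"\x00\x01\x02\x03\x04") + UNIT_8B2_B)


def iter_units(blob):
    """Yield (offset, unit_id, payload) for every complete record in blob."""
    off = 0
    while off + HEADER.size <= len(blob):
        unit_id, size, marker = HEADER.unpack_from(blob, off)
        end = off + HEADER.size + size
        if marker != MARKER or end > len(blob):
            off += 4              # no complete record starts here, keep scanning
            continue
        yield off, unit_id, blob[off + HEADER.size:end]
        off = (end + 3) & ~3      # next record on a 4-byte boundary (assumed)


def printable_units(blob):
    """Units whose entire payload is printable ASCII."""
    return [(off, unit_id, payload.decode("ascii"))
            for off, unit_id, payload in iter_units(blob)
            if payload and all(0x20 <= b < 0x7F for b in payload)]


if __name__ == "__main__":
    for off, unit_id, text in printable_units(SAMPLE_IMAGE):
        print("offset 0x%x unit 0x%X: %s" % (off, unit_id, text))
```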