Hey guys, curiosity got the better of me and I did some research into unlocking the bootloader when it says no.
I remember from the Xperia U forums that XperianPro was looking at this and got people to back up their TA partition and view it in Notepad++; this is shown in a hexadecimal format, which is difficult to edit.
I took a new approach and decided to use the adb command
Code:
dd if=/dev/block/mmcblk0p1 of=/mnt/sdcard/ta.img
to get a .img of the ta partition which is loaded to mmcblk0p1 (on the T anyway)
When I opened this in Notepad++, I found a whole lot more human-readable stuff in the TA partition.
I did find
Code:
ROOTING_ALLOWED="0"
As I recall from XperianPro's thread, they did see this, and AFAIK some tried changing it to 1 and it caused a hard brick. But from using my method I think I found something else that will lead to the solution.
I found a Signature Value section
Code:
<SignatureValue>Uf7ztzGcQiKz5ivqLEG0Emxhh/9L0C0doeq1HlJIIamuyLiU8kmHxfxytPlzCVYC68jz0WWdRVsL
jaN62bvED6ZmUDETiUQa/mlytNFv2n8Ffv7ihXMay9uebxnme77JzThpWOrSXGP1odiMhvgft3xq
k9tAZKqAzChvy8LYruPXVB8dL1hl0wN3MrPrD4Dd+1WvTeXiTPJMmbftzLYy+HOaJw5oKmamHJRb
U6ejjC4eBgORvdmMddekkSd5JMMZ4ki6CBWU8SPK7eAebxUUXs1vT19gzjEIxiVt3fRnw680D4Fv
5zNB7Wy++y1dcqYyBEPEq9jVGwamcintj/fI9A==</SignatureValue>
I believe this is the signature of the file, and changing the value of rooting allowed to 1 would obviously change the signature of the file, and I don't think they recalculated a signature in the other thread. From what I can gather from my ta.img, it uses a sha1 key verification method (I think).
Sooooo.... Any help or insight would be great
I'm going to keep looking at this for the next few days and see what I find.
I don't think this has been covered regarding looking into an unofficial unlock, If it has then I must have missed it haha, and I'm probably barking mad. I also wanted to keep this separate from the bounty thread as that's about a bounty
If I remember correctly, however I may be wrong, but that signature is an SHA hashed version of the unlock code provided by Sony. Not sure which version of SHA, also may be salted. But do check/find out more, I may be wrong.
Sent from my LT30p using xda app-developers app
Thanks for looking into this for us people not allowed to unlock our bootloaders!
I believe if u crack this the bounty would rightfully be yours? I certainly would gladly give you my donation if you crack it.
Good luck
Very interesting thread. I hope this is the right way to unlock bootloader even for those who can't.
DS-1 said:
Very interesting thread. I hope this is the right way to unlock bootloader even for those who can't.
No.
This has been tried before and it results in a hard brick.
Simply changing a value from 0 to 1 is way too simple.
gregbradley said:
No.
This has been tried before and it results in a hard brick.
Simply changing a value from 0 to 1 is way too simple.
that's why I think this Signature Value has something to do with it
matt4321 said:
that's why I think this Signature Value has something to do with it
Well, best of luck with that
On the one hand, bear in mind that kexec is being developed (on and off development, really). I'd suggest that you get your unlock code from Sony, and the original one for the ta you got unlocked and start finding out what the various hashes of it are, might be you end up with one that matches that section, then hash your code with the same way, then do some magic the ta area
Just a thought.
Sent from my LT30p using xda app-developers app
Maybe simlock.ta, could be helpful.
There were some cases, when rooting allowed changed to yes after update.
It probably flashes only with the right values or what?
Simlock.ta in HEX -
Code:
// [SIMLOCK S1]
02
000007DA 0146 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 02 00 05 0A 02 00 00 00 0A 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 02 00 00 00 0A 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 47 4F 50
5F 49 44 3D 22 31 38 37 22 3B 4F 50 5F 4E 41 4D
45 3D 22 4F 72 61 6E 67 65 20 50 4C 22 3B 43 44
41 5F 4E 52 3D 22 31 32 36 38 2D 33 31 36 34 22
3B 52 4F 4F 54 49 4E 47 5F 41 4C 4C 4F 57 45 44
3D 22 30 22 3B 00 00 00 09 00 07 30 30 31 30 31
2D 2A 00 00 00 00 00 0B 00 07 32 36 30 30 33 2D
2A 00 00 00 00 00 00 00 00 02 00 00 00 0A 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 02 00 00 00 0A 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00
00 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 02 00 00 00 0A 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00
Simlock.ta in ASCII -
Code:
// [SIMLOCK S1]
02
(symbol)2010 (+)326(symbols) something...GOP_ID="187";OP_NAME="Orange PL";CDA_NR="1268-3164";ROOTING_ALLOWED="0";00101-* 26003-*...something
Just some idea.
is it reliable?
Looks promising. But [email protected] said this is too risky. Unless someone is willing to make a sacrifice for it. But come to think of it, it had some potential for bootloaders not allowed for unlocking.
Sent from my LT29i using XDA Premium 4 mobile app
I'm down to use my prototype Xperia T LT30a as a guinea pig for this experiment, but obviously only if some advancement is made to the current theory (Signature verification relationship, etc.). If the dev is somewhat confident/comfortable, then so am I. I have my Xperia L as a backup unit if my T gets destroyed.
LaZiODROID said:
I'm down to use my prototype Xperia T LT30a as a guinea pig for this experiment, but obviously only if some advancement is made to the current theory (Signature verification relationship, etc.). If the dev is somewhat confident/comfortable, then so am I. I have my Xperia L as a backup unit if my T gets destroyed.
this is good, I'm still looking into the relationship between unlock keys, signature value and other things
Ok. I just tested one thing. The same way, I can relock bootloader, I can also reunlock bootloader, using the unlocking number from Sony in hex format.
Anyone tested to get the number from Sony site and flash it with preset.ta?
This is preset.ta for reunlocking - replace ** with hex symbols of your unlocking number
Code:
// [ReUnlock bootloader]
02
000008B2 0010 ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** **
This is simlock.ta, which can be theoretically renamed to preset.ta and flashed, but who knows what happens.
Weird is, that each simlock.ta has different number of symbols.
HEX:
Code:
// [SIMLOCK S1]
02
000007DA 0141 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 02 00 05 0A 02 00 00 00 0A 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 02 00 00 00 0A 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 4D 4F 50
5F 49 44 3D 22 38 32 34 32 22 3B 4F 50 5F 4E 41
4D 45 3D 22 43 75 73 74 6F 6D 69 7A 65 64 20 43
45 31 22 3B 43 44 41 5F 4E 52 3D 22 31 32 36 38
2D 33 31 39 34 22 3B 52 4F 4F 54 49 4E 47 5F 41
4C 4C 4F 57 45 44 3D 22 31 22 3B 00 00 00 09 00
07 30 30 31 30 31 2D 2A 00 00 00 00 00 00 00 00
00 00 00 00 02 00 00 00 0A 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00
00 00 0A 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 02 00 00 00 0A 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 02 00 00 00 0A 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00
ASCII:
Code:
something...OP_ID="8242";OP_NAME="Customized CE1";CDA_NR="1268-3194";ROOTING_ALLOWED="1";...something
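The text layout of the simlock.ta and preset.ta dumps posted above (a comment line, a partition byte, then a unit ID, a 16-bit length and the data bytes) can be read and compared programmatically. The following Python is an added example, not part of the original thread or of any Sony tool: a read-only parser that checks each unit's declared length against the bytes actually present and diffs two dumps of the same unit, as the thread proposes for unit 7DA. The layout is inferred from the dumps on this page; the sample data and all function names are constructed for the illustration.

```python
import re
from dataclasses import dataclass

# Keys visible in the simlock.ta dumps on this page.
FIELD_RE = re.compile(rb'(OP_ID|OP_NAME|CDA_NR|ROOTING_ALLOWED)="([^"]*)";')
# "000007DA 0146 00 00 ...": unit ID, declared length, first data bytes.
UNIT_START = re.compile(
    r'^([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{4})((?:\s+[0-9A-Fa-f]{2})*)$')
# Continuation line (or the lone partition byte such as "02").
BYTE_LINE = re.compile(r'^[0-9A-Fa-f]{2}(?:\s+[0-9A-Fa-f]{2})*$')


@dataclass
class TaUnit:
    partition: int
    unit_id: int
    declared_len: int   # e.g. 0x0146 = 326 bytes in the first dump above
    data: bytes = b""

    @property
    def length_ok(self) -> bool:
        """True when the byte count matches the length field."""
        return len(self.data) == self.declared_len

    def fields(self) -> dict:
        """KEY="value"; pairs embedded in the unit's data."""
        return {k.decode("ascii"): v.decode("ascii", "replace")
                for k, v in FIELD_RE.findall(self.data)}


def parse_ta(text: str) -> list:
    """Parse the textual .ta layout into TaUnit objects (assumed layout)."""
    units, partition, current = [], None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("//"):
            continue                                  # blank or comment line
        m = UNIT_START.match(line)
        if m:
            if partition is None:
                raise ValueError(f"line {lineno}: unit before partition byte")
            current = TaUnit(partition, int(m.group(1), 16),
                             int(m.group(2), 16), bytes.fromhex(m.group(3)))
            units.append(current)
        elif BYTE_LINE.match(line):
            if current is None:
                partition = int(line, 16)             # the "02" line
            else:
                current.data += bytes.fromhex(line)   # continuation bytes
        else:
            raise ValueError(f"line {lineno}: unrecognised content {line!r}")
    return units


def diff_units(a: TaUnit, b: TaUnit) -> list:
    """(offset, byte_in_a, byte_in_b) for each differing position."""
    return [(i, x, y) for i, (x, y) in enumerate(zip(a.data, b.data)) if x != y]


def compare_dumps(before_text: str, after_text: str) -> list:
    """Human-readable findings for two dumps of the same units."""
    before = {u.unit_id: u for u in parse_ta(before_text)}
    findings = []
    for unit in parse_ta(after_text):
        tag = f"unit {unit.unit_id:08X}"
        if not unit.length_ok:
            findings.append(
                f"{tag}: declared {unit.declared_len} bytes, found {len(unit.data)}")
        old = before.get(unit.unit_id)
        if old is None:
            findings.append(f"{tag}: not present in first dump")
            continue
        for off, x, y in diff_units(old, unit):
            findings.append(f"{tag}: offset 0x{off:02X} {x:02X} -> {y:02X}")
        old_f, new_f = old.fields(), unit.fields()
        for key in sorted(set(old_f) | set(new_f)):
            if old_f.get(key) != new_f.get(key):
                findings.append(
                    f"{tag}: {key} {old_f.get(key)!r} -> {new_f.get(key)!r}")
    return findings


# Constructed sample (not a real device dump): 36-byte unit 7DA holding
# OP_ID="1";ROOTING_ALLOWED="0"; with zero padding around it.
SAMPLE_LOCKED = """
// [constructed sample]
02
000007DA 0024 00 00 00 00 4F 50 5F 49 44 3D 22 31 22 3B 52 4F
4F 54 49 4E 47 5F 41 4C 4C 4F 57 45 44 3D 22 30 22 3B 00 00
"""
# Same unit with the flag byte 0x30 ('0') replaced by 0x31 ('1').
SAMPLE_ALLOWED = SAMPLE_LOCKED.replace("3D 22 30 22", "3D 22 31 22")
# Same unit with the last byte missing, to exercise the length check.
SAMPLE_TRUNCATED = SAMPLE_LOCKED.rstrip()[:-3]

if __name__ == "__main__":
    for finding in compare_dumps(SAMPLE_LOCKED, SAMPLE_ALLOWED):
        print(finding)
    print(compare_dumps(SAMPLE_LOCKED, SAMPLE_TRUNCATED))
```
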
I found that they use some of these algorithms: http://www.w3.org/TR/xmlsec-algorithms/ to make the ta secure.
So I'm thinking we try do it in reverse with an unlocked ta and key then we would know what to do in the correct order....? thoughts?
There are some from this signed info bit but there are a few more lurking around
Code:
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
</CanonicalizationMethod>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1">
</SignatureMethod>
<Reference URI="#node">
<Transforms>
<Transform Algorithm="http://www.octopus-drm.com/octopus/specs/cbs-1_0"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1">
</DigestMethod>
<DigestValue>axQveCiPf9Q7wn958RRi5ohD130=</DigestValue>
</Reference>
</SignedInfo>
@peetr_
Yeah my simunlock.ta looks different, I'm confused between the connection (if any) of these.
I also have a different OP_ID="8242" to you, mine is 24, not sure of the significance of that.....
EDIT: It also seems they are using the W3 digital signature initiative: http://www.w3.org/PICS/DSig/RSA-SHA1_1_0.html
I guess that the signature is unbreakable. These signature things in TA has probably something to do with drm keys, and other similar things. System takes it from here.
I think the only way to get somewhere, is finding some workaround or hole, using sony way of changing things in TA partition. But maybe, some of these parts could be never changed. Who knows?
Well. Changing rooting status with preset.ta is nothing special. It is possible. You only need good nerves. And dump of whole 7DA address from your TA.
I just changed 1 to 0.
Side effect is no mobile service. I guess you have to choose - unlocked bootloader without mobile service or locked bootloader with mobile service.
Changing 0 to 1 makes service available again.
As you can see, I tested it on already unlocked bootloader (locking it permanently). So I don't know if it works backwards. But I do not see any reason, why not.
You only need another tester. I did all I could.
And it would be good, if someone with unlockable bootloader dumps his 7DA before first unlock and compares it with 7DA after unlocking. Or compare with restored not unlocked TA.
And yes, with rooting allowed 0, fastboot and custom kernels are no longer working for me, even if I flash my unlocking number with preset.ta.
peetr_ said:
Well. Changing rooting status with preset.ta is nothing special. It is possible. You only need good nerves. And dump of whole 7DA address from your TA.
I just changed 1 to 0.
Side effect is no mobile service. I guess you have to choose - unlocked bootloader without mobile service or locked bootloader with mobile service.
Changing 0 to 1 makes service available again.
As you can see, I tested it on already unlocked bootloader (locking it permanently). So I don't know if it works backwards. But I do not see any reason, why not.
You only need another tester. I did all I could.
And it would be good, if someone with unlockable bootloader dumps his 7DA before first unlock and compares it with 7DA after unlocking. Or compare with restored not unlocked TA.
And yes, with rooting allowed 0, fastboot and custom kernels are no longer working for me, even if I flash my unlocking number with preset.ta.
If changing it loses mobile service, would changing it to unlock and then restoring after bring back mobile service? Thoughts?
Sent from my LT30p using Tapatalk
Yes, but you will be locked again.
Btw. if nothing, you can at least root and test things this way. I think this procedure is not for everyone, but once you make your unlock and lock ftf, you can change your device's state very easily.
Comparison between 7DA before and after first unlock would be better, just to be sure.
But if you have your TA backed up, to change it back to previous state, I think there's nothing to break.
And one more thing. It looks to me that flashmode cannot be broken. Am I right? So you can always flash something.
peetr_ said:
And one more thing. It looks to me that flashmode cannot be broken. Am I right? So you can always flash something.
I seem to recall in the Xperia U forum that some bricks were made from tampering with the TA, if a bad/corrupt TA is flashed then you can't get into flashmode. That's what was established from the U forums
Related
The Device Typhoon/Tornado/Wizard use the alike method of the building of the file nk.nbf.
The Headline where is found information on section and other data.
See http://wiki.xda-developers.com/index.php?pagename=TyphoonNbfFormat.
For Typhoon (ROMUpdateUtility) to versions from 0.9.xx before 1.2.xx had a size of the headline 200(Hex) byte.
See
Code:
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
00000000 48 54 43 00 00 00 00 00 00 00 00 00 00 00 00 00 HTC
00000010 53 54 32 30 43 00 00 00 00 00 00 00 00 00 00 00 ST20C
00000020 31 2E 31 2E 32 33 2E 38 34 00 00 00 00 00 00 00 1.1.23.84
00000030 47 45 52 4D 41 4E 00 00 00 00 00 00 00 00 00 00 GERMAN
00000040 31 2E 31 2E 32 33 2E 38 34 00 00 00 00 00 00 00 1.1.23.84
00000050 53 50 4C 00 00 00 00 00 00 00 00 00 00 00 00 00 SPL
00000060 00 00 00 91 00 00 0C 00 87 12 BF 95 49 50 4C 00 ‘ ‡ ¿•IPL
00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90
00000080 00 08 00 00 1B 4C 75 C2 53 70 6C 61 73 68 20 53 LuÂSplash S
00000090 63 72 65 65 6E 00 00 00 00 00 00 92 00 00 02 00 creen ’
000000A0 F9 06 9C 02 47 53 4D 00 00 00 00 00 00 00 00 00 ù œ GSM
000000B0 00 00 00 00 00 00 00 96 00 00 29 00 6F A2 23 76 – ) o¢#v
000000C0 4F 53 00 00 00 00 00 00 00 00 00 00 00 00 00 00 OS
000000D0 00 00 04 82 00 00 B0 01 94 5A 37 4D 00 00 00 00 ‚ ° ”Z7M
000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000F0 00 00 00 00 00 00 00 00 05 00 00 00 11 00 00 00
00000100 54 2D 4D 4F 42 30 30 31 00 00 00 00 00 00 00 00 T-MOB001
00000110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000001A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000001B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000001C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000001D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000001E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000001F0 00 00 00 00 00 00 00 00 00 00 00 00 89 D3 7F FF ‰Óÿ
use for decryption ROM TyphoonNbfTool_03.exe.
For Typhoon (new Rom T-mobile SDA), Tornado and Wizard (Prodigy) - (ROMUpdateUtility) to versions 2.0.x have a size of the headline 400(Hex)
See
Code:
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
00000000 48 54 43 00 00 00 00 00 00 00 00 00 00 00 00 00 HTC
00000010 50 72 6F 64 69 67 79 00 00 00 00 00 00 00 00 00 Prodigy
00000020 31 2E 36 2E 32 2E 34 00 00 00 00 00 00 00 00 00 1.6.2.4
00000030 57 57 45 00 00 00 00 00 00 00 00 00 00 00 00 00 WWE
00000040 31 2E 30 36 00 00 00 00 00 00 00 00 00 00 00 00 1.06
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000E0 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00
000000F0 00 00 00 00 01 00 00 00 0C 00 00 00 11 00 00 00
00000100 57 49 5A 54 4D 4F 30 34 00 00 00 00 00 00 00 00 WIZTMO04
00000110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000001A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000001B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000001C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000001D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000001E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000001F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000200 07 00 00 00 49 50 4C 00 00 00 00 00 00 00 00 00 IPL
00000210 00 00 00 00 00 00 00 90 00 08 00 00 80 AE 96 39 €®–9
00000220 53 50 4C 00 00 00 00 00 00 00 00 00 00 00 00 00 SPL
00000230 00 00 00 91 00 00 0C 00 40 2B 7F DE 47 53 4D 00 ‘ @+ÞGSM
00000240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 96 –
00000250 00 00 28 00 14 4F BE 4B 4F 53 00 00 00 00 00 00 ( O¾KOS
00000260 00 00 00 00 00 00 00 00 00 00 04 80 00 00 90 03 €
00000270 A8 09 20 D3 53 70 6C 61 73 68 20 53 63 72 65 65 ¨ ÓSplash Scree
00000280 6E 00 00 00 00 00 00 92 00 00 03 00 6F A0 78 CB n ’ o*xË
00000290 45 78 74 65 6E 73 69 6F 6E 20 52 4F 4D 00 00 00 Extension ROM
000002A0 00 00 00 9B 00 00 A0 00 3D 4D 94 2C 48 54 43 20 › * =M”,HTC
000002B0 4C 6F 67 6F 00 00 00 00 00 00 00 00 00 00 00 9D Logo
000002C0 00 00 01 00 A5 F0 3C 09 00 00 00 00 00 00 00 00 ¥ð<
000002D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000002E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000002F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000300 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000310 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000320 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000340 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000350 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000360 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000370 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000380 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000003A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000003B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000003C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000003D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000003E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000003F0 00 00 00 00 00 00 00 00 00 00 00 00 97 AC 6C AD —¬l*
use for decryption ROM TyphoonNbfTool_04.exe.
Presently HTC Wizard (Prodigy) - (K-jam test ROM on xda-developers and ROM K-JAMin on ftp://ftp.clubimate.com/ and etc) has changed headline for ROMUpdateUtility versions 2.5.x - has a size 800(Hex)
See
Code:
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
00000000 48 54 43 00 00 00 00 00 00 00 00 00 00 00 00 00 HTC
00000010 50 4D 33 30 30 00 00 00 00 00 00 00 00 00 00 00 PM300
00000020 31 2E 30 2E 39 2E 31 31 34 00 00 00 00 00 00 00 1.0.9.114
00000030 57 57 45 00 00 00 00 00 00 00 00 00 00 00 00 00 WWE
00000040 31 2E 30 00 00 00 00 00 00 00 00 00 00 00 00 00 1.0
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000E0 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00
000000F0 00 00 00 00 00 00 00 00 0D 00 00 00 11 00 00 00
00000100 50 52 4F 43 44 4C 30 31 00 00 00 00 00 04 00 00 PROCDL01
00000110 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000001A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000001B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000001C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000001D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000001E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000001F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000250 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000270 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000280 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000002A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000002B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000002C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000002D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000002E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000002F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000300 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000310 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000320 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000340 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000350 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000360 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000370 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000380 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000003A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000003B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000003C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000003D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000003E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000003F0 00 00 00 00 00 08 68 04 07 02 03 46 71 E3 07 4E h Fqã N
00000400 07 00 00 00 53 50 4C 00 00 00 00 00 00 00 00 00 SPL
00000410 00 00 00 00 00 00 00 91 00 00 0C 00 AA B6 B6 CF ‘ ª¶¶Ï
00000420 00 08 00 00 01 00 00 00 49 50 4C 00 00 00 00 00 IPL
00000430 00 00 00 00 00 00 00 00 00 00 00 90 00 08 00 00
00000440 F6 D2 9A 46 00 08 0C 00 01 00 00 00 47 53 4D 00 öÒšF GSM
00000450 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 96 –
00000460 00 00 28 00 04 1E 44 11 00 10 0C 00 00 00 00 00 ( D
00000470 4F 53 00 00 00 00 00 00 00 00 00 00 00 00 00 00 OS
00000480 00 00 04 80 00 00 90 03 C0 94 12 FB 00 10 34 00 € À” û 4
00000490 00 00 00 00 53 70 6C 61 73 68 20 53 63 72 65 65 Splash Scree
000004A0 6E 00 00 00 00 00 00 92 00 00 03 00 5D 63 3E 65 n ’ ]c>e
000004B0 00 10 C4 03 00 00 00 00 45 78 74 65 6E 73 69 6F Ä Extensio
000004C0 6E 20 52 4F 4D 00 00 00 00 00 00 9B 00 00 A0 00 n ROM ›
000004D0 41 CB FA 5C 00 10 C7 03 00 00 00 00 48 54 43 20 AËú\ Ç HTC
000004E0 4C 6F 67 6F 00 00 00 00 00 00 00 00 00 00 00 9D Logo
000004F0 00 00 01 00 6E AA 8B 6D 00 10 67 04 00 00 00 00 nª‹m g
00000500 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000510 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000520 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000530 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000540 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000550 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000560 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000570 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000580 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000590 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000005A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000005B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000005C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000005D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000005E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000005F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000600 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000610 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000620 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000630 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000640 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000650 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000660 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
..............................................................................
..............................................................................
000007B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000007C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000007D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000007E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000007F0 00 00 00 00 00 00 00 00 00 00 00 00 51 6A 7F 06 Qj
The Program TyphoonNbfTool with opened by code -for new headline necessary to change the program.
http://cvs.sourceforge.net/viewcvs.py/nbftools/TyphoonNbfTool/
Here, there is programmers who can do this correct ?
You may decode the headline for (Wizard 800H byte) for study - using program cpuHdrDec.exe (many thanks Onk for help).
Source code is enclosed.
Use : cpuHdrDec.exe <file.nbf>decode_header_outfile
So what does this mean?......can we modify/add or change the basic applications between?...
I have also seen headers of size 0x400.
not sure if it is correct, but i assume that the byte at 0xf8 functions like a header version.
i made a new version of typhoonnbfdecode.pl that understands the larger headers.
another change is that in the latest wizard rom, there are 2 copies of the spl and ipl, one for the 'g3' model, one for the 'g4' model.
willem
Thank you itsme -I converted perl in exe file .
hdubli cpuHdrDec.exe -this only for study of the headline
i found what the 'g4' and 'g3' model means, it refers to the type of 'disk-on-chip' used.
willem
this refers to type DOC - G4 or G3?
http://www.m-sys.com/site/en-US/Sup...electedProduct=mDiskOnChipG3&selectedType=All
http://www.m-sys.com/site/en-US/Sup...selectedProduct=DiskOnChipG4&selectedType=All
itsme said:
I have also seen headers of size 0x400.
not sure if it is correct, but i assume that the byte at 0xf8 functions like a header version.
i made a new version of typhoonnbfdecode.pl that understands the larger headers.
another change is that in the latest wizard rom, there are 2 copies of the spl and ipl, one for the 'g3' model, one for the 'g4' model.
willem
Hi Willem!
This code can extract modules fine. But there is still a problem with coding to .nbf and sd image.. Can you add keys for Wizard?
the wizard uses the same keys as tornado / charmer / prodigy.
encoding the larger headers i still have to do. ... when i find the time and need to do so.
willem
From qtek S200
RUU_Prophet_2090724_20907106_020720_QtekWWE_Ship
Code:
48544300000000000000000000000000 - HTC.............
50726f70686574000000000000000000 - Prophet.........
322e392e372e31303600000000000000 - 2.9.7.106.......
57574500000000000000000000000000 - WWE.............
322e3900000000000000000000000000 - 2.9.............
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000002000000 - ................
00000000000000000d00000011000000 - ................
50524f51544b30310000000000040000 - PROQTK01........
03000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
000000000010740459edb8d121122d3a - ......t.Yφ╕╤!..:
blversion 322e39
device Prophet
entrycount 0
extralist
Stranger yet Prophet Doesn't list the contents of the nbf in the header.
Also the number of sections returns as 0
From analysing RUU output I've found this nk.nbf has the following sections:
Code:
ruuflashdoc 91000000 c0000 5e443726 SPL
ruuflashdoc 90000000 800 15593234 IPL
ruuflashdoc 96000000 280000 fc466813 GSM
ruuflashdoc 80040000 3900000 757e3094 OS
ruuflashdoc 92000000 30000 140d16aa Splash
ruuflashdoc 9b000000 a00000 da2d783f ExtRom
ruuflashdoc 9d000000 10000 6d8baa6e HTC Logo
Bye,
Ricardo
EDIT: Added code section formatting
Another tidbit of info.
The header That I listed in the previous post goes from 0x0000 to 0x7FF. The rom sections follow, having no spacing between them...
Hypothesis:
The Sections offsets are hardcoded in the RUUUpdate now...
Couldn't find any info of them though...
Hypothesis wrong... The section still exists
I'm trying to decode it right now...
Bye now,
Ricardo
Checked the RuuUpdateUtil Header decoding:
The Decoding table values are the same from both
After debugging a RuuUpdateUtil header decode:
The decoding from itsme script is equivalent to the one on this "New" header type file
In other news:
RIP: HTC Prophet no. 1... You'll be missed
Hehe... I'm a jackass...
itsme's perl script works on the new rom... (Was not using -tp option...)
Code:
48544300000000000000000000000000 - HTC.............
50726f70686574000000000000000000 - Prophet.........
322e392e372e31303600000000000000 - 2.9.7.106.......
57574500000000000000000000000000 - WWE.............
322e3900000000000000000000000000 - 2.9.............
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000002000000 - ................
00000000000000000d00000011000000 - ................
50524f51544b30310000000000040000 - PROQTK01........
03000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
000000000010740459edb8d121122d3a - ......t.Yφ╕╤!..:
0900000053504c000000000000000000 - ....SPL.........
000000000000009100000c002637445e - .......æ....&7D^
000800000100000049504c0000000000 - ........IPL.....
00000000000000000000009000080000 - ...........É....
3432591500080c000100000053504c00 - 42Y.........SPL.
00000000000000000000000000000091 - ...............æ
00000c00da87a6de00100c0002000000 - ....┌çª▐........
49504c00000000000000000000000000 - IPL.............
000000900008000037e0383800101800 - ...É....7α88....
0200000047534d000000000000000000 - ....GSM.........
000000000000009600002800136846fc - .......û..(..hFⁿ
00181800000000004f53000000000000 - ........OS......
00000000000000000000048000009003 - ...........Ç..É.
94307e75001840000000000053706c61 - ö0~u..@.....Spla
73682053637265656e00000000000092 - sh Screen......Æ
00000300aa160d140018d00300000000 - ....¬.....╨.....
457874656e73696f6e20524f4d000000 - Extension ROM...
0000009b0000a0003f782dda0018d303 - ...¢..á.?x.┌..╙.
00000000485443204c6f676f00000000 - ....HTC Logo....
000000000000009d000001006eaa8b6d - .......¥....n¬ïm
00187304000000000000000000000000 - ..s.............
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
00000000000000000000000000000000 - ................
000000000000000000000000927d6781 - ............Æ}gü
!!! storedcrc=4ddbe507 calculatedcrc=d171d945
blversion 322e39
device Prophet
entrycount 9
flags 17
flags2 13
hdrcrc 0x4ddbe507
language WWE
magic HTC
operator PROQTK01
rest ♦ ♥
rest2
version 2.9.7.106
91000000 000c0000 5e443726 SPL_1
90000000 00000800 15593234 IPL_1
91000000 000c0000 dea687da SPL_2
90000000 00000800 3838e037 IPL_2
96000000 00280000 fc466813 GSM_0
80040000 03900000 757e3094 OS_0
92000000 00030000 140d16aa Splash Screen_0
9b000000 00a00000 da2d783f Extension ROM_0
9d000000 00010000 6d8baa6e HTC Logo_0
Here you go! A prophet NBF decoded!
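Added example (not from the thread and not itsme's script): a parser for the section table in the decoded header above, using the hex rows exactly as posted. The record layout (16-byte name followed by five little-endian 32-bit values) and the field names are inferred from the dump and the decoded listing, so treat them as assumptions; the layout check applies the earlier observation that the sections follow the 0x800-byte header with no spacing.

```python
import struct

# Hex column of the 21 rows of the decoded header dump above, starting at the
# row that holds the entry count (09000000). Copied from the post.
TABLE_HEX = """
0900000053504c000000000000000000
000000000000009100000c002637445e
000800000100000049504c0000000000
00000000000000000000009000080000
3432591500080c000100000053504c00
00000000000000000000000000000091
00000c00da87a6de00100c0002000000
49504c00000000000000000000000000
000000900008000037e0383800101800
0200000047534d000000000000000000
000000000000009600002800136846fc
00181800000000004f53000000000000
00000000000000000000048000009003
94307e75001840000000000053706c61
73682053637265656e00000000000092
00000300aa160d140018d00300000000
457874656e73696f6e20524f4d000000
0000009b0000a0003f782dda0018d303
00000000485443204c6f676f00000000
000000000000009d000001006eaa8b6d
00187304000000000000000000000000
"""

HEADER_SIZE = 0x800  # the thread states the header spans 0x0000-0x7FF

# Inferred layout (assumption): 16-byte NUL-padded name, then address, length,
# checksum, file offset and a variant index, all little-endian 32-bit values.
ENTRY = struct.Struct("<16s5I")


def parse_section_table(raw):
    """Return the section entries of a decoded NBF section table."""
    if len(raw) < 4:
        raise ValueError("table too short for an entry count")
    (count,) = struct.unpack_from("<I", raw, 0)
    # Reject a count that would read past the end of the supplied bytes.
    if count > (len(raw) - 4) // ENTRY.size:
        raise ValueError("entry count %d does not fit in %d bytes" % (count, len(raw)))
    sections = []
    for i in range(count):
        name, address, length, checksum, offset, index = ENTRY.unpack_from(
            raw, 4 + i * ENTRY.size)
        sections.append({
            "name": name.split(b"\0", 1)[0].decode("ascii", "replace"),
            "address": address,
            "length": length,
            "checksum": checksum,
            "offset": offset,
            "index": index,
        })
    return sections


def check_layout(sections, file_size=None):
    """Check that sections follow the header back to back, in table order.

    Returns (problems, end_offset); problems is empty for a consistent table.
    """
    problems = []
    expected = HEADER_SIZE
    for s in sections:
        if s["offset"] != expected:
            problems.append("%s_%d: offset 0x%x, expected 0x%x"
                            % (s["name"], s["index"], s["offset"], expected))
        expected = s["offset"] + s["length"]
    if file_size is not None and file_size != expected:
        problems.append("file is 0x%x bytes, table implies 0x%x" % (file_size, expected))
    return problems, expected


TABLE = bytes.fromhex("".join(TABLE_HEX.split()))
SECTIONS = parse_section_table(TABLE)

if __name__ == "__main__":
    for s in SECTIONS:
        print("%08x %08x %08x %s_%d (file offset 0x%x)" % (
            s["address"], s["length"], s["checksum"],
            s["name"], s["index"], s["offset"]))
    problems, end = check_layout(SECTIONS)
    print("file size implied by table: 0x%x" % end)
    print("layout problems:", problems or "none")
```

Passing the real size of an nk.nbf as `file_size` turns the same check into a quick truncation test before the file is handed to a flashing tool.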
Why are there 2 SPL's? and 2 IPL's?
I think this pertains to DOC -see above. Depending on type DOC is used or one or other SPL IPL.
You may look initial KITL output.
see
http://forum.xda-developers.com/viewtopic.php?t=43203
Code:
(CoreCon) 11:31:56 03/07/2005 W. Europe Standard Time: Download service map set to NONE; ignoring download request!
The Kernel Debugger is waiting to connect with target.
0 PID:0 TID:0 Searching for G3/P3 based DiskOnChip
0 PID:0 TID:0 Found G3P3-based DiskOnChip
0 PID:0 TID:0 Searching for G4 based DiskOnChip
0 PID:0 TID:0 Did Not find G4 based DiskOnChip
0 PID:0 TID:0 SAFTL was registred to manage the flash.
0 PID:0 TID:0 GetModelName- 80,85, Name is PU10
0 PID:0 TID:0 Searching for G3/P3 based DiskOnChip
0 PID:0 TID:0 Found G3P3-based DiskOnChip
0 PID:0 TID:0 Searching for G4 based DiskOnChip
0 PID:0 TID:0 Did Not find G4 based DiskOnChip
0 PID:0 TID:0 SAFTL was registred to manage the flash.
P.S. I may be mistaken on this question.
Think you're right Arc!
BTW: Nice to see you around here!
Bye,
Ricardo
Request if someone can inform us how to do the KITL debugging and see the log... Is this possible on the Wizard?
For this it is necessary to ask buzz_lightyear
Hi there. Sorry for pulling out this old thread. I'm making a flash tool for the Prophet, and didn't know about this thread, nor the programs you guys use. So I found out myself how to decrypt and use the header (0x800), and found out about the sections and everything.
But I still have one question about this: there are 2 SPLs and sometimes 2 IPLs in the header/ROM. How do I know which one goes to which phone? So far I've read it's dependent on the DOC, and whether it's a G3 or a G4. But how do I query the phone, so that I can interpret which DOC it has? And how do I know which SPL goes with the DOC then?
Hope someone can help me with this.
After fighting with the Tattoo for 2 hours I have finally flashed the device successfully.
Since there is no proper thread containing the exact procedure for this device, I'm going to explain it in a little detail, especially the things that are different on this device compared with other Android phones:
1. First we need to find a micro SD, normally this device comes with a 2gb Sandisk micro SD, this will be fine.
2. We need to format the microSD to FAT32, so remember to save your files before going on.
3. After the format, we need to create a GoldCard with this SD Card. Basically this is a "transformation procedure". You can find the method here: http://forum.xda-developers.com/showthread.php?t=572683 but I'm going to explain it based on Tattoo
Creating the Gold Card:
4. We need the android-sdk tools, we can find them here: http://developer.android.com/sdk/index.html download them, and unzip in a folder maybe in C:\androidtools
5. Go to the command line (Start->Execute->write cmd and OK), and there go to where you unzipped the android-sdk tools, for example cd c:\androidtools\tools
6. Run this command "adb shell cat /sys/class/mmc_host/mmc1/mmc1:*/cid" if you had the microSD in the drive you will find a long number like:
532600bd227d9c0347329407514d5402
7. Go to this page to reverse it: http://hexrev.soaa.me/ and copy the code reversed:
In our example it will be: 00544d5107943247039c7d22bd002653
8. Go to this page to generate your GoldCard image: http://psas.revskills.de/?q=goldcard
Enter your reversed number and your email. You will receive an email with a file called "goldcard.img"
9. Now you need an Hex editor like HXD. Download it from: http://download.cnet.com/HxD-Hex-Editor/3000-2352_4-10891068.html?tag=mncol
10. Exactly the same as the instructions I pasted above:
11. Install and launch HxD Hex Editor program. (make sure you use "Run as Administrator" under Vista and win 7)
12. Go to Extra tab > Open Disk. Under Physical disk, select Removable Disk (must be your SD card), uncheck “Open as Readonly”, click OK. (BEWARE, IT MUST BE UNDER PHYSICAL DISK, NOT LOGICAL DISK; THIS MISTAKE CAUSED ME BIG PROBLEMS)
13. Go to Extra again, Open Disk Image, open up goldcard.img which you’ve saved/unzipped earlier.
Now, you should have two tabs, one is your removable disk, the other is goldcard.img. Press OK when prompted for “Sector Size” 512 (Hard disks/Floppy disks), click OK.
14. Click on goldcard.img tab. Go to Edit tab > Select All, edit tab again > copy.
15. Click on the “removable disk” tab. Select offset (line) 00000000 till offset (line) 00000170 (including the 00000170 line), click on Edit tab and then Paste Write.
16. Click on File > Save. now you can exit the program.
------------
17. Now with the gold card created (the microSD transformed) we must reboot the HTC Tattoo. When we press the "reboot" button we must press nearly at the same time the POWER OFF and VOLUME DOWN buttons at the SAME TIME!!!! It will enter a new menu called HBOOT
18. We press back button to go to fastboot USB mode
19. Now we have to start the flashing utility for example: http://rapidshare.com/files/292517090/RUU_Click_HTC_WWE_1.67.405.6_WWE_release_signed_NoDriver.exe
This was done on the 19th December 2009, but maybe in the future there will be newer flash releases, so this file will be replaced by the newer one.
19.1 If we get either Error 170 or 171 in the flashing process, follow this other guide to solve the issue: http://forum.xda-developers.com/showthread.php?t=646663
20. The flash will start and we must wait; it's better to do this process with 100% battery left
21. After 10 minutes, the flash will be done, and the HTC will reboot automatically with the Flashing done and everything OK!
-----------------------
Latest Official WWE Flashes for HTC Tattoo:
19.12.2009: http://rapidshare.com/files/292517090/RUU_Click_HTC_WWE_1.67.405.6_WWE_release_signed_NoDriver.exe
This is for all brand of HTC Tattoo? or only Orange?
can get root?
I have successfully flashed my Tattoo with your tutorial but still can't use my Wind (Italian) SIM. At every reboot it asks me for the unlock code, says "network succesful unlocked" and after that it continues to say "unlocking sim card", but it never stops!!
The data of my phone are those:
HBOOT-0.52.0001
MICROP-0203
RADIO-3.35.07.20
What can I do??
Tony2k do you have your simlock unlock code? Or did you just flash your rom hoping for the simlock to go away?
I have bought the unlock code but the problem it's that I can enter another code, like 12345678, and have always the message "network unlocked successful" and after it continue to say "unlocking sim card", exactly like with code that I have bought.
Well Tony, I am sorry but I can't help you here. I don't know what's wrong. I know that you have a few tries to enter the simlock unlock code and that after exceeding these attempts you will have to remove the simlock via USB cable (I don't know which software to use). What you can try is using a turbo SIM that you can get off eBay. I don't give you my word that it will work, but I have seen one or two people saying that it worked with the Tattoo locked to Orange UK. If ever you decide to try using the turbo SIM, let me know if it bypasses the simlock on the Tattoo.
Good luck man.
Great work MiSSigNNo.... u managed to carry out this impossible work as of now with success....
i have few questions to ask you. what made you flash your tattoo???
what advantage do you have at present over the previous ROM???
have u got into superuser mode with this procedure???
i am sure we all would like to know answers for these from you.... please be kind enough to reply to my post....
Manuvaidya:
1. To remove simlock successfully on orange uk htc tattoo, you are forced to flash the rom
2. If you were on orange uk, you will have an android with all the software that orange removed and it will be debranded. And knowing that it can be flashed this will encourage ppl to cook roms.
3. Unfortunately there is no way yet to get root access on the tattoo
Hope this helps you out mate
manuvaidya said:
Great work MiSSigNNo.... u managed to carry out this impossible work as of now with success....
i have few questions to ask you. what made you flash your tattoo???
what advantage do you have at present over the previous ROM???
have u got into superuser mode with this procedure???
i am sure we all would like to know answers for these from you.... please be kind enough to reply to my post....
No advantages actually, simply I hate much the mobile-branded roms. Also I tried my sim before I flashed to enter the unlock code and nothing happened, but after, I tried and then it asked me for the unlock code and I could manage to make it successfully.
I don't have the root-superuser mode. I'm sure there are plenty of opportunities with that, but we must look forward on finding the method to make it.
By the way, in my "experience" with past branded ROMs, they used to be slower since they had plenty of ****ty apps of the brand to make you spend money, and they unnecessarily waste memory on the device. This is why the first two things I do every time I buy an HTC are to flash the default ROM and unlock it. Since it was more difficult than other times with WM, I decided to make this mini-guide to help others do it more easily.
Hi Guys,
I got to the last stage of this walkthrough and when i run the exe for the ROM i get an error 170 on the USB cable. Do you have any ideas what this could be?
Thanks
James
apie2004 said:
Hi Guys,
I got to the last stage of this walkthrough and when i run the exe for the ROM i get an error 170 on the USB cable. Do you have any ideas what this could be?
Thanks
James
You didn't make the goldcard correctly. Start from the beginning of the goldcard creation. To know if the goldcard is well created, when entering HBOOT press the unlock button (call button, if I remember correctly) and there you will see a green message like "key is OK"; if it is not well made there will be a message in red saying "key error" or something like that.
Thanks for that guys, still no luck though . I think I might be doing something wrong so here are the results i get as i go along.
adb shell =035344535530324780010f90d4009868
reverse code=009800d4900f01804732305553445303
goldcard.img=
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 53 41 30 30 00 00 00 00 00 00 00 2C 00 00 00 00 00 00 00 00 00 00 06 00 00 23 00 00 00 00 00 00 00 00 00 68 00 00 00 00 00 00 00 13 00 00 00 84 00 00 00 00 00 00 00 00 00 00 00 00 24 00 00 00 00 00 00 00 18 00 00 29 00 00 00 00 00 FA 00 00 BE 00 00 00 00 19 00 00 00 00 00 00 43 2B BA AA 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 00 00 21 FF FF FF FF FF FF FF FF 00 00 00 00 53 41 30 30 00 00 00 EF 00 83 80 00 00 3B 00 00 52 00 00 71 00 00 00 00 00 00 04 00 00 09 00 00 38 00 00 00 00 B4 83 00 00 5E 00 00 00 00 00 00 00 07 00 00 00 00 D2 00 00 00 00 20 00 45 3B 00 00 00 81 00 00 00 00 00 DD 00 98 06 00 00 00 00 00 00 DE 00 00 00 00 00 3B 00 3C 00 82 53 5A 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
I keep getting the same results over and over again so I think I might be going wrong somewhere... Any more ideas?
I'm afraid I'm stuck near the very beginning.
When I navigate to the sdk tools folder and run the command, I get the following:
Code:
C:\android-sdk-windows\tools>adb shell cat /sys/class/mmc_host/mmc1/mmc1:*/cid
adb server is out of date. killing...
* daemon started successfully *
error: device not found
Is there something I'm doing wrong? I'm running Win 7 x64 and trying to flash a Vodafone branded HTC (build number is apparently "1.67.161.5 CL#74011 release-keys").
Edit: I did format the card to FAT32 like you said.
I found that you need the Android drivers installed for adb shell to work. Run SDK Setup in the Android SDK folder and install the driver component, then point the device in Device Manager towards the newly downloaded folder, which should be called usb_driver. Hope that helps
Well I tried opening SDK Setup but all that happened was a command prompt window just appeared and then disappeared almost instantly (with Windows then complaining that the program might not have installed correctly). I also tried running it as administrator but got the same result. And nothing happens when I try opening it with cmd.
apie2004 said:
Thanks for that guys, still no luck though . I think I might be doing something wrong so here are the results i get as i go along.
adb shell =035344535530324780010f90d4009868
reverse code=009800d4900f01804732305553445303
goldcard.img=
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 53 41 30 30 00 00 00 00 00 00 00 2C 00 00 00 00 00 00 00 00 00 00 06 00 00 23 00 00 00 00 00 00 00 00 00 68 00 00 00 00 00 00 00 13 00 00 00 84 00 00 00 00 00 00 00 00 00 00 00 00 24 00 00 00 00 00 00 00 18 00 00 29 00 00 00 00 00 FA 00 00 BE 00 00 00 00 19 00 00 00 00 00 00 43 2B BA AA 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 00 00 21 FF FF FF FF FF FF FF FF 00 00 00 00 53 41 30 30 00 00 00 EF 00 83 80 00 00 3B 00 00 52 00 00 71 00 00 00 00 00 00 04 00 00 09 00 00 38 00 00 00 00 B4 83 00 00 5E 00 00 00 00 00 00 00 07 00 00 00 00 D2 00 00 00 00 20 00 45 3B 00 00 00 81 00 00 00 00 00 DD 00 98 06 00 00 00 00 00 00 DE 00 00 00 00 00 3B 00 3C 00 82 53 5A 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
I keep getting the same results over and over again so I think I might be going wrong somewhere... Any more ideas?
I also tried a couple of other cards, one broke the card and hboot was really unresponsive. The first card did the same sort of thing, CID error or similar
Success!
I read through this guide about getting adb to work, replaced the current driver with the one linked to there and then also realised that you couldn't get adb to work while the phone was in 'Disk Drive' mode (what a n00b I am). The only way I could get into 'USB Debugging' was by choosing 'HTC Sync' on the phone (but not actually have HTC Sync open on my PC). Once I did that, adb worked properly.
I'm guessing my mistake was just not having the phone in 'USB Debugging', so the old driver would probably have worked as well but at this point I don't really care.
Anyway, I managed to follow the rest of your guide just fine, MiSSigNNo, and it worked! Though I think maybe you should rewrite point number 17 in your original post; from the way you worded it, I thought there was an actual reboot button, different from the power button. A better wording would be something like: "Switch the phone off. Press the Power button to switch it back on but immediately hold down the Volume Down button after pressing the Power button until the HBoot menu appears (at which point you can let go of Volume Down)"
Otherwise I have no complaints, and I cannot thank you enough for posting the guide. It's so nice to be able to get rid of network branding (even if it was only slight in the case of Vodafone), and have a newer version of the system!
Do you know where we can keep track of the WWE Flash releases? It'd be nice to stay up to date I guess.
Edit: lol silly me, wasn't actually checking the rest of the forum so didn't see the thread on WWE ROM links.
what brand of sd card did you use? It's just that i've read somewhere that sandisk (the one i have) doesnt work as a goldcard. Tried it with one that didnt have a brand on it and that didnt work either
I used a SanDisk (it's the 2GB card that came with the phone) so it can't be true that all SanDisk cards don't work. Not that I know much about these things.
Hello.
Today I tried rooting and flashing a custom rom to my smartphone. The rooting process was completed normally, superuser was up etc. Installed Rom Manager but didn't flash CWM from there because I couldn't find my device name so I found it independently from here. Afterwards I tried flashing a CM 10.1 rom (Android 4.2.1), so I booted into recovery. Had a problem with backing up my rom so I proceeded (although I have a backup of my files from Titanium). Wiped data/cache and flashed the rom but then I forgot to REwipe data/cache and rebooted, resulting into a bootloop, with the samsung logo coming up, then the samsung galaxy animation, then repeat. Also, I could not enter recovery mode to wipe, because even after pressing the button combo the phone would skip to the samsung boot screen.
After that I tried multiple things:
1.Flashed CWM through Odin 4.38 independently. (File obtained from http://forum.xda-developers.com/showthread.php?t=1342190)
2.Flashed Stock Froyo rom. (File obtained from http://samsunggalaxyreview2.blogspot.gr/2011/05/samsung-galaxy-mini-s5570-original.html)
3.Flashed Stock Gingerbread rom (File obtained from http://yagyagaire.blogspot.gr/2011/08/upgrade-samsung-galaxy-popmini-gts5570.html#.UYmCjqJA3RM)
After Googling my problem and searching the forums I saw that most people got their issue fixed by either entering recovery (something I can't do), or flashing a different rom (which I did but to no avail).
So now I'm stuck with a device unable to fully boot successfully but with a working Download mode (the phone is accepted by Odin).
I don't know if this is what "bricking" is called but I definitely need help, either by a tutorial, link, instructions, etc. Anything you provide will be helping.
Also: it may sound stupid but is there a difference between s5570 and GT-s5570? If yes then probably the mistake is on my part and I'm sorry for making this thread.
Thank you very much.
Alexziab
EDIT: My initial stock version was Froyo 2.2.1
The first mistake you made is that you flashed Froyo over Gingerbread, which is NOT recommended.
Second, you flashed CM10.1 in stock recovery, which is also NOT recommended.
Third, GT-S5570 is S5570.
Fourth, that's not bootloop, that's Softbrick. Bootloop is looping in bootscreen, NOT bootsplash.
I see. Thank you for replying. Do you know any way to fix this problem?
EDIT: CM 10.1 was flashed after flashing the CWM recovery for Froyo 2.2.1, not stock recovery.
AlexZiab said:
I see. Thank you for replying. Do you know any way to fix this problem?
EDIT: CM 10.1 was flashed after flashing the CWM recovery for Froyo 2.2.1, not stock recovery.
You should have flashed cwm recovery over gingerbread, not on froyo.:what:
Sent Via XDA™ Premium
Galaxy_Rohit said:
You should have flashed cwm recovery over gingerbread, not on froyo.:what:
Sent Via XDA™ Premium
You see, I originally had Froyo. Flashed CWM on it through a thread here on xda (link above) then flashed 10.1.
Gingerbread was flashed later, in an attempt to recover the phone.
AlexZiab said:
You see, I originally had Froyo. Flashed CWM on it through a thread here on xda (link above) then flashed 10.1.
Gingerbread was flashed later, in an attempt to recover the phone.
Send it to SSC, they'll know what to do.
recovery problem with mini 2
I have a problem with GALAXY MINI 2, stock rom, stock kernel, rooted, TWRP recovery
I only tried CWM and TWRP. When I reboot into recovery from RomManager or QuickBoot I cannot reboot the system; it always reboots into recovery. The only other things it lets me do are power off and bootloader. Is this a bug from something in the stock kernel or something else? For the moment I do not wish to flash anything else on it.
The only thing I could do to resolve this problem was to reflash recovery and autoboot from Odin. All works OK now besides booting into recovery any other way than powering off and using the hard keys, and it is damn hard to keep that combination pressed; in 90% of tries I get a power off: it shows the TWRP screen and powers off.
any ideas ?
grigtm said:
I have a problem with GALAXY MINI 2, stock rom, stock kernel, rooted, TWRP recovery
I only tried CWM and TWRP, when I reboot into recovery from RomManager or QuickBoot I cannot reboot system, allways reboots into recovery, only other things that let's me do is power off and bootloader, is this a bug from something in stock kernel or something else ? for the moment I do not wish to flash something else in it
only thing that I could do to resolve this problem is to reflash recovery and autoboot from odin, all works ok now beside booting into recovery other way than power off and using hard keys, and it is damn hard to keep pressed that combination, and 90% from tryes I get power off, it shows TWRP screen and powers off
any ideas ?
Go make a separate thread ! This isn't a ASKING THREAD !
F4uzan said:
Send it to SSC, they'll know what to do.
Can't I fix it by myself? My warranty has expired since 2012 so they will probably charge to fix it.
AlexZiab said:
Can't I fix it by myself? My warranty has expired since 2012 so they will probably charge to fix it.
No, you can't.
Fixed!
Followed this tutorial here on youtube: /watch?v=dU80AYnzf6g
After following the instructions, the phone finally booted! Language was set to (probably) russian but switched it to english and now I have a normally working (for now) phone! I don't see any problems with it! I guess the problem is solved. Thank you all for your support in any way!
Sorry for dodging the "link posting" rule that says that I should make 10 posts before posting a link. I have no intention to spam or anything, hope you understand.
AlexZiab, if you don't know what you are doing just don't do it, buy a new phone and be careful next time
Sent from my GT-S5570 using xda app-developers app
SamsungGalaxyMiniPro said:
AlexZiab if you don't now what you are doing just don't do it , buy a new phone and be careful next time
Sent from my GT-S5570 using xda app-developers app
You know what, I have flashed about 30 phones or more, but it never happened to me that a phone was stuck in a bootloop until this phone. AlexZiab made a mistake, but we all make mistakes sometimes; so do I, and you will as well. He just asked for help. If you don't have an answer you should just be quiet and let somebody else help. Your post makes it look like AlexZiab is some stupid guy or whatever. Nobody is as smart as you are, probably :laugh: . If he hadn't made that mistake he would not know next time. We are all learning every day. If we don't make mistakes we will be stupid, you know.
Boot-Loop resurrection - I am stuck
Hi All,
I've a S5570, and seems soft bricked after some
- probably - mistyped dd.
Now it is in boot-loop. . .
I can enter DM but stock ROM-s won't help.
I've managed to get into this baby using openocd
but got stuck at identifying the OneNAND flash on-board.
Code:
> arm9 mww 0xa0a000e0 0x00000000
> arm9 mww 0xa0a0000c 0x00000004
> arm9 mww 0xa0a00000 0x0000000b
> arm9 mww 0xa0a00010 0x00000001
> arm9 mdw 0xa0a00014
0xa0a00014 00000020
> arm9 mdw 0xa0a00040
0xa0a00040 00d100d1
>
The ID returned is 0x00d100d1 but should be 0x5500bcec or something.
The dump of the controller region seems OK:
Code:
> arm9 mdb 0xa0a00000 0x0x100
0xa0a00000 0b 00 00 00 01 f1 00 00 00 f2 01 f1 04 00 00 00 ................
0xa0a00010 00 00 00 00 20 00 00 00 00 00 00 00 20 00 00 00 .... ....... ...
0xa0a00020 1a 00 d4 aa bd 01 21 00 00 00 00 00 00 00 00 00 ......!.........
0xa0a00030 1a 00 d4 aa bd 01 21 00 06 00 00 10 00 00 00 00 ......!.........
0xa0a00040 d1 00 d1 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0xa0a00050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0xa0a00060 00 00 00 00 00 09 00 00 00 00 00 00 00 00 00 00 ................
0xa0a00070 80 47 80 47 a0 03 a0 03 b9 11 b9 11 a0 85 a0 85 .G.G............
0xa0a00080 20 c0 20 c0 20 c0 20 c0 20 c0 20 c0 00 00 00 00 . . . . . .....
0xa0a00090 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 ................
0xa0a000a0 00 00 00 00 00 00 00 00 00 00 00 00 0d 00 00 00 ................
0xa0a000b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0xa0a000c0 41 f2 20 f2 00 00 00 00 00 00 00 00 00 00 00 00 A. .............
0xa0a000d0 90 70 ff f0 00 00 80 00 94 00 f3 00 e0 40 00 00 .p...........@..
0xa0a000e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0xa0a000f0 ff 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Now what?
Is it a hard-brick?
Regards
M5
Separate thread
Someone said it before on this same thread, and I'm going to say it again. This is NOT a Q&A thread. If you have a question regarding a problem, make a separate thread. If you don't follow the rules, we are not obliged to help. Simple as that
Cheers
NP
Probably I misunderstood the titles:
> Legacy & Low Activity Devices > Samsung Galaxy Mini > Galaxy Mini Q&A, Help & Troubleshooting >
Sorry for that. . .
Seems I had better buy a riffbox and not disturb the "developers"...
(in the URL above)
Lynuxen said:
Someone said it before on this same thread, and I'm going to say it again. This is NOT a Q&A thread. If you have a question regarding a problem, make a separate thread. If you don't follow the rules, we are not obliged to help. Simple as that
Cheers
We all make mistakes reading and remembering. I believe that this thread was in the dev section and it was moved, but he remembered it being in the wrong place. We are all tired at the end of the year. Me too. My PC is about to die and I'm rarely in a good mood nowadays.
Sent from my GT-S5570 using xda premium
An apology for my behavior
meres5 said:
Probably I misunderstood the titles:
> Legacy & Low Activity Devices > Samsung Galaxy Mini > Galaxy Mini Q&A, Help & Troubleshooting >
Sorry for that. . .
Seems I had better buy a riffbox and not disturb the "developers"...
(in the URL above)
I am deeply sorry for my behavior, and even more sorry that you misunderstood me.
You are in the right section. When I said this isn't a Q&A thread I meant it wasn't one of the kind where you post a question and you get an answer. But here you posted your question on another person's thread. This thread was created by him to help him solve his problem with the help of anyone who knows what that specific problem is. And you just walk right in here and start asking what's wrong with your device. Having a separate thread for your problem is mandatory in a case like this.
Second, I am not a developer. Am trying though. So you don't have to take my word for it, since obviously I have no right of telling what's wrong or what's right since I've never developed anything, right? Here is the same meaning in a different sentence by a person who is experienced here.
F4uzan said:
Go make a separate thread ! This isn't a ASKING THREAD !
To avoid creating a thread for each custom ROM ported to the Fire 7 2017, and to avoid going off-topic in the original ROM forums, I have decided to create this thread, where all the custom ROMs for the Fire 7 2017 (aka austin) will be collected.
AVAILABLE ROMS:
LineageOS 12.1
AOSP FIRE NEXUS ROM
A.I.C.P 10
Resurrection Remix Lollipop
FIRE OS REVAMPED
DOWNLOAD LINKS:
LineageOS 12.1
AOSP FIRE NEXUS ROM
A.I.C.P 10
Resurrection Remix Lollipop
FIRE OS REVAMPED
KERNELS:
ANY-KERNEL-AUSTIN
INSTALLATION OF ANY ROM (TWRP):
Boot to TWRP
Wipe cache, data, system and SDcard
Format data
Reboot to recovery
Flash ROM
Flash G-APPS (if needed)
INSTALLATION OF ANY ROM (FlashFire):
Open FlashFire
Click the "+" red button
Click on Wipe and leave the defaults
Click the "+" red button
Click on Flash Zip or OTA, click on the ROM and "tick" auto-mount
Click the "+" red button
Click on Flash Zip or OTA, click on the G-APPS and "tick" auto-mount
Move Wipe to the top
Click on Flash
SCREENSHOTS OF ROMS:
LineageOS 12.1
AOSP FIRE NEXUS ROM
A.I.C.P 10
Resurrection Remix Lollipop
FireOS Revamped
OTHERS/MISC:
Enable 5Ghz Wifi
Special thanks to:
@k4y0z for the unlock method
@mateo121212 for the "porting files and guide"
@ggow for compiling Lineage12.1 and AOSP Fire Nexus ROM
@cbolumar for compiling A.I.C.P 10
@ANDROID2468 for making fireos revamped
Rortiz2 said:
...
INSTALLATION OF ANY ROM (FlashFire):
Open FlashFire
Click the "+" red button
Click on Wipe and leave the defaults
Click the "+" red button
Click on Flash Zip or OTA, click on the ROM and "tick" auto-mount
Click the "+" red button
Click on Flash Zip or OTA, click on the G-APPS and "tick" auto-mount
Move Wipe to the top
Click on Flash...
Cool but the flash fire instructions are kinda pointless though
Also when we get roms with a newer Android version it will be impossible to install it with flash fire because flash fire doesn't patch the kernel to make it bootable.
How to enable 5Ghz wifi on fire7 2017 with custom roms.
By default, the 5Ghz wifi feature of the chip is turned off. Currently, custom Android ROMs can't enable this.
To re-enable 5Ghz feature, you have to:
1. Boot fire OS ( stock rom or revamped fire OS above)
2. Backup /data/nvram/APCFG/APRDEB/WIFI file.
3. Flash your favourite rom.
4. Write back WIFI file, then reboot.
5. Now you can see 5Ghz wifi SSIDs.
In the WIFI nvram file, addresses 0x00C5 and 0x00C6 seem to be responsible for 5Ghz wifi.
analgeizer said:
By default, the 5Ghz wifi feature of the chip is turned off. Currently, custom Android ROMs can't enable this.
To re-enable 5Ghz feature, you have to:
1. Boot fire OS ( stock rom or revamped fire OS above)
2. Backup /data/nvram/APCFG/APRDEB/WIFI file.
3. Flash your favourite rom.
4. Write back WIFI file, then reboot.
5. Now you can see 5Ghz wifi SSIDs.
In the WIFI nvram file, addresses 0x00C5 and 0x00C6 seem to be responsible for 5Ghz wifi.
Hi,
I tried to edit that file myself, but it got overwritten every time after reboot on my device.
Could you provide me your file to compare, pls?
Regards
Beltar
Hi to all,
I have a Fire 7 7th with the twrp installed.
I downloaded the lineageos 12.1, but when I flash through twrp I get an error and the flash is not done.
Has anyone managed to make the flash and need some adjustments?
thank you so much
mixmaxmux said:
Hi to all,
I have a Fire 7 7th with the twrp installed.
I downloaded the lineageos 12.1, but when I flash through twrp I get an error and the flash is not done.
Has anyone managed to make the flash and need some adjustments?
thank you so much
What error?
Rortiz2 said:
What error?
Hi,
Attached is the error that occurred during the flash.
Thanks
mixmaxmux said:
Hi,
Attached is the error that occurred during the flash.
Thanks
TWRP Error 7 is rather common and infers a mismatch between ROM and device. It can be addressed by adjusting the updater script packaged with the ROM zip.
mixmaxmux said:
Hi,
Attached is the error that occurred during the flash.
Thanks
Did you flash the system?
Sent from my Mi A2 using Tapatalk
Rortiz2 said:
Did you flash the system?
Sent from my Mi A2 using Tapatalk
sorry but I'm not very experienced.
I followed the instructions in the first post:
Boot to TWRP
- Wipe cache, data, system and SDcard
- Format data
- Flash ROM (file lineage-12.1-20181218-UNOFFICIAL-austin.zip)
lineage-12.1-20181218-UNOFFICIAL-austin.zip.zip file I checked that it is not corrupt
Note: I have flashed the lp-fire-nexus-rom-austin-20180602.zip and the gapps and all is Ok or also the revamp rom and all is OK
many thanks for your support.
Regards
Beltar89 said:
Hi,
I tried to edit that file myself, but it got overwritten every time after reboot on my device.
Could you provide me your file to compare, pls?
Regards
Beltar
XDA says that I have to post 10 messages to enable attachments. So, plz be patient.
Here is a dump of "WIFI" file from stock fireOS setup.
ADDRESS 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0123456789ABCDEF
------------------------------------------------------------------------------
00000000 04 01 00 00 00 00 00 00 00 00 00 00 22 22 22 22 ............""""
00000010 1E 1E 1E 1E 1E 1E 1E 1E 1E 1E 1E 1E 1E 1E 1E 1E ................
00000020 1E 1E 20 20 20 20 20 20 20 20 20 20 20 20 20 20 ..
00000030 20 20 20 20 00 00 00 00 00 00 00 00 00 00 01 20 ...........
00000040 1A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060 00 B8 00 00 00 00 00 00 01 00 00 00 00 00 00 00 .ク..............
00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000C0 00 00 00 00 01 01 01 26 1B 1C 00 00 00 00 00 00 .......&........
000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000100 01 00 00 00 00 00 01 00 04 04 01 00 00 00 00 00 ................
00000110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000200 AA E4 ェ
mixmaxmux said:
sorry but I'm not very experienced.
I followed the instructions in the first post:
Boot to TWRP
- Wipe cache, data, system and SDcard
- Format data
- Flash ROM (file lineage-12.1-20181218-UNOFFICIAL-austin.zip)
lineage-12.1-20181218-UNOFFICIAL-austin.zip.zip file I checked that it is not corrupt
Note: I have flashed the lp-fire-nexus-rom-austin-20180602.zip and the gapps and all is Ok or also the revamp rom and all is OK
many thanks for your support.
Regards
TWRP keeps partitions mounted after a wipe. Some images fail to extract onto an already mounted partition.
Just reboot after wipe, or unmount system partition from TWRP's mount menu.
mixmaxmux said:
sorry but I'm not very experienced.
I followed the instructions in the first post:
Boot to TWRP
- Wipe cache, data, system and SDcard
- Format data
- Flash ROM (file lineage-12.1-20181218-UNOFFICIAL-austin.zip)
lineage-12.1-20181218-UNOFFICIAL-austin.zip.zip file I checked that it is not corrupt
Note: I have flashed the lp-fire-nexus-rom-austin-20180602.zip and the gapps and all is Ok or also the revamp rom and all is OK
many thanks for your support.
Regards
Well I do not know what's happening ... I'll upload the ROM again ...
Rortiz2 said:
Well I do not know what's happening ... I'll upload the ROM again ...
Many thanks,
At the moment I have flashed the revamped ROM and all is OK.
When you upload the ROM I can flash again and check.
Many thanks for your support.
Max
Hi OP, Thank you for creating a list of all ported roms for Austin. I recently saw your video on flashing the roms using flashfire. Is it possible for you to upload a video showing how you rooted your device and installed flashfire? I'm sorry for asking this as I'm new to flashing custom roms and I really need your help here. A guide on installing twrp also would be nice.
zork307 said:
Hi OP, Thank you for creating a list of all ported roms for Austin. I recently saw your video on flashing the roms using flashfire. Is it possible for you to upload a video showing how you rooted your device and installed flashfire? I'm sorry for asking this as I'm new to flashing custom roms and I really need your help here. A guide on installing twrp also would be nice.
Thanks for watching the video. Yes, I can make a video. But TWRP is better.
Sent from my Mi A2 using Tapatalk
analgeizer said:
XDA says that I have to post 10 messages to enable attachments. So, plz be patient.
Here is a dump of "WIFI" file from stock fireOS setup.
Thanks, I already managed to enable 5Ghz. On my first tries I only edited 1 byte. But this will be enough to compare now with my file
regards
Christian
analgeizer said:
TWRP keeps partitions mounted after a wipe. Some images fail to extract onto an already mounted partition.
Just reboot after wipe, or unmount system partition from TWRP's mount menu.
I have followed your info and the flash of the Lineage ROM is all OK!
Flash lineage ok
Flash gapps ok
Flash magisk ok
Many thanks to all for the support.
Max
mixmaxmux said:
I have followed your info and the flash of the Lineage ROM is all OK!
Flash lineage ok
Flash gapps ok
Flash magisk ok
Many thanks to all for the support.
Max
I'm glad it worked. I have already updated the post and I added that it should be restarted after wipes.
Added Resurrection Remix!
Finally got my N7plus BL unlocked.
Got a nice rom that has double tap to turn on the screen.
But... it still has this brightness issue...
Been looking around and found the driver that controls the LEDs is
BOOST_NT50356 or NT50356
Also found the i2c BUS and i2c address on my device:
7 0x11
Code:
busybox_phh i2cdump -y 7 0x11 -f
Tried with full brightness:
Code:
0 1 2 3 4 5 6 7 8 9 a b c d e f 0123456789abcdef
00: 00 01 e9 0c 02 55 00 00 1f 9e 11 00 28 20 20 00 .????U..???.( .
10: 07 35 ff 07 00 00 00 00 00 00 00 00 00 00 00 00 ?5.?............
20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
50: 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .?..............
60: 23 b7 8f 05 00 04 04 01 af 23 2a 0d 01 9b 90 39 #???.????#*????9
70: 95 3c a8 60 1f 27 01 35 04 07 00 00 00 00 00 00 ?<?`?'?5??......
80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Minimum
Code:
0 1 2 3 4 5 6 7 8 9 a b c d e f 0123456789abcdef
00: 00 01 e9 0c 02 55 00 00 1f 9e 11 00 28 20 20 00 .????U..???.( .
10: 07 35 5a 00 00 00 00 00 00 00 00 00 00 00 00 00 ?5Z.............
20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
50: 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .?..............
60: 23 b7 8f 05 00 04 04 01 af 23 2a 0d 01 9b 90 39 #???.????#*????9
70: 95 3c a8 60 1f 27 01 35 04 07 00 00 00 00 00 00 ?<?`?'?5??......
80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Notice addresses 0x12 and 0x13: the only values that I see changing.
Relevant info I found:
https://github.com/archie9211/android_kernel_nokia_B2N/issues/1
https://github.com/derflacco/android_kernel_drg/search?q=boost_nt50356&unscoped_q=boost_nt50356
Obviously I tried to manually change the values, but the address is in use.
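The register comparison described in the post above, as an added example that is not part of the original post: it parses the two `i2cdump` captures (first two rows of each, copied from the post) and lists the registers that differ. The same parser also reads the offset-without-colon layout of the `WIFI` nvram dump posted earlier on this page; the two 11-bit decodings of registers 0x12/0x13 are hypotheses, not taken from an NT50356 datasheet, and all function names are illustrative.

```python
import re

# First two rows of each capture from the post (bus 7, address 0x11).
DUMP_FULL = """\
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f    0123456789abcdef
00: 00 01 e9 0c 02 55 00 00 1f 9e 11 00 28 20 20 00 .????U..???.( .
10: 07 35 ff 07 00 00 00 00 00 00 00 00 00 00 00 00 ?5.?............
"""
DUMP_MIN = """\
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f    0123456789abcdef
00: 00 01 e9 0c 02 55 00 00 1f 9e 11 00 28 20 20 00 .????U..???.( .
10: 07 35 5a 00 00 00 00 00 00 00 00 00 00 00 00 00 ?5Z.............
"""
# Row 0xC0 of the stock-FireOS WIFI nvram dump posted earlier on the page.
WIFI_ROW_C0 = "000000C0 00 00 00 00 01 01 01 26 1B 1C 00 00 00 00 00 00 .......&........"

ROW = re.compile(r"\s*([0-9a-fA-F]{2,8}):?\s+(.*)")
HEX_BYTE = re.compile(r"[0-9a-fA-F]{2}")


def parse_hexdump(text):
    """Return {offset: value} for every readable byte in a 16-column hex dump."""
    regs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # column header, separator or unrelated output
        base = int(m.group(1), 16)
        # Only the first 16 tokens are data; anything after is the ASCII column.
        for i, tok in enumerate(m.group(2).split()[:16]):
            if HEX_BYTE.fullmatch(tok):
                regs[base + i] = int(tok, 16)
            # i2cdump prints "XX" for a register it could not read: skip it
    return regs


def diff_registers(a, b):
    """Offsets present in both dumps whose values differ: {offset: (a, b)}."""
    return {off: (a[off], b[off]) for off in sorted(a.keys() & b.keys())
            if a[off] != b[off]}


def candidate_levels(reg12, reg13):
    """Two hypothetical 11-bit layouts for the brightness pair (assumption)."""
    return {
        "0x12=low8, 0x13=high3": ((reg13 & 0x07) << 8) | reg12,
        "0x12=high8, 0x13=low3": (reg12 << 3) | (reg13 & 0x07),
    }


if __name__ == "__main__":
    full, low = parse_hexdump(DUMP_FULL), parse_hexdump(DUMP_MIN)
    for off, (hi_val, lo_val) in diff_registers(full, low).items():
        print(f"reg 0x{off:02x}: full=0x{hi_val:02x} min=0x{lo_val:02x}")
    print("full:", candidate_levels(full[0x12], full[0x13]))
    print("min: ", candidate_levels(low[0x12], low[0x13]))
    wifi = parse_hexdump(WIFI_ROW_C0)
    print(f"WIFI 0xC5=0x{wifi[0xC5]:02x} 0xC6=0x{wifi[0xC6]:02x}")
```

Both candidate layouts decode the full-brightness pair to the same value, so only the minimum-brightness capture (or an intermediate one) can tell them apart.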
Unlock the bootloader?
How did you succeed in unlocking the bootloader of the Nokia 7 plus? Can you please explain in detail!
jahangirbsmrau said:
How did you succeed in unlocking the bootloader of the Nokia 7 plus? Can you please explain in detail!
https://forum.xda-developers.com/nokia-7-plus/help/root-t3893363/post78764676