New IMate Bootloader version - MDA II, XDA II, 2060 ROM Development

ok, Been struggling for 2 days getting my new Imate back to life after it started showing the "Serial" death screen trying to upgrade it to O2 new rom.
I tried everything using the USB cradle and also using the SD way and my other good Imate...... As soon as I insert the SD in the dead Imate after packing it with the ROM from the good one it tells me "section=1 not allowed!" whereas it is mentioned here in the forum it should tell me "press power to upgrade".
I noticed that this new one has a bootloader ver 1.06 which is not referred to anywhere in this forum.
Any ideas?

sd cards usually only work for the same bootloader.
the trick is to put a 1.06 header on your sd card.
what you can do is this:
- first using your 1.06 bootloader create an sdcard with your bootloader,
by connecting your xda to a terminal program ( either via USB, or serial )
then type 'd2s 80000000 40000'
this will write your bootloader to SD.
- then make a raw image copy of this sd card, using psdread
* insert the sdcard in a working xda2, put it in its cradle, and type:
psdread -3 0 0x40400 bl106.img
- then create an sd image of the correct rom, in your working xda2.
from this image, replace the header part of the first sector of the
sdcard with the header from the bl106.img.
the header is the first 0x180 bytes.
psdread -3 0 0x200 os-header.img
* use hexeditor to replace the first 0x180 bytes of this file.
and write it back:
psdwrite -3 os-header.img.
then your sd card should work with the new bootloader.
btw, I am very interested in a copy of this bootloader. can you send me the bl106.img file?

Thank You
itsyou,
I Thank you tons for replying back... will give it a shot and will let you know the outcome.
As for the Bootloader Copy, I only have 2 SDs 512 & 256. I have no problems with bandwidth let me know where to dump it for you and I will do it promptly.
:wink:

now that I looked again at ur explanation I find it very difficult for me to do.
Wouldn't it be easier to just flash my good XDA with the new bootloader then do a full sd image from that one and run it into the bad one? if this would work then fine if not pls find below some questions:
- first using your 1.06 bootloader create an sdcard with your bootloader,
by connecting your XDA to a terminal program ( either via USB, or serial )
then type 'd2s 80000000 40000'
this will write your bootloader to SD.
DONE
- then make a raw image copy of this sd card
How
using psdread
* insert the sdcard in a working xda2, put it in its cradle, and type:
psdread -3 0 0x40400 bl106.img
where to type that? in cmd prompt? if so; I did that, windows gave me an error related to a 16bit application encountered error (am using XP)? while Active sync is on? in mtty? Is this the SD card the one i did above or a formatted one
- then create an sd image of the correct rom, in your working xda2.
from this image, replace the header part of the first sector of the
sdcard with the header from the bl106.img.
the header is the first 0x180 bytes.
psdread -3 0 0x200 os-header.img
Not clear
* use hexeditor to replace the first 0x180 bytes of this file.
and write it back:
psdwrite -3 os-header.img.
psdwrite ... is that a hex editor I can find somewhere

where to type that? in cmd prompt? if so; I did that, windows gave me an error related to a 16bit application encountered error (am using XP)? while Active sync is on? in mtty? Is this the SD card the one i did above or a formatted one
psdread is a desktop windows command line tool, found in this archive.
you already know how to make an sdcard with os image. - type 'd2s' to your bootloader.
from this sd card you copy only the first sector with
Code:
psdread -3 0 0x200 sd-sector.img
then replace the header in this file.
this is an example of what the first 512 bytes look like:
first the part that needs to be replaced:
Code:
0000000: 4849 4d41 4c41 5941 5320 2020 2020 2020 HIMALAYAS
0000010: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
0000020: f622 919d e18b 1fda b0ca 9902 b972 9d49 ."...........r.I
0000030: 2c80 7ec5 99d5 e980 b2ea c9cc 53bf 67d6 ,.~.........S.g.
0000040: bf14 d67e 2ddc 8e66 83ef 5749 61ff 698f ...~-..f..WIa.i.
0000050: 61cd d11e 9d9c 1672 72e6 1df0 844f 4a77 a......rr....OJw
0000060: 02d7 e839 2c53 cbc9 121e 3374 9e0c f4d5 ...9,S....3t....
0000070: d49f d4a4 597e 35cf 3222 f4cc cfd3 902d ....Y~5.2".....-
0000080: 5341 3030 e1dc d6ae 8390 49f1 f1ff e9eb SA00......I.....
0000090: b3a6 db1e 870c 3edd 24eb 0d1c 06b7 47de ......>.$.....G.
00000a0: 8412 4dc8 43c3 cba6 1f03 5a7d 0938 251f ..M.C.....Z}.8%.
00000b0: 5d9f d4fc 96f5 453b 130d 890a 1cd3 902d ].....E;.......-
00000c0: 489a 50ee 4078 36fd 1249 32f6 9e81 49dc H.P.@x6..I2...I.
00000d0: ad4f 14f2 4440 66d0 6bc4 30b7 bec6 ff42 .O..D@f.k.0....B
00000e0: 5455 9a6a 2215 d1e1 9038 3238 d93f 7c66 TU.j"....828.?|f
00000f0: 5e03 d8c0 9c91 d971 9f69 a5e2 0c99 9247 ^......q.i.....G
0000100: fa16 bb11 adae 2488 79fe 52db 2543 e53c ......$.y.R.%C.<
0000110: 1870 92da 6454 ceb1 853e 6915 f846 6a04 .p..dT...>i..Fj.
0000120: 9673 0ed9 162f 6768 d4f7 4a4a d057 6876 .s.../gh..JJ.Whv
0000130: fa16 bb11 adae 2488 79fe 52db 2543 e53c ......$.y.R.%C.<
0000140: f445 d3d8 28ce 0bf5 c560 593d 9727 8a59 .E..(....`Y=.'.Y
0000150: 762d d0c2 c9cd 68d4 496a 7925 0861 4014 v-....h.Ijy%.a@.
0000160: b13b 6aa5 1128 c18c d6a9 0b87 978c 2ff1 .;j..(......../.
0000170: 151d 9a95 c19b e1c0 7ee9 a89a a786 c2b5 ........~.......
this part you need to keep.
Code:
0000180: 4854 4353 3830 3034 3030 3030 3031 4538 HTCS8004000001E8
0000190: 3030 3030 4238 3042 4546 4246 fe03 00ea 0000B80BEFBF....
00001a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00001b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00001c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00001d0: 0000 0000 0000 0000 0000 0000 4543 4543 ............ECEC
00001e0: 04c9 0d80 0000 0000 0000 0000 0000 0000 ................
00001f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
use any hexeditor you like.
most will allow you to cut/paste from one file to the other.
make very sure that at offset 0000180 it says something that starts with 'HTCS80040000'
otherwise you may accidentally overwrite your bootloader, and permanently damage your device.
after you have modified the sd-sector.img file, write it back to the sdcard
containing your os image with
Code:
psdwrite -3 sd-sector.img
.
both psdread and psdwrite can be found in the itsutils.zip archive, and are described here and here
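
Added example (not part of the original post, and not code from itsutils): the header swap described above done in Python instead of a hex editor, refusing to produce output unless offset 0x180 starts with 'HTCS80040000'. The function names and the constructed sample sectors are assumptions for illustration; reading and writing the card itself is still done with psdread and psdwrite.

```python
"""Added example: splice a bootloader-specific SD header onto an OS-image sector."""
import sys

HEADER_LEN = 0x180             # bytes to replace, as stated in the post
SECTOR_LEN = 0x200             # size of sd-sector.img (one SD sector)
KEEP_MAGIC = b"HTCS80040000"   # must start the part that is kept (offset 0x180)


def splice_header(bl_image: bytes, os_sector: bytes):
    """Return (new_sector, changed).

    new_sector is os_sector with its first HEADER_LEN bytes taken from
    bl_image. changed is False when the two headers were already identical,
    in which case writing the sector back leaves the card as it was.
    """
    if len(os_sector) != SECTOR_LEN:
        raise ValueError(
            f"OS sector must be {SECTOR_LEN:#x} bytes, got {len(os_sector):#x}")
    if len(bl_image) < HEADER_LEN:
        raise ValueError("bootloader image is shorter than the header")

    tail = os_sector[HEADER_LEN:]
    # The safety check from the post: without this marker the file is not the
    # first sector of an OS image, and it must not be written back.
    if not tail.startswith(KEEP_MAGIC):
        raise ValueError(
            f"offset {HEADER_LEN:#x} does not start with {KEEP_MAGIC!r}; refusing")

    new_header = bl_image[:HEADER_LEN]
    return new_header + tail, new_header != os_sector[:HEADER_LEN]


def splice_files(bl_path, os_path, out_path):
    """File wrapper: never modifies the inputs, writes a new file instead."""
    with open(bl_path, "rb") as f:
        bl_image = f.read()
    with open(os_path, "rb") as f:
        os_sector = f.read()
    new_sector, changed = splice_header(bl_image, os_sector)
    with open(out_path, "wb") as f:
        f.write(new_sector)
    return changed


def constructed_sector(fill: int, tail_text: bytes) -> bytes:
    """Build a made-up 0x200-byte sector for the demo (not real device data)."""
    header = b"HIMALAYAS".ljust(0x20, b" ") + bytes([fill]) * (HEADER_LEN - 0x20)
    return header + tail_text.ljust(SECTOR_LEN - HEADER_LEN, b"\0")


if __name__ == "__main__":
    if len(sys.argv) == 4:
        # e.g. python splice.py bl106.img sd-sector.img sd-sector-new.img
        changed = splice_files(*sys.argv[1:4])
    else:
        bl = constructed_sector(0xAA, b"HTCS80000000")          # constructed
        os_sec = constructed_sector(0x55, b"HTCS8004000001E8")  # constructed
        _, changed = splice_header(bl, os_sec)
    print("header replaced" if changed else "headers were identical, nothing changed")
```

A result of "headers were identical" means both images were written by bootloaders that produce the same header.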

itsme,
followed ur kind instructions to the letter and all went smooth with no errors whatsoever till I started to write back the image to the bad XDA and it gave me the freaken same error (find below)
SD Download
===========
Section=1
Not allow
update!
I started losing hope in this thing.
I am attaching here the bl106.img file as per ur request hope it helps you and anyone else in the future (is that what u want, if not let me know what exactly u need before i send this bad one to the shop for fixing)
Best regards.
Note: I noticed in the step where am supposed to replace the first 0x180 bytes that both headers from both images are the same...I think...maybe am wrong thus I still replaced them as per ur instructions.
(my good xda has ver. 1.02 bootloader)

this is a bootloader v1.02 you uploaded here.

I assure you that this file was dumped from an xda2 which says ver. 1.06.
Although I already sent the Device for fixing I still have a whole flash dump to the defective device on my HD. gimme an address where I can upload it to and I will do promptly.
Thanks again for all the help you gave me.

ftp.xda-developers.com
user xda
pass xda

file (raw image) of defective device being uploaded :wink:
Am supposed to get a replacement for this device in a week time. will post u a note case it has a 1.06 ver again.

just out of curiosity
who in Egypt handles service of the XDA II ??
just in case!!

No one :?
I have been relying on Dubai for that matter.

I did find the 1.06 bootloader in the 1.66.167 upgrade.

OH MAN! are you telling, had I waited one more day b4 sending it to Dubai I could have used this upgrade to do the trick?
How about in the one I uploaded, which version was embedded in the raw image?

still only the 1.02 version.
I don't think the 1.06 bootloader would have helped.

itsme,
Looking at the bright side of things, I now should not regret sending the busted xdaII back for exchange then.
Thank you very much for all the help you gave me. it only shows what a gr8 community this is.

PowerLOC Destinator problem with XDA II new ROM:
Hi,
Destinator problem with XDA II ROM:
ROM-1604eng
ROM-16036wwe
ROM-v16050
ROM -16021wwe
ROM-16052ger
All these ROM versions have the same problem, The PowerLOC Destinator can not find com 5, if I use the Pocket Blue Tools patch the freeze in com 7.
The only way I find to use the PowerLOC Destinator in the XDA II is with the Rom version 1.03.00 wwe_o2 asia together with the Pocket Blue Tools.
Has anybody succeeded in using the PowerLOC Destinator with the new Rom?
Best,
Dias

My Destinator works fine with bluetooth patch and 1.66.00WWE ROM. Don't know what your problem could be, other than not doing things in the finicky order the XDA II requires with Bluetooth.

I saw this note in Default_Driver.CAB of the 1.66.131 extrom.
; Change DUN port from COM5 to BSP4.
[HKEY_LOCAL_MACHINE\ExtModems\bluetooth_dun]
"port"="BSP4:"
maybe it is related?

Related

Backup Original ROM before trash my Himalaya

First of all .. my thanks goes to all the people to this forum!
You're really GREAT !!
In any case sorry for my poor english :wink:
I've few questions ...
I've read many many pages but I can't understand the right procedure to follow for dumping my Himalaya original ROMs because in some pages the "d2s" command is followed by some numbers and in others, by other numbers ... this confuses me!
After that, otherwise, I've tried to follow the XDA II procedure and the storing procedure to SD seems to be ok .. but when I try to save the rom dump from my SD to PC using ntrw (otherwise it was unreadable in Win), I've got a read error but, in any case, I obtain only one file on my PC of about 400 MB and I suppose that something is wrong because all of you speak of about 50 MB ... so ... What's the right procedure with the right command? How can I be sure that my dump is correct? Is the dump only one file, or one each for ROM, Radio and Extended?
When I solve this issue I can try to upgrade my Himalaya to WM2005.
Thank you for your help.
Please help me, I'd like not to lose my guarantee.
This post was submitted also to buzz forum
Now this is the situation ...
Qtek 2020 - 1.66.04ITA
-= Preparing the device =-
01 ) I went to Bootloader (Power + Directions + Reset)
02 ) I see on the device "Serial v1.06"
03 ) I stop MSSync service Ctrl+Alt+Del and stop wcescomm.exe
04 ) Put device on cradle
05 ) Now I see on the device "USB v1.06" instead of "Serial v1.06"
06 ) Put the 512 MB SD into the device
07 ) Start Mtty 1.42
08 ) Leave as is all the parameters
09 ) I've "USB" port (and not ".WCEUSBSH001") and I press USB
10 ) Ok seems to be connected to the device
-= Dumping the ROM on SD =-
11 ) Into mtty command line I write (and not copy and paste and without "sd a" at the end)
d2s 80000000 02000000
12 ) Device tell me % of work while in mtty I found
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SD : Detected one card
SD : ready for transfer OK
pc->drive.total_lba=EEC00
pc->drive.num_heads=0
pc->drive.sec_p_track=0
pc->drive.num_cylinders=0
pc->drive.block_size=200
pc->drive.features=0
pc->drive.RCA=B368
pc->drive.drv_type=40000000
pc->drive.securedAreaSize=0
pc->drive.securityDrv=0
pc->drive.busWidth=1
pc->drive.erasedSize=0
Total card size=1DD80000
SDCARDD2S+,cStoragePlatformType=FF
********************************************************************************************************************************
Store image to SD/MMC card successful.
USB>
13 ) Then I write
d2s 60000000 00300000 sd a
14 ) Device tell me % of work while in mtty I found
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SD : Detected one card
SD : ready for transfer OK
pc->drive.total_lba=EEC00
pc->drive.num_heads=0
pc->drive.sec_p_track=0
pc->drive.num_cylinders=0
pc->drive.block_size=200
pc->drive.features=0
pc->drive.RCA=B368
pc->drive.drv_type=40000000
pc->drive.securedAreaSize=0
pc->drive.securityDrv=0
pc->drive.busWidth=1
pc->drive.erasedSize=0
Total card size=1DD80000
************
Store image to SD/MMC card successful.
USB>
15 ) Then I write
d2s 70000000 01080000 sd a
16 ) Device tell me % of work while in mtty I found
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SD : Detected one card
SD : ready for transfer OK
pc->drive.total_lba=EEC00
pc->drive.num_heads=0
pc->drive.sec_p_track=0
pc->drive.num_cylinders=0
pc->drive.block_size=200
pc->drive.features=0
pc->drive.RCA=B368
pc->drive.drv_type=40000000
pc->drive.securedAreaSize=0
pc->drive.securityDrv=0
pc->drive.busWidth=1
pc->drive.erasedSize=0
Total card size=1DD80000
DOCInfoTableinitHW+
Binary0:dwSize=80000
BINFS0:dwSize=0
FAT0:dwSize=1000000
FAT1:dwSize=EA0000
All:dwSize=1F20000
******************************************************************
Store image to SD/MMC card successful.
USB>
-= Saving ROM from SD Card to PC =-
17 ) Put the SD Card into a Card Reader
18 ) Go to Dos command line into ntrw path
19 ) Type "ntrw read ROM.nb1 H:" where H: is the Card reader drive
Now start the problem ... :shock:
I want to know if it's all ok with this process ...
The output of ntrw is:
NTRW 2.0
Removable media
Cylinders: 0:60
TracksperCylinder: 255
SectorsPerTrack: 63
BytePerSectors: 512
bufsize is 65536
500629504 bytes written bytes: 0
ReadFile(): ROM.nb1 -- Parametro non corretto
First sign of some error but someone says that's ok!
And then I see the prompt.
Now I find the file ROM.nb1 that is 477 MB (like the SD size after a FAT format).
Is it ok? ... I don't think so .. but let's go on!
I open the file with an HEX Editor and the file seems ok but after a string like HTCE the file contains all 00h.
Can I cut off that part?
How can I ensure myself that's all ok?
Come on guru don't leave me with the bootloader splash screen instead of the MAGNETO one :lol: :lol: :lol:
Thanks to rhmartin's help (on buzzdev.net) I've reached this situation ..
I've got my dumped rom in SD and in a file.
But ...
I acquire more information about my Qtek 2020 (XDA2):
ROM: 1.66.04ITA
Radio: 1.10
ExtROM: 1.66.148
I think that's a WM2003 (not SE), isn't it?
In any case ... I put back my dumped roms in SD and followed the procedure for rom restore:
1 - Bootloader
2 - Put SD into device
3 - Wait for "Press Power Button"
4 - etc. etc.
But I never reached number 3, what's wrong?
I've put back the dump as a single file (as the ntrw output gave to me), is that correct or must I put it back (and so back it up first in that way) as 3 separate files?
I've seen that in the download area there's no WM2003 dumped rom, so I searched by myself and I found RUU172128ITA (1.72 ITA) but I prefer if my backup can be useful for disaster recovery and can be used for my original version backup.
I think that you understand my situation .. I prefer to ask before a not funny situation instead of filling the forum with hundreds of emergency posts.
I hope you think I'm right.
Thank you for the patience and sorry for possible misunderstandings or english syntax errors!
NO ONE CAN HELP ME ... INCREDIBLE!
I'm ready to say sorry but ...
There's no one in this great forum that can help me ...
IT'S INCREDIBLE !!! :shock: :shock: :shock:
I don't think that no one has my problem ...
PLEASE SOMEONE HELP ME
:evil:

Upgrading ROM crashed...think it's fried...please help!

Firstly, let me thank everyone for their help in advance.
Tonight I tried upgrading my ROM to the newest Cingular ROM. I'm on Cingular in NYC and have been having radio problems so I hoped Cingular's optimizations would help. Anyway, I was running the i-mate ROM previously. I have done this many times. During the ROM upgrade, it gave me the usual Device ID error so I restarted the upgrade utility and everything was good. Well, at 19% progress it stalled, eventually crapping out citing a communications error. The device won't reboot now.
I got the device in tri-color mode and began the process again. The upgrade stops with Device ID error, but now the restart trick no longer works! I also tried updating it with both the original TyTN ROM and the i-mate ROM I was previously using. They all crap out with a Device ID error! Now I have a paper weight because it also won't boot with what was loaded previously, hanging on the Windows Mobile splash screen.
Does anybody have any advice or solution???
Thanks...I'm desperate here!
See this page:
http://wiki.xda-developers.com/index.php?pagename=Hermes_UpgradeProblems
Connect to your device bootloader using mtty.exe and issue the commands "set 14 0" and "task 8". This will (hopefully) boot the existing imate rom.
If this does not work run the commands "checkimage" and "info 8" and paste the output here. For more info read the wiki:
http://wiki.xda-developers.com/index.php?pagename=Hermes_BootLoader
Alternatively, you can try to flash it using HERMIMG.nbh on SD card:
http://wiki.xda-developers.com/index.php?pagename=Hermes_SDCardFlashing
Thank you...I'm going to try this in just a few minutes. Needless to say...I'm sweating!
OK guys, this is what I got running "checkimage" and "info 8". What do you think?
USB>checkimage
IPL CRC checksum = 0x24C42773
SPL CRC checksum = 0x9382C208
CE CRC checksum = 0x5D6A925D
ExtROM CRC checksum = 0xFFF79D19
Radio Image CRC checksum = Checksum: Wait interpreter timeout
0x0
USB>info 8
Block 0x0(0) is Reversed block
Block 0x1(1) is Reversed block
Block 0x2(2) is Reversed block
Block 0x3(3) is Reversed block
Block 0x4(4) is Reversed block
Block 0x5(5) is Reversed block
Block 0x6(6) is Reversed block
Block 0x7(7) is Reversed block
Block 0x8(8) is Reversed block
Block 0x9(9) is Reversed block
Block 0xA(10) is Reversed block
Block 0xB(11) is Reversed block
Block 0xC(12) is Reversed block
Block 0x3FB(1019) is Reversed block
Partition[0], type=0x20, start=0x2, total=0x18FE
Partition[1], type=0x23, start=0x1900, total=0x1700
Partition[2], type=0x25, start=0x3000, total=0x19C00
Partition[3], type=0x4, start=0x1CC00, total=0x1DC00
CE Total Length(with sector info) = 0x3A66000
CE CheckSum Length(without sector info) = 0x3980000
USB>
Any clue on what this data means?
Thanks
CJNYC said:
Radio Image CRC checksum = Checksum: Wait interpreter timeout
0x0
Your radio is screwed. Format your microSD card and copy the NBH file contained in a rom upgrade (if possible use one that matches your CID). Rename the NBH file to 'HERMIMG.nbh' and put the microSD card on the phone. Power on the phone in bootloader mode and you should see the flash confirmation, press the power button to confirm and wait 30 min. This process is described in more detail here:
http://wiki.xda-developers.com/index.php?pagename=Hermes_SDCardFlashing
Good luck
Thanks POF...this will be the first thing I do tonight. I'm keeping my fingers crossed and will report back as soon as I'm done.
Thanks!
OK, that didn't work either. When the bootloader went to load the ROM from the Micro SD card I got the following message...
0028002
Not Allow
Any other suggestions??? Thanks
CJNYC said:
0028002
Not Allow
The NBH file you used doesn't match your CID. Use a NBH file that matches your CID.
You can see your CID by issuing bootloader command "info 2".
If you have an HTC branded Hermes (HTC TyTN) your CID will be QTEK_001, then you need an NBH file with this CID, for example "hermimg_QtekNOR_1.18.255.3_Ship.nbh" contained on HTC TyTN WWE rom.
pof...
That's the exact ROM I used and I do have an HTC branded TyTN. When I issue the "info 2" command all I get back is an "HTCSUSB>" prompt. Am I missing something?
Thanks
Probably mtty.exe doesn't parse the output of "info 2" correctly and that's why you can't see the CID, but if it is an HTC TyTN then your CID must be QTEK_001 and there should be no problems with the NBH you used... it is very weird that you get this error.
Did you try the "set 14 0" command to start OS after reset? If you can boot WM5 again you can run GetDeviceData.exe from your device to see your CID, otherwise you can use USB Monitor and look for the output of "info 2" there.
Another thing you can do is to start the TyTN 1.18 ROM upgrade using the normal procedure (RomUpgradeUt.exe), but capture the output of all the upgrade process using USB Monitor, and then export it to text file and attach it here. We will be able to see the error from bootloader and where exactly it stops the flashing process:
1) Disable activesync on your computer by right click on activesync icon -> connection settings -> uncheck "allow USB connections".
2) Put your device in BootLoader mode
3) Connect device to computer using USB cable.
4) Start USBMonitor.
5) File -> New session -> USB Monitor -> Select USB device where your phone is connected -> Check "request view" -> Finish
6) In the upper part there are two tabs: basic and complete. Click on "Complete".
7) click on RomUpgradeUt.exe and start the Rom Update Process, if everything went fine you should see all the USB traffic output on USB monitor window.
8) when rom upgrade fails, click on Edit -> Export and Save as type "ANSI Text files".
9) Save the file and zip it.
10) Upload the zipped file here or put it on xda-dev FTP if it is too big.
OK, I used USB Monitor and recorded the results of the upgrade attempt, which of course failed. Please see the attached file.
What do you think? Any hope?
Thanks...
-Craig
When the flash utility tries to get the CID from your device it gets this error:
CID: Wait interpreter timeout..
Info 2 should return:
Code:
"HTCS" + 8-byte CID + 4-byte checksum + "HTCE"
In your case the output of "info 2" shows this:
Code:
48 54 43 53 00 01 09 8C 5C 30 08 8C 66 17 09 7C HTCS...?\0.?f..|
48 54 43 45 HTCE
Your CID: 0x0001098C5C30088C (...?\0.?)
Output of "info 2" for HTC TyTN should show this:
Code:
48 54 43 53 51 54 45 4B 5F 30 30 31 D6 00 3D 07 HTCSQTEK_001..=.
48 54 43 45 HTCE
Normal CID for HTC TyTN: 0x5154454B5F303031 (QTEK_001)
I don't know what caused the CID to change, and it is not possible to change the CID on a NBH because signature will not be the same and you'll get a signature error. We don't know how to change the CID on the Hermes yet, probably someone will come out with a solution but now I don't know what to do....
Are you able to send back your device under warranty?
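
Added example (not from the original thread): a parser for the "info 2" layout given above, run on the two dumps quoted in the post. Function names are hypothetical, the checksum is only extracted because the page does not say how it is computed, and treating a non-ASCII CID as suspect is an assumption.

```python
"""Added example: parse the bootloader's "info 2" reply and extract the CID."""
import re

START, END = b"HTCS", b"HTCE"
CID_LEN, SUM_LEN = 8, 4
HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")

# The two dumps quoted in the post (hex column plus ASCII column).
BROKEN_DUMP = r"""
48 54 43 53 00 01 09 8C 5C 30 08 8C 66 17 09 7C HTCS...?\0.?f..|
48 54 43 45 HTCE
"""
TYTN_DUMP = r"""
48 54 43 53 51 54 45 4B 5F 30 30 31 D6 00 3D 07 HTCSQTEK_001..=.
48 54 43 45 HTCE
"""


def dump_to_bytes(dump: str) -> bytes:
    """Turn hex-dump lines back into bytes.

    Only the leading two-digit hex tokens of each line are used (at most 16);
    the ASCII column on the right is ignored.
    """
    out = bytearray()
    for line in dump.splitlines():
        taken = 0
        for tok in line.split():
            if taken == 16 or not HEX_BYTE.fullmatch(tok):
                break
            out.append(int(tok, 16))
            taken += 1
    return bytes(out)


def parse_info2(raw: bytes) -> dict:
    """Split "HTCS" + 8-byte CID + 4-byte checksum + "HTCE" into its fields."""
    start = raw.find(START)          # tolerate prompt text before the frame
    if start < 0:
        raise ValueError("no HTCS marker in reply")
    body_at = start + len(START)
    end_at = body_at + CID_LEN + SUM_LEN
    if raw[end_at:end_at + len(END)] != END:
        raise ValueError("reply is truncated or HTCE is not where the layout puts it")
    cid = raw[body_at:body_at + CID_LEN]
    checksum = raw[body_at + CID_LEN:end_at]
    printable = all(0x20 <= b < 0x7F for b in cid)
    return {
        "cid_hex": cid.hex().upper(),
        "cid_text": cid.decode("ascii") if printable else None,
        "checksum_hex": checksum.hex().upper(),   # extracted, not verified
    }


def cid_verdict(raw: bytes, expected_cid: str) -> str:
    """Compare the device CID with the CID an NBH file was built for."""
    info = parse_info2(raw)
    if info["cid_text"] == expected_cid:
        return "match"
    if info["cid_text"] is None:
        return "non_ascii"   # assumption: a CID that is not text is suspect
    return "mismatch"


if __name__ == "__main__":
    for name, dump in (("broken device", BROKEN_DUMP), ("HTC TyTN", TYTN_DUMP)):
        raw = dump_to_bytes(dump)
        print(name, parse_info2(raw), cid_verdict(raw, "QTEK_001"))
```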
I'm going to try to ship it to the HTC repair center in Germany and see what they can do for me. Who knows how long this will take. I might pick up a Cingular 8525 when they are supposedly released on Friday and see how that goes. I'm not happy. I really like this device and simply wanted the Cingular network optimizations.
pof...I really appreciate the help and effort. In another thread, people are complaining that this same Cingular ROM is changing the CID's and locking phones. Oh well, back to the drawing board.
Thanks again!
CJNYC said:
In another thread, people are complaining that this same Cingular ROM is changing the CID's and locking phones.
Are you referring to user fun_key, not being able to downgrade after flashing cingular's 1.31 rom? He has checked and his CID remains the same, and I haven't heard of anyone having his phone locked for upgrading a ROM.
I've investigated into it, see my post here:
http://forum.xda-developers.com/viewtopic.php?t=63355&start=25
I guess your problem is that the rom upgrade flashed your bootloader and you cannot use the HERMIMG.nbh from the TyTN rom because it contains a lower bootloader version (1.04) while you have a higher bootloader version (1.06).
You can check your bootloader version by issuing the command "info 7".
Now you have three options:
- wait for a rom upgrade with bootloader >= 1.06
- send your device to repair center
- wait until some xda-developer finds out how to downgrade the bootloader
I definitely understand this issue with the newer bootloader. Would it not stand to reason that I'd be able to re-run the Cingular ROM that failed or is this simply an issue now with the CID needing to match the original TyTN ROM?
Thanks again!
The TyTN has "flash from microSD" option much like the Wizard. On my 8125, IIRC, an SD based reflash ignored everything and put the base image + bootloader + ROMs back on; completely restoring the device to original factory specs.
I'm not sure if this is the same on the TyTN or not but it may be worth a try. The Wiki on this says that using the HERMIMG.NBH method to restore from SD may or may not ignore CID. At very least you could update the Wiki if it doesn't work
@CJNYC: I'm not really sure if your problem is related to bootloader version, CID or both.
@Sleuth255: He already tried sd-card flashing, if you follow the whole thread.
oops, now I see it. My bad...

mtty stuck after "start NB image download"

Hello,
i try to flash bootloader 1.01 mfg according to http://wiki.xda-developers.com/index.php?pagename=Hermes_BootloaderMFG
It hangs after
USB> lnbs SPL-1.01.nbs 50020000
...
start NB image download
According to other threads this behavior exists if mtty can not find the file. But the file is in the same directory as mtty.
Does anybody have an idea what is wrong?
Thanks
Andreas
did you do the "Task 32" first? and if you did did you get "Level = 00"
yes, but I only got one 0
USB>task 32
Level = 0
USB> lnbs SPL-1.01.nbs 50020000
i got some output at this point, but i cannot remember exactly
???
? 50020000
? 00000000
????
The last line was: start NB image download
My device is SuperCID. SPL 1.09
there's your problem then; you need SPL-1.04.
I suggest you load Hard-SPL and try again...
also, might I heartily recommend that instead you download my MFG pack and use SSPL with 1.01 rather than flash it to your device... or at least use my patched 1.01 (create an NBH)
I get that message whenever I do not type the name of the file correctly, like for example, sp1-1.01.nbs instead of spL-1.01.nbs (the latter being the correct spelling). Just my two cents..
I had 1.09 before, coz I updated with full RUU versions of roms (like 2.06.502.3 cingy or 2.05.255.1 HTC), and I had no problem to downgrade to 1.01 MFG and now to 1.01 oli... I also used mtty, device was supercid, used commands was
USB>task 32
Level = 0
USB> lnbs SPL-1.01.nbs 50020000
USB> task 8
If I remember correctly, task 8 automatically SW reset herm... maybe I am lucky one?
take a look at your mtty icon. Does it say MFC or does it look like a serial connector. If it says MFC then you have the wrong version of mtty.
my guess: it says "MFC"
Thanks for all your answers. At the moment I'm at work and cannot try your suggestions.
But i have some further questions:
>olipro: there's your problem then; you need SPL-1.04.
According to the wiki:
"This is a very special bootloader which can be flashed in any bootloader version BUT to flash it your Hermes must be SuperCID first..."
...can be flashed in any bootloader... what does this mean? I thought I can flash it from 1.09. sinmae was able to do it. (or did I miss something)
>crazyut: wrong file name
I checked this several times. I typed the right name, but I do not know what's the working directory of mtty. I put the nb-file in the same directory as mtty and started mtty from a dos-prompt. so this should be ok.
>Sleuth255: wrong version of mtty
i tried to investigate this yesterday. somebody said he has version 1.11a. i have version 0.01. it says MFS. so this should be the problem. but this is the version from the wiki:
http://wiki.xda-developers.com/index.php?pagename=Hermes_BootLoader
http://wiki.xda-developers.com/uploads/mtty.exe
where can i get the right version? (at google i found mttty (3 t))
Thank
Andreas
Use the mtty.exe included in this pack, mtty and nbs file in the same dir.

Mtty command

Does anyone know the mtty commands for Atom Exec\Orsio N725 or RoverPC G5?
Phone is connected to PC by RS-232, standard commands do not work
PS sorry for my english
Sorry, just want to understand further, why are you using a serial cable (RS-232) to connect to your PC. is your phone hung at bootloader mode?
Winterice said:
Does anyone know the mtty commands for Atom Exec\Orsio N725 or RoverPC G5?
Phone is connected to PC by RS-232, standard commands do not work
PS sorry for my english
mtty is made for HTC devices. Atom is made by Quanta. I've been looking for the same tool myself. have you tried putty? If I'm not mistaken, you are trying to reformat the DOC? or upgrade the device thru mtty?
I have looked into the things we can upgrade from SDCARD flashing, and DOC.IMG is one of the option. I think this will change the format of DOC. One way to get a copy of this DOC.IMG is to dump the ROM thru SDCard using buzz romdumper64.
Please let me know of your developments.
Phone is in bootloader, I am trying to dump the ROM. If I plug the phone in with USB, mtty doesn't see the phone. If I use command 'r' the phone writes the message Format DOC.OK
Sorry for my English.
These are experiments with MTTY.
These experiments are to copy the ROM to the SD card or a file.
I'm running MTTY.
Connecting the PC and the Rover G5 (Atom Exec/Orsio N725), using a serial cable (RS-232).
Run bootloader mode.
On the PC screen :
-----------------
*******Beginning System Initialization*******
Run Mode = 104 MHz
Turbo Mode = Run Mode
MemClk = 104 MHz
Bus Mode = NORMAL
SDCLK[1] = MemClk (SDRAM Clk)
SDCLK[0] = MemClk/2 (Sync. FLASH Clk)
Mode = RUN
Boot FLASH in Asynchronous mode
******************************************************
OEMInitDebugSerial using STUART888
Microsoft Windows CE Ethernet Bootloader built Jun 13 2006 20:41:44
Copyright © 2006 Microsoft Corporation
Portions copyright © 2006 Intel Corporation
Original MSC0 12801282
New MSC0 12807FF2
New MDREFR = 0x11E018
New SXCNFG 40044004
Flash type L18
main:InitDisplay()
InitLCDCtrl..
ClearFrameBuffer..0xA6000480
+Check LCM ID:
==PreBL_Ver = 0.0.0
==2nd_BL_Ver = 0.0.0
Ethernet Boot Loader Configuration:
0) IP address: 0.0.0.0
1) Subnet mask: 0.0.0.0
2) # bootme's: 0
3) Boot delay: 0 seconds
4) DHCP: Disabled
5) Reset to factory default configuration
6) Launch existing flash resident image at startup
7) Program RAM image into FLASH (Disabled)
8 ) Program SMSC MAC address
9) Boot device order: SMSC -> PCMCIA S0 -> PCMCIA S1
D) Download image now
E) Erase flash image
L) Launch existing flash resident image now
U) Download os image now (USB1.1)
O) Overwrite eboot image now (USB1.1)
H) Jump to DM
I) Sim Lock
------------------
But ...
There are undocumented commands.
If I press "R", a message appears on the screen
Formating DOC.
OK
So there are undocumented commands
We are interested in other commands
It would help us if we get hold of Service Manual.
Winterice said:
Phone is in bootloader, I am trying to dump the ROM. If I plug the phone in with USB, mtty doesn't see the phone. If I use command 'r' the phone writes the message Format DOC.OK
Have you tried buzz grab_it ROM dumper? it worked perfectly well with the Atom. It dumped everything to SD Card. You just have to break it apart and identify the sections.
For the Atom:
diskimg.nb0
eboot.nb0
dm.nb0
flash.img
agent.mot
mot.mot
cpld.img
assetinf.img
extended.img
MDOC.img
what particularly interest me is MDOC.img because I believe we can change DOC format with this.
our device has 192 MB ROM, I or Alex_beda will try this dumper today
This dumper is not working.
Message on the screen "cannot create file!"
Using the miniSD 2 GB Kingmax
Maybe I need to use a miniSD smaller than 1 GB?
Or use any other dumper?
alex_beda said:
This dumper is not working.
Message on the screen: "cannot create file!"
I am using a 2 GB Kingmax miniSD.
Maybe I need to use a miniSD smaller than 1 GB?
Or use another dumper?
You have to modify the name of the SD card. It is named "memory card" on your device. The program looks for "Storage Card". Search for this value using a registry editor.
"Folder"="\Storage\Card"
jiggs said:
You have to modify the name of the SD card. It is named "memory card" on your device. The program looks for "Storage Card". Search for this value using a registry editor.
"Folder"="\Storage\Card"
Thank you!
I'm downloading the dump to the miniSD card.
But...
Problem.
The dump size is 128 MB maximum.
The ROM size in my device is 192 MB.
How do I download the full size (192 MB)?
alex_beda said:
Thank you!
I'm downloading the dump to the miniSD card.
But...
Problem.
The dump size is 128 MB maximum.
The ROM size in my device is 192 MB.
How do I download the full size (192 MB)?
Your ROM chip size is 192 MB, BUT I think your ROM system size is only 64 MB, same as the ATOM. The rest is only persistent storage, the extended partition, and the checksum partition.
To verify, you can pdocread the memory layout of your device. Don't forget to install the RAPI before pdocread; otherwise, it will not work.
My ELF's MAC address may be lost.
Every time my ELF restarts,
a document named HTCExcpthLog_mmdd_hhmmss.txt is created on the SD card at \storage card\HtcLog\
mmdd_hhmmss is the restart time.

General Source code up - Stock ROM up - Time to find root

We got Nokia 5.4 source code and firmware up. I have been looking deep into the source code for any tricks before building it.
However we have boot.img now and I think we should get magisk support here.
As expected, we have these results:
Code:
cp: can't preserve ownership of 'busybox': Operation not permitted
cp: can't preserve ownership of 'magisk32': Operation not permitted
cp: can't preserve ownership of 'magisk64': Operation not permitted
cp: can't preserve ownership of 'magiskboot': Operation not permitted
cp: can't preserve ownership of 'magiskinit': Operation not permitted
Found a way into adb sideloading!! which is good since this device almost has no recovery mode after last OTA. Time to sue HMD ?
Where the fk is EDL mode ?
All we need now is a way to change active slot from B to A
Or nvm I think I found a way to bypass downgrading permission. Will update soon
Currently stuck with Incremental OTA payload.bin
Need to extract it so I can edit things like dm verity, vbmeta, boot.img
This will probably be the end of the trick for the device. At least manually, for root access and further unlock chances
(this is the easy way)
I might try to use the full ota and see if I can bypass this weird adb sideload with this
tools/releasetools/ota_from_target_files.py - platform/build - Git at Google
I know this probably still is WIP, but if I may ask, how did you flash the payload.bin file? And for adb sideload you can do
Code:
adb reboot sideload
Then the device will reboot into sideload mode. After that you can just do
Code:
adb sideload <Path to file.zip>
and the ota will be flashed.
thegamingcat13 said:
I know this probably still is WIP, but if I may ask, how did you flash the payload.bin file? And for adb sideload you can do
Code:
adb reboot sideload
Then the device will reboot into sideload mode. After that you can just do
Code:
adb sideload <Path to file.zip>
and the ota will be flashed.
Already done. But we don't have downgrade permissions and we only have older OTA updates so it won't let me flash. I will have to build an official OTA rooted, with disabled verification, and fake version update to bypass.. probably everything.
And you can't flash payload.bin? I have been gathering as much information and experimenting a little since this is my very first time in the Android development community. And everything seems ready now and should work as intended cuz no place for theories here. First we had the whole source code and OTA. Now we have root access and verification methods. Development starts tomorrow. I will be slow cuz I'm still learning and I'm a lazy college student
Alpha_Radke said:
And you can't flash payload.bin? I have been gathering as much information and experimenting a little since this is my very first time in the Android development community. And everything seems ready now and should work as intended cuz no place for theories here. First we had the whole source code and OTA. Now we have root access and verification methods. Development starts tomorrow. I will be slow cuz I'm still learning and I'm a lazy college student
Can you help me root nokia 5.4?
Thang150898 said:
Can you help me root nokia 5.4?
I'm working on it
I always want to root the Nokia 5.4 but can't.
@Alpha_Radke I am not an expert on these things, except I have a Nokia 5.4 + Linux knowledge and am willing to test things.
Edit: I see in your other post you uploaded the full ota.zip (1.7 GB); however, I don't see how this could work with sideload (e.g. if you replace boot.img with a Magisk-patched version), as the cert inside would need to match the cert in /system/etc/security/otacerts.zip on the device afaik? https://boundarydevices.com/android-security-part-2-ota-updates/ explains that usually the OTA signature is verified twice (once while the OS is booted, then again inside recovery). I think we will need some signature bypass in sideload mode.
The pubkey inside your payload.bin from the other post is here, if we want to use sideload I think we need the private key corresponding to this (which is protected by HMD on their build servers), so it seems options are:
- leak/compromise hmd to steal the ota private key
- find signature bypass inside sideload (if this sideload is coded by HMD there is honestly a good chance)
- ignore sideload situation and try something else
The payload.bin you posted is a differential OTA; the boot.img inside (and actually all the files) is a bsdiff2 file (it's only 241 bytes). I extracted it using https://github.com/vm03/payload_dumper and just modified it to not sys.exit on SOURCE_COPY. I think if you want to extract boot.img for Magisk patching we would either need all OTA parts or a full OTA payload.
Files inside payload.bin:
Code:
$ for i in $(ls output); do echo -n $i,; xxd output/$i |grep BSDF; done
abl.img,00001000: 4253 4446 3202 0202 2700 0000 0000 0000 BSDF2...'.......
bluetooth.img,0000b000: 4253 4446 3202 0202 1b00 0000 0000 0000 BSDF2...........
boot.img,00000000: 4253 4446 3202 0202 1800 0000 0000 0000 BSDF2...........
devcfg.img,00001000: 4253 4446 3202 0202 7900 0000 0000 0000 BSDF2...y.......
dsp.img,featenabler.img,00002000: 4253 4446 3202 0202 6400 0000 0000 0000 BSDF2...d.......
hyp.img,00001000: 4253 4446 3202 0202 1800 0000 0000 0000 BSDF2...........
imagefv.img,00001000: 4253 4446 3202 0202 1800 0000 0000 0000 BSDF2...........
keymaster.img,00001000: 4253 4446 3202 0202 bb00 0000 0000 0000 BSDF2...........
modem.img,0000f000: 4253 4446 3202 0202 d6c8 0100 0000 0000 BSDF2...........
qupfw.img,00002000: 4253 4446 3202 0202 4e00 0000 0000 0000 BSDF2...N.......
rpm.img,00001000: 4253 4446 3202 0202 8000 0000 0000 0000 BSDF2...........
tz.img,00002000: 4253 4446 3202 0202 2f00 0000 0000 0000 BSDF2.../.......
uefisecapp.img,00001000: 4253 4446 3202 0202 8501 0000 0000 0000 BSDF2...........
vbmeta.img,00000000: 4253 4446 3202 0202 1900 0000 0000 0000 BSDF2...........
xbl_config.img,00001000: 4253 4446 3202 0202 4900 0000 0000 0000 BSDF2...I.......
xbl.img,00001000: 4253 4446 3202 0202 8200 0000 0000 0000 BSDF2...........
Another thing to note is that if you boot the Nokia 5.4 into sideload mode, after 5 minutes it will time out and drop you into Android Recovery mode. Sadly it looks quite limited, with only reboot, enter fastboot or poweroff. When I went to fastboot mode it was not reachable via the fastboot command from the SDK, so I assume either a proprietary driver is needed (like Odin) or something else.
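The BSDF2 headers in the xxd listing in the post above can be checked programmatically. This Python sketch is an added example, not code from the thread or from payload_dumper: it scans an extracted partition file for a BSDF2 patch header at any offset and tells it apart from a full boot or vbmeta image. The sample bytes are constructed (only the first 16 bytes of each patch header come from the listing), and the compressor-id mapping is an assumption based on Android's bsdiff.

```python
import struct

MAGIC = b"BSDF2"
# Compressor ids: mapping assumed from Android's bsdiff sources.
COMPRESSORS = {0: "none", 1: "bz2", 2: "brotli"}
# Magics that mark a full image rather than a patch.
FULL_IMAGE_MAGICS = {b"ANDROID!": "boot image", b"AVB0": "vbmeta image"}

def offtin(buf):
    """Decode bsdiff's 8-byte little-endian sign-magnitude integer."""
    raw = struct.unpack("<Q", buf)[0]
    magnitude = raw & 0x7FFFFFFFFFFFFFFF
    return -magnitude if raw >> 63 else magnitude

def find_bsdf2(data):
    """Return one dict per plausible BSDF2 header found anywhere in data."""
    hits, pos = [], data.find(MAGIC)
    while pos != -1:
        hdr = data[pos:pos + 32]  # magic(5) + compressor ids(3) + 3 x int64
        if len(hdr) == 32 and all(t in COMPRESSORS for t in hdr[5:8]):
            ctrl_len, diff_len, new_size = (offtin(hdr[i:i + 8]) for i in (8, 16, 24))
            if min(ctrl_len, diff_len, new_size) >= 0:  # negative: not a header
                hits.append({"offset": pos, "ctrl_len": ctrl_len,
                             "diff_len": diff_len, "new_size": new_size,
                             "compressors": [COMPRESSORS[t] for t in hdr[5:8]]})
        pos = data.find(MAGIC, pos + 1)
    return hits

def classify(data):
    """Label an extracted partition file: full image, bsdiff patch, or unknown."""
    for magic, name in FULL_IMAGE_MAGICS.items():
        if data.startswith(magic):
            return name
    return "bsdiff patch" if find_bsdf2(data) else "unknown"

# Constructed samples. Only the first 16 bytes of each patch header are taken
# from the xxd listing; the lengths after that and all padding are made up.
SAMPLE_BOOT = (bytes.fromhex("42534446320202021800000000000000")
               + struct.pack("<QQ", 0, 0x6000000) + b"\x00" * 209)  # 241 bytes
SAMPLE_ABL = (b"\x00" * 0x1000 + bytes.fromhex("42534446320202022700000000000000")
              + struct.pack("<QQ", 0, 0x200000))
SAMPLE_FULL = b"ANDROID!" + b"\x00" * 4088

if __name__ == "__main__":
    for name, blob in (("boot.img", SAMPLE_BOOT), ("abl.img", SAMPLE_ABL),
                       ("full boot.img", SAMPLE_FULL)):
        print(name, classify(blob), find_bsdf2(blob))
```

A file classified as a bsdiff patch cannot be fed to an image patcher directly; it first has to be applied to the matching source partition image.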
Yo Peeps just ordered this phone, does this help? https://www.techmesto.com/download-hmd-devicekit-tool-for-nokia-devices-flash-reset-etc/ 5.4 posted as supported
Jgjd691995 said:
Yo Peeps just ordered this phone, does this help? https://www.techmesto.com/download-hmd-devicekit-tool-for-nokia-devices-flash-reset-etc/ 5.4 posted as supported
I don't think it will since no one has a working username and password to login. Without that we can do nothing with the tool because we won't get beyond the login screen
@Alpha_Radke is this project dead?
Hi, any update about rooting the Nokia 5.4? Is this project dead?
Interested to know if there's been any progress into this phone as well. Anyone still trying this?
Hi, any progress?
