[TUTORIAL+UTIL] How To Cook New Windows® Phone for Toshiba TG01 [Update: 14/03/2011] - TG01 Windows Phone 7 Development

Hello everyone.
With the development of the new ROM, I decided to describe this and that:
- How to prepare files and packages.
- How to create stable SYS and OEM.
- XIP porting (kernel) - if it succeeds.
- Build/mod. the BLDR/BOOT section
- Change PagePool
- Etc.
Small introduction:
This thread shows the structure of unpacking and repacking a ROM.
Everything described here you do at your own risk.
I am not responsible for any damage to the device.
Please read carefully and proceed with caution.
This topic applies only to Toshiba Tsunagi devices: TG01
Execute Image System:
This step of the tutorial will be developed further.
At some point I'll add this feature to my kitchen.
Add OEM Apps:
OEM - This package is derived from a *.cab file.
It must include:
- The *.dsm, with the GUID as the value of its name,
- The *.rgu with the same value in its name; it must be in Unicode encoding.
The last line of the text content must also be left empty.
- The application: *.exe, *.dll, or library
- A shortcut to the program / library - if it is needed. It is not mandatory.
- The content may be more developed (in the files / programs)
Such a package can easily be added to the root of the OEM folder,
if, of course, it is properly structured.
Dependence of the application on the device memory:
How can you tell which memory your application / library will land in?
This is determined by the rule:
- Module - that is, a file that looks like a directory - goes to RAM.
- File - a normal-looking *.exe or *.dll file - goes to Storage memory
Porting XIP (Kernel) and inserting this file into the Image System:
[TUT][UTIL]Remote Porting XIP
Works well in my kitchen for Toshiba TG01
XPR to LZX Compression:
Open the file os.nb.payload in a hex editor. Find these lines:
Code:
F8 AC 2C 9D E3 D4 2B 4D BD 30 91 6E D8 4F 31 DC ř¬,ťăÔ+M˝0‘nŘO1Ü
01 00 00 00 01 00 00 00 01 00 00 00 34 00 00 00 ............4...
08 00 00 00 00 02 00 00 00 10 00 00 58 50 52 00 ............XPR.
And change them to:
Code:
F8 AC 2C 9D E3 D4 2B 4D BD 30 91 6E D8 4F 31 DC ř¬,ťăÔ+M˝0‘nŘO1Ü
01 00 00 00 01 00 00 00 01 00 00 00 34 00 00 00 ............4...
08 00 00 00 00 02 00 00 00 10 00 00 4C 5A 58 00 ............LZX.
Save this file. Get this library -> cecompr_nt.dll, then put it into the TOOLS folder of your ROM kitchen.
Download cecompr.dll and overwrite it in your XIP. Build the XIP, build the ROM, see the results. Now the Image System takes less memory.
Small Support
Changing the PagePool:
Use PagePool Changer
Porting/building BLDR/BOOT and inserting this file into the Image System:
[UTIL][UPG] buildbldr
Build Image System:
This function is in my Kitchen.
Ultra Kitchen Edition - ROM Builder for Toshiba TG01

Modifications to the SYS Directory
Remove TimeBomb:
Open the *.rgu file in SYS/Shell/ and remove these two keys from the registry:
Code:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Shell\DeviceBeta]
"Today"="Beta"
"Expiry"="Expires: %02d/%02d/%04d"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Shell\DeviceBeta]
"About"="- BETA"
Now go to SYS/Shell/ and open the file S000 from the module shell32.exe in a hex editor.
Search for the string 02 EB 7D 3E, and in both instances change 7D to BB.
from:
Code:
02 EB 7D 3E
to:
Code:
02 EB BB 3E
Remember, this sequence occurs twice.
Thanks to Camelio
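The XPR to LZX step above edits the IMGFS header by hand in a hex editor. As an added example (my code, not Nokser's or his kitchen's), the Python below locates that header by the 16-byte GUID shown in the dump, reads the compression tag 44 bytes into the header, patches it to LZX only when it really reads XPR, and confirms that nothing else in the image changed. The sample payload is constructed, and only the GUID and the position of the compression tag are taken from the post; the function names are mine.

```python
# Added example: safe XPR -> LZX patch of the IMGFS header described in the post.
# Only the GUID and the position of the compression tag come from the post's hex dump;
# everything else (function names, the sample payload) is constructed here.

# The 16 bytes that open every IMGFS header (first line of the dump in the post).
IMGFS_GUID = bytes.fromhex("F8AC2C9DE3D42B4DBD30916ED84F31DC")
# GUID (16 bytes) + seven 32-bit fields (28 bytes) = offset of the 4-byte compression tag.
COMPRESSION_TAG_OFFSET = 16 + 7 * 4
XPR_TAG = b"XPR\x00"
LZX_TAG = b"LZX\x00"


def find_imgfs_header(payload: bytes) -> int:
    """Offset of the IMGFS GUID inside os.nb.payload, or -1 if there is none."""
    return payload.find(IMGFS_GUID)


def imgfs_compression(payload: bytes) -> str:
    """Compression algorithm the IMGFS header declares ('XPR' or 'LZX')."""
    off = find_imgfs_header(payload)
    if off < 0:
        raise ValueError("no IMGFS header found in payload")
    start = off + COMPRESSION_TAG_OFFSET
    return payload[start:start + 4].rstrip(b"\x00").decode("ascii")


def patch_xpr_to_lzx(payload: bytes) -> bytes:
    """Return a copy of payload with the compression tag changed from XPR to LZX.

    The original is never modified in place, and the patch is refused unless the
    tag currently reads exactly XPR, so an already-converted (or unknown) image
    is reported instead of being silently corrupted.
    """
    off = find_imgfs_header(payload)
    if off < 0:
        raise ValueError("no IMGFS header found in payload")
    start = off + COMPRESSION_TAG_OFFSET
    current = payload[start:start + 4]
    if current != XPR_TAG:
        raise ValueError(f"compression tag is {current!r}, not XPR; refusing to patch")
    return payload[:start] + LZX_TAG + payload[start + 4:]


def changed_offsets(before: bytes, after: bytes) -> list:
    """Offsets at which two same-length images differ (proves the patch touched only the tag)."""
    if len(before) != len(after):
        raise ValueError("images differ in length")
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]


def build_sample_payload() -> bytes:
    """Constructed stand-in for os.nb.payload: 0x200 bytes of filler, then the header
    exactly as the post's 'find these lines' dump shows it, then more filler."""
    header = bytes.fromhex(
        "F8AC2C9DE3D42B4DBD30916ED84F31DC"   # IMGFS GUID
        "01000000010000000100000034000000"   # four 32-bit fields (values from the dump)
        "08000000000200000010000058505200"   # three more fields, then "XPR\0"
    )
    return b"\x00" * 0x200 + header + b"\x00" * 0x200


if __name__ == "__main__":
    original = build_sample_payload()
    print("before:", imgfs_compression(original))   # XPR
    patched = patch_xpr_to_lzx(original)
    print("after: ", imgfs_compression(patched))    # LZX
    print("bytes changed at:", [hex(o) for o in changed_offsets(original, patched)])
```

Run it against a real os.nb.payload by reading the file into `payload` and writing the result of `patch_xpr_to_lzx` to a new file; the refusal path is what stops a second run from corrupting an already-converted image.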

Good idea, maybe I'll try to understand something and build an Italian version too, even if we are quite lucky with our TG01 'cause it's not branded at all.
Thanks for your great job with development

Hey Nokser, do you create WM6.1 ROMs for the TG01?

Nokser, can you write a Polish version too?
Here or in the pdaclub forum, but I want to understand everything, so it's simpler in our language
Thanks for your job

Yes, of course

When will you make this tutorial? Or can you write the tutorial for stable OEMs now? I want to make a ROM but I can't create a stable OEM, or an OEM that works... or can you tell me how I must put the OEM in.
Greets ALcAtRas

I'll give all my work to this, but first I must port WM6.5.5

Nokser, could we use the information you have gained about our device to port Android?

Wm first, then we'll see Android

Nokser said:
Wm first, then we'll see Android
You think that is possible? There are a lot of people who want that.

Everything is possible, but we shall see

Is this guide close to completion or has this been forgotten about?

I haven't forgotten.... I must generate all the options of the ROM build structure

Nokser said:
I haven't forgotten.... I must generate all the options of the ROM build structure
Many of us are waiting for your light...

I know, my friend

Small Update Thread

Nokser said:
Small Update Thread
Very good: I'm waiting for the next update impatiently. Do you know a good general tutorial, not device specific?

super_sonic said:
Very good: I'm waiting for the next update impatiently. Do you know a good general tutorial, not device specific?
You'll see ... if I finish this tutorial

@Nokser: Can you help us to unlock the T01A? It is like the TG01 but it doesn't have a code for unlocking.
Please...


(ROM Release)WM 6.5.1 23506 on Acer F1

Release soon. Have a look here
http://www.youtube.com/watch?v=-BafG8GS_TI
---------------------------------------------------------------------------------------
How to dump/backup original ROM
Microsoft Windows [Version 6.1.7100]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
E:\PocketPC\ROMs\its>pdocread -l
Copying E:\PocketPC\ROMs\its\itsutils.dll to WCE:\windows\itsutils.dll
410.75M (0x19ac0000) DSK1:
| 1.62M (0x19f000) Part00
| 3.25M (0x340000) Part01
| 90.63M (0x5aa0000) Part02
| 315.25M (0x13b40000) Part03
7.61G (0x1e6e00000) DSK2:
| 7.60G (0x1e6a00000) Part00
STRG handles:
handle cd904882 7.60G (0x1e6a00000)
handle 4f634f6e 315.25M (0x13b40000)
handle 2f6aeea6 90.63M (0x5aa0000)
handle 4f6aee82 3.25M (0x340000)
handle 8f6aee3a 1.62M (0x19f000)
disk cd904882
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 4f634f6e
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 2f6aeea6
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 4f6aee82
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 8f6aee3a
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Dump:
pdocread -w -d DSK1: -b 0x800 -p Part00 0 0x19f000 Part00.raw
pdocread -w -d DSK1: -b 0x800 -p Part01 0 0x340000 Part01.raw
pdocread -w -d DSK1: -b 0x800 -p Part02 0 0x5aa0000 Part02.raw - imgfs
pdocread -w -d DSK1: -b 0x800 0x19ac0000 OS.nb
-------------------------------------------------------------------------------------------------------------------------------------------------
dl link
http://rapidshare.com/files/304417770/EUUs_Acer_S200_23506_WWE.7z
Thanks to: Deadman2k, xplode, stark wong, cmonex, fabio and all other friends here
I hope this will be useful
How to flash:
1) Unzip using 7zip.
2) It works on Vista and Windows 7, but I recommend XP Service Pack 2 with .NET CF 2.0 SP2.
3) Important step: After unzipping, look for a text file called version.txt. Edit it as per your device version, and then flash.
4) Follow the instructions and wait for it to finish. Allow the EXT ROM to install, but one can stop it by pressing the camera button.
Known Issues:
SMS Fix.cab is attached as well. Please install it; in the next release I will integrate it into the ext rom.
Please report any others if you face them.
TF3D can be installed externally and the cab is available here on the forum. Please search.
Kitchen info:
I will also release my scripts, so that anyone can cook their own versions. Please bear with me for 2-3 days for that
-------------------------------------------------------------------------------------------------------------------------
Kitchen info:
How to cook your own versions:
I have some scripts from my batch files. Please follow them and make your own kitchen. Please note that one has to use EXTReloc, from deadman2k, for relocation of modules. I also attach the procedure to use EXTReloc.
Code:
@ECHO OFF
REM Build the flat dump of SYS/OEM/ROM with BuildOS (output lands in temp\dump)
TOOLS\BuildOS.exe
pause
ECHO Reloc Modules
REM Relocate the modules of the flat dump with deadman2k's EXTReloc (procedure below)
EXTReloc.exe
pause
copy flash.bin temp\flash.bin
copy xip_out.bin temp\xip.bin
cd temp
REM Split flash.bin into its header and nb0, then split the nb0 into its parts (os.nb)
..\TOOLS\osnbtool -sp flash.bin
..\TOOLS\osnbtool -sp flash.bin.bin.nb0
REM Pull partition 2 (imgfs) out of os.nb and rebuild it from the relocated dump
..\TOOLS\osnbtool -d flash.bin.bin.nb0.os.nb 2 imgfs.bin
..\TOOLS\imgfsfromdump imgfs.bin imgfs-new.bin
REM Put the new imgfs back as partition 2 and the new XIP as partition 1
..\TOOLS\osnbtool -c flash.bin.bin.nb0.os.nb 2 imgfs-new.bin
..\TOOLS\osnbtool -c flash.bin.bin.nb0.os.nb.new 1 xip.bin
REM Re-add the extra data, convert back to a raw bin and glue the original header on the front
..\TOOLS\osnbtool -extra flash.bin.bin.nb0.os.nb.new.new
..\TOOLS\osnbtool -2bin flash.bin.bin.nb0.os.nb.new.new.exa 0x00121200 -cutheader
copy /b /y flash.bin.header+flash.bin.bin.nb0.os.nb.new.new.exa.bin flash_new.bin
pause
How to use EXTReloc
Hello. First, in some folder with EXTReloc, XIPPort and xip bit, make an old kitchen-style layout:
\oem
\rom
\rom\xip <--- place a flat XIP dump in this folder; you can dump it through dumprom. It is needed only for building the registry.
\sys
Start PackageTools/BuildOS from ervious and make a flat dump with it (it creates it in \temp\dump).
Now you need to make a new XIP. Dump the original and donor XIP with XIPPort (press the dump button, then make pkg). For example, in the orig folder you have the original XIP and in the donor folder the donor XIP. Make an out folder and move all files and modules except MSxip* into it, so you get something like this:
\out\romhdr.txt
\out\parthdr.txt
\out\files\OEMXIPKernel\*.* <--- files
\out\modules\OEMXIPKernel\*.* <--- modules
Now move all files and modules from the donor XIP, except OEM, romhdr.txt and parthdr.txt.
After this, press the undo button in XIPPort to get a flat dump of the new XIP.
Now start EXTReloc, go to the settings page, point the imgfs path to \temp\dump and set the appropriate nk.exe type (WM6.1 or WM6.5); all other settings you can leave at their defaults.
Now go to the work page, press "import xipport" and XIPPort starts. Press ReallocV in EXTReloc, go to XIPPort and press Realloc P. After this press "write map" in XIPPort, go to EXTReloc and double-click the physlast number, press the "realloc nk.exe gsiir ..." button, go to XIPPort and press Realloc P again. The XIP is ported.
In EXTReloc drag the vertical white line to the left and press realloc imgfs, then close EXTReloc.
In XIPPort press Build xip_out.bin; this is the new XIP.
Use imgfsfromdump to make a new IMGFS from the \temp\dump folder.
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
How to dump/rebuild EXTROM.bin
Once again stark wong has created a wonderful tool to dump and help us create our own ext rom. Attached is the link to the program.
Usage: f1extromtool extrom.bin -> dumps the cabs and other files
f1extromtool /b extrom.bin [your version] -> builds the extrom.bin with the files in the extrom folder which you dumped recently
How to add/replace cab file names for customisation
- After dumping EXTROM.bin, open the folder and look for the file "CABPIACB.pil"
- Open it in a hex editor and change the names by editing it. Save the file. Make a backup of the original CABPIACB.pil in case it is needed for making the original EXTROM.bin
dl link: http://www.studiokuma.com/tools/?section=misc-e
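The "How to dump/backup original ROM" section above reads the partition sizes off `pdocread -l` by hand and types them into the dump commands. As an added example (my code, not hdubli's scripts), this Python parses a listing in that exact format, checks that each disk's partitions fit inside it, and generates the same `pdocread -w` backup commands; the listing below is constructed from the sizes in the post, and the function names are mine.

```python
import re

# Constructed sample in the exact shape of the `pdocread -l` output in the post (sizes copied from it).
SAMPLE_LISTING = """\
410.75M (0x19ac0000) DSK1:
| 1.62M (0x19f000) Part00
| 3.25M (0x340000) Part01
| 90.63M (0x5aa0000) Part02
| 315.25M (0x13b40000) Part03
7.61G (0x1e6e00000) DSK2:
| 7.60G (0x1e6a00000) Part00
"""

# "<human size> (0x<hex bytes>) DSKn:"  and  "| <human size> (0x<hex bytes>) PartNN"
DISK_RE = re.compile(r"^\s*[\d.]+[KMG]?\s+\(0x([0-9a-fA-F]+)\)\s+(DSK\d+:)\s*$")
PART_RE = re.compile(r"^\|\s*[\d.]+[KMG]?\s+\(0x([0-9a-fA-F]+)\)\s+(Part\d+)\s*$")


def parse_listing(text: str) -> list:
    """Turn the listing into [{'name': 'DSK1:', 'size': int, 'parts': [{'name', 'size'}, ...]}, ...]."""
    disks = []
    for line in text.splitlines():
        m = DISK_RE.match(line)
        if m:
            disks.append({"name": m.group(2), "size": int(m.group(1), 16), "parts": []})
            continue
        m = PART_RE.match(line)
        if m:
            if not disks:
                raise ValueError(f"partition line before any disk: {line!r}")
            disks[-1]["parts"].append({"name": m.group(2), "size": int(m.group(1), 16)})
        # The STRG handle / disk info lines that follow in the real output are ignored.
    return disks


def check_layout(disk: dict) -> dict:
    """Sanity check before trusting the sizes: the partitions must fit inside the disk.
    'slack' is the number of disk bytes not covered by any partition."""
    used = sum(p["size"] for p in disk["parts"])
    return {"fits": used <= disk["size"], "used": used, "slack": disk["size"] - used}


def dump_commands(disk: dict, sector_size: int = 0x800) -> list:
    """pdocread commands that back up every partition and then the whole disk,
    in the form the post uses for DSK1: (sector size 0x800, offset 0, length = size)."""
    cmds = [
        f"pdocread -w -d {disk['name']} -b {sector_size:#x} -p {p['name']} 0 {p['size']:#x} {p['name']}.raw"
        for p in disk["parts"]
    ]
    cmds.append(f"pdocread -w -d {disk['name']} -b {sector_size:#x} {disk['size']:#x} OS.nb")
    return cmds


if __name__ == "__main__":
    for disk in parse_listing(SAMPLE_LISTING):
        layout = check_layout(disk)
        print(f"{disk['name']} fits={layout['fits']} slack={layout['slack']:#x}")
        for cmd in dump_commands(disk):
            print("  " + cmd)
```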
That's good news. Can't wait to flash. I used to be a TouchPro flashaholic and now I feel sick
ohhhh!
Does Acer allow flashing WWE ROMs on region-specific devices? I have a German ROM so... btw. a German 6.5.1 would be très sexy
Anyhow, looks great, looking forward to enjoying your work!
Great, I can't wait till this comes out. Please keep us informed here
What is the expected release for this?
Woot, nice to know I'll have custom ROMs for my Acer F1 =]. Now you just need to port a Leo ROM with Manila 2.6; it shouldn't be that hard, since the Xperia has Leo ROMs, which is not an HTC-branded phone, just HTC-manufactured. Ask one of the cookers over at Xperia, they should give you an idea, that is if you don't have the knowledge, but from what I've seen, that you have already ported and cooked a ROM for the Acer F1, I bet you do. Anyways good luck mate.
rafyvitto
Looks awesome!!!
Nice to see a custom rom developing so quickly. Good work hdubli.
Looks wicked, congrats hdubli : )
wow....that's great..
thanks for the good work hdubli....
Will you consider releasing a kitchen for the Neo Touch? I want to cook a Chinese version ROM for the Neo Touch.
That means you also have a Hard SPL for the F1??????
Can't wait for the French version
hdubli, you are the man! can't wait. i was hoping this would happen. all we need is good hardware, and the great cookers will take care of the rest!
Damn! I just watched that again (with polarized glasses), and that is just a sweet program. Thanks for all the work. I can't wait to try it out!
I don't know if I can wait to try this out. I'm out of town most of next week, so I hope I have it to play with while I'm gone. If not, it better be ready by the time I get back ;p
Nice work, releasing kitchen would be a good step.
Thank you my friend, can't wait to flash your ROM. Only one question: which version of Manila do you use? Is it 2.1?
tsourisg said:
Thank you my friend, can't wait to flash your ROM. Only one question: which version of Manila do you use? Is it 2.1?
Manila 2.5 is 90% working. Just trying 2.6 if I can.
hdubli said:
Manila 2.5 is 90% working. Just trying 2.6 if I can.
Exciting news hdubli, keep up the good work
hdubli said:
Manila 2.5 is 90% working. Just trying 2.6 if I can.
You are my hero
woa great news!
The current shipping ROMs are not available to reflash if needed, right?
Also, if you are willing to make a German ROM, I could do a ROM dump on mine, if you tell me what to do.
It would be nice if we had original Acer ROMs to flash if needed.
Thanks a lot for your work, will donate 100%!
Very true bommel. Having the original ROM for warranty purposes is pretty important I believe.
From the video, I can see the Acer F1 can run Manila 2.5.
I think your F1 should have OpenGL drivers (ES 1.1? ES 2.0?) for running it.
I have searched many posts, but it seems the F1 with the original ROM doesn't come with the drivers.
Can you give me the drivers?
btw the newer builds would also be great, like 23502.
hdubli, no PayPal account for donations?

X02T bricked, need your help to revive my phone!!!

Yesterday I bricked my phone when trying to flash this beta TSS ROM on my X02T
http://forum.xda-developers.com/showthread.php?t=657694&page=3
So after the failure I tried with other ROMs too, like Mod-TG01TSS01.7z, Mod-TG01TSS02.7z (flash error, says invalid file), TG01TSS01.7z, TG01TSS02.7z (flash error, says invalid file), T01A_to_SP50_wm65.tsd, T01A_to_SP50_wm65-theduyet.enc and TG01WP-WM6.5-Orange-UK (flash error, says invalid file).
I can still use the SD downloader; I can flash "any" ROM with the pin method.
Before I bricked my phone I made a RAW file of my phone and it is here:
http://cid-5bf4bd469b8aef18.skydrive.live.com/browse.aspx/X02T
The txt is here:
------------------------------------------------------------------------------------
9.63M (0x9a0000) DSK1:
| 9.62M (0x99f000) Part00
423.00M (0x1a700000) DSK2:
| 1.62M (0x19f000) Part00
| 3.75M (0x3c0000) Part01
| 159.88M (0x9fe0000) Part02
| 257.75M (0x101c0000) Part03
7.42G (0x1daf80000) DSK3:
| 7.42G (0x1dab80000) Part00
STRG handles:
handle#0 8dda3d4a 7.42G (0x1dab80000)
handle#1 6e1e7b2e 257.75M (0x101c0000)
handle#2 ee1ed89e 159.88M (0x9fe0000)
handle#3 4e1ed87a 3.75M (0x3c0000)
handle#4 4e1ed832 1.62M (0x19f000)
handle#5 ee4ac72e 9.62M (0x99f000)
disk 8dda3d4a
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 6e1e7b2e
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk ee1ed89e
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 4e1ed87a
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 4e1ed832
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk ee4ac72e
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
------------------------------------------------------------------------------------
Please, could someone help me revive my phone!!!
Thanks a lot
Toshiba made a new update for the X02T, a small update I think with SMS; this file is X02T_from_SP00_to_01_000.tis, so it is a TIS file. Maybe this file has the key to revive my phone.
The link is here:
http://toshibamobile.com/cgi-bin/softbank/x02t/update/uprom.cgi?sp=00
or
http://update.toshibamobile.com/update/x02t/sp00/X02T_from_SP00_to_01_000.tis
You flashed TG01TSS01.7z, didn't you?
Your situation is the same as "xandetonetti"'s.
Please try the following Pin method (from Orange in the T01A case).
--------------------------------------------
This Pin method is to short Pin 1 and Pin 2.
And, you push the power button while keeping that state.
Then your T01A screen displays your ROM after five seconds.
--------------------------------------------
Did it work? If not, can you try the next.
We now know that the TSS Encryption Key of X02T is 44460046.
However, the encryption of your device is tsw,
because you flashed a tsw bootloader ROM into your X02T.
You can try the following ROMs.
*Official Orange UK ROM
http://www.toshiba-europe.com/mobile/Images/TG01WP-WM6.5-Orange-UK.zip
[TG01WP_5005000176.tsw → TG01.tsw]
*Official docomo JP ROM (T01A_to_SP50_wm65.tsd is extracted by zip.)
http://update.toshibamobile.com/update/t01a/wm65/T01A_to_SP50_wm65.exe
--------------------------------------------------
tgtool -t01a -sp T01A_to_SP50_wm65.tsd os.nb.payload
tgtool -t01a -mp os.nb.payload T01A_to_SP50_wm65.tsd T01A_to_SP50_wm65.bin
--------------------------------------------------
You can download the TSW TOOLS by cotulla from
this URL (http://cotulla.pp.ru/Misc.html), and
convert bin to tsw with this tool in TG01 mode.
[T01A_to_SP50_wm65.tsw → TG01.enc]
You can flash those ROMs, maybe.
yamadori said:
You flashed TG01TSS01.7z, didn't you?
Your situation is the same as "xandetonetti"'s.
Please try the following Pin method (from Orange in the T01A case).
--------------------------------------------
This Pin method is to short Pin 1 and Pin 2.
And, you push the power button while keeping that state.
Then your T01A screen displays your ROM after five seconds.
--------------------------------------------
Did it work? If not, can you try the next.
Thanks for your quick reply friend. I have 2 news!!
1 - The good news is that shorting Pin 1 and 2 works!!! Phone is alive again, thanks very much friend..
2 - Bad news, on my last try I flashed the T01A ROM, so my phone is DOCOMO now, but in English, and TG01TSS01.7z doesn't flash anymore, it says File is invalid!!!
I un7zipped it and renamed it to TG01.enc, then copied it to the PRG folder (this worked the first time, but doesn't work anymore, maybe because I flashed T01A last)
But I need to short pin 1 and 2 every time I reset, right? So how can I put the SIM card in without removing the battery and shorting pins 1 and 2?
I was finally able to insert the SIM card into the phone after shorting pin 1 and 2, but now WM asks me for a password to unlock my SIM? Have you any idea what this is? Or any way to flash TG01TSS01.7z again?
2 - Bad news, on my last try I flashed the T01A ROM, so my phone is DOCOMO now, but in English, and TG01TSS01.7z doesn't flash anymore, it says File is invalid!!!
Is the boot logo of your X02T docomo?
If yes, the encryption of your device is tsd.
You can flash tsd ROMs and cannot flash tss ROMs.
You can try the T01A_to_SP50_wm65-theduyet.tsd ROM (rename it to TG01.enc).
And, is the Pin method necessary for your X02T with both the Docomo and Orange ROMs?
If yes, we cannot do anything, because we only have the bootloaders of the
TG01 and T01A, not of the X02T.
Sorry.
I was finally able to insert the SIM card into the phone after shorting pin 1 and 2, but now WM asks me for a password to unlock my SIM? Have you any idea what this is? Or any way to flash TG01TSS01.7z again?
You must use a SoftBank SIM, or delete SIMUnlockP.exe in the windows folder.
yamadori said:
Is the boot logo of your X02T docomo?
If yes, the encryption of your device is tsd.
You can flash tsd ROMs and cannot flash tss ROMs.
You can try the T01A_to_SP50_wm65-theduyet.tsd ROM (rename it to TG01.enc).
And, is the Pin method necessary for your X02T with both the Docomo and Orange ROMs?
If yes, we cannot do anything, because we only have the bootloaders of the
TG01 and T01A, not of the X02T.
Sorry.
You must use a SoftBank SIM, or delete SIMUnlockP.exe in the windows folder.
Yes, the boot logo is DOCOMO and the T01A ROM works well, but I can only flash ROMs with .tsd; when I try with .enc it says invalid file.
I will try deleting this file to skip the password.
I can't find SIMUnlockP.exe in the windows folder; is there another way to evade the password?
With my Hermes I had a program called "Connection Setup" for easy configuration of the phone; I just chose Japan and Vodafone. Do you know where I can find this program or another like it?
And if my phone now has tsd encryption, why do I still need to short the pins? If I rename the TSS file to tsd can I turn it back to SoftBank?
Thanks very much...
eekthecat said:
I can't find SIMUnlockP.exe in the windows folder; is there another way to evade the password?
With my Hermes I had a program called "Connection Setup" for easy configuration of the phone; I just chose Japan and Vodafone. Do you know where I can find this program or another like it?
And if my phone now has tsd encryption, why do I still need to short the pins? If I rename the TSS file to tsd can I turn it back to SoftBank?
Thanks very much...
It seems that you have flashed an English ROM on the X02T successfully.
Congratulations!
I can't find SIMUnlockP.exe in the windows folder; is there another way to evade the password?
Your X02T can use only a SoftBank SIM, because we have not found
the method of X02T SIM unlock, as well as for the T01A.
And if my phone now has tsd encryption, why do I still need to short the pins? If I rename the TSS file to tsd can I turn it back to SoftBank?
No. The bootloader of the X02T is not the same as the T01A's.
There is no ROM of the X02T bootloader yet. Therefore, the PIN (1&2) method is needed with ROMs of the T01A and TG01 bootloader.
By the way,
I will pass you this ROM, because your device bootloader is docomo.
http://www.mediafire.com/?qmznk0ygzxj
This ROM might be able to use "X02T_from_SP00_to_01_000.tis", or not.
Please enjoy it.
Thanks very much friend, but I think the file is corrupted; I tried downloading 3 times, and get an error when trying to un7zip. Could you upload the ROM again please
Thanks very much friend, but I think the file is corrupted; I tried downloading 3 times, and get an error when trying to un7zip. Could you upload the ROM again please
Please delete the cache and download again.
And please unzip with this tool http://www.7-zip.org/.
I cannot upload it because I can't use broadband today.
yamadori said:
Please delete the cache and download again.
And please unzip with this tool http://www.7-zip.org/.
I cannot upload it because I can't use broadband today.
Cache is deleted; I tried again with IE, Firefox and Free Download Manager, and also used 7zip to unzip, but the file is really corrupted.
Don't worry if you can't upload again today, I will wait. Thanks a lot.
Uploaded again.
http://www.mediafire.com/?rwnm2wzjrnj
yamadori said:
Uploaded again.
http://www.mediafire.com/?rwnm2wzjrnj
Thanks for the upload friend, now it works fine, but I can't flash this ROM. SD Downloader says: File Open Error!!!
I copied it to the prg folder, and tried with .enc and .tsd, but both get the same error.
I can still flash ROMs like "[ROM][ENG] 6.5.5 (23563)+Sense 2.5(2011) v0.012.2 (26/04/10) Radio 5005.1600.05" but my SIM card is SoftBank and I think the ROM radio is another, because I can't connect to SoftBank services.
OBS: I used the Convetion too to convert the TG01 ROM to a T01A ROM
Now I am able to flash your ROM, I just renamed the file to TG01WP_00.tsd; this is with the Docomo boot logo, with my SoftBank Japanese Windows, but I still can't use my SoftBank SIM; Windows reports a SIM error and powers off after seconds.
If I start the phone without my SoftBank SIM, Windows works fine (in Japanese, and with the DOCOMO boot logo) but if I start with the SIM card, Windows reports something about SIMUnlockP and doesn't connect, and after seconds powers off.
If I can only flash ROMs with TSD, is it because my bootloader is Docomo now, right? Does this make my phone only work with DOCOMO SIMs?
Hi eekthecat, I have the same problem as you. I flashed a Chinese ROM to the X02T; with the pin 1 and 2 shorted method I can boot the phone, otherwise the green light sparkles once then off. After the Chinese WM65 started, I inserted the SoftBank SIM card, no signal. I am wondering if you have solved that problem or if you have any idea how to flash back to the official SoftBank ROM so that I can use the SoftBank SIM card as normal? Your prompt reply will be highly appreciated.

[Q] Going to Install custom kernel after modifications to it... what are risks?

Hi
I just changed some stuff like images in a kernel using Android Kernel Kitchen 0.3.1.
Now I wanna test my changes.
My question is ->
What are the worst case scenarios possible?
I am ready for boot loops etc., but are there any consequences that may cause a real hard brick of my phone? (Like ---> it will never start again! or you need to take it to a service center for repair!)?
Jaskaran498 said:
Hi
I just changed some stuff like images in a kernel using Android Kernel Kitchen 0.3.1.
Now I wanna test my changes.
My question is ->
What are the worst case scenarios possible?
I am ready for boot loops etc., but are there any consequences that may cause a real hard brick of my phone? (Like ---> it will never start again! or you need to take it to a service center for repair!)?
What you can expect are boot loops, inability to even get to see the boot splash, non-working wifi / USB / touch / camera / anything that needs a driver, random reboots. Personal experience: yesterday I was playing with changing part of the initramfs without changing the whole boot.img. It turns out that I needed to update the header size and checksum. Without this, it would hang for some seconds and then reboot (or not start at all). This was all fixable from recovery.
What can happen if you are not careful is a brick because you flash the wrong partition. Otherwise, you can always enter recovery mode and flash the kernel (for the i9300, it is mmcblk0p5). If you are not sure, look for the magic ANDROID! header:
Code:
# dd bs=64 count=1 if=/dev/block/mmcblk0p5 2>/dev/null | hexdump -C
00000000 41 4e 44 52 4f 49 44 21 80 bc 44 00 00 80 00 40 |ANDROID!..D....@|
00000010 2e 1e 05 00 00 00 00 41 00 00 00 00 00 00 f0 40 |.......A.......@|
00000020 00 01 00 40 00 08 00 00 00 00 00 00 00 00 00 00 |...@............|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000040
So, the absolute worst-case scenario is when you accidentally flash the wrong partition. If you picked your EFS partition and do not have a backup, then your IMEI and stuff are gone.
Note: be sure not to wipe your recovery partition (mmcblk0p6); that requires you to restore the recovery using download mode (I have not experienced this yet).
Lekensteyn said:
What you can expect are boot loops, inability to even get to see the boot splash, non-working wifi / USB / touch / camera / anything that needs a driver, random reboots. Personal experience: yesterday I was playing with changing part of the initramfs without changing the whole boot.img. It turns out that I needed to update the header size and checksum. Without this, it would hang for some seconds and then reboot (or not start at all). This was all fixable from recovery.
What can happen if you are not careful is a brick because you flash the wrong partition. Otherwise, you can always enter recovery mode and flash the kernel (for the i9300, it is mmcblk0p5). If you are not sure, look for the magic ANDROID! header:
Code:
# dd bs=64 count=1 if=/dev/block/mmcblk0p5 2>/dev/null | hexdump -C
00000000 41 4e 44 52 4f 49 44 21 80 bc 44 00 00 80 00 40 |ANDROID!..D....@|
00000010 2e 1e 05 00 00 00 00 41 00 00 00 00 00 00 f0 40 |.......A.......@|
00000020 00 01 00 40 00 08 00 00 00 00 00 00 00 00 00 00 |...@............|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000040
So, the absolute worst-case scenario is when you accidentally flash the wrong partition. If you picked your EFS partition and do not have a backup, then your IMEI and stuff are gone.
Note: be sure not to wipe your recovery partition (mmcblk0p6); that requires you to restore the recovery using download mode (I have not experienced this yet).
OK, thanks.
But what do I do if it does not start at all like you said (what I want is that it should at least be able to start in recovery or download if possible).
Since it's my first time messing with the kernel, I am a total n00b then
If it cannot proceed to the "normal" boot, then get into recovery by holding Volume Up + Power + Home for ten seconds while booting (I usually do that when I see the Samsung logo and release when it has restarted, showing the logo again (about ten seconds)).
From there, use Install from zip (if you have a "update zip" that contains boot.img and some metadata) or (what I do) use adb push to put the image in /tmp/. Then use dd to write the boot image. Example (I use Linux):
Code:
laptop$ adb push boot-new.img /tmp/boot.img
laptop$ adb shell
# cat /tmp/boot.img > /dev/block/mmcblk0p5
Just in case of hardware failure, I also verify the md5sum:
Code:
laptop$ md5sum boot-new.img
laptop$ du -b boot-new.img # determine file size, say 1234
(android) # dd if=/dev/block/mmcblk0p5 bs=1234 count=1 | md5sum
The two outputs must match, otherwise something went wrong (unlikely, but still).
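Lekensteyn's two posts above check for the ANDROID! magic before writing to a partition and then compare an md5 of exactly the image's length read back from it. As an added example (my code, not from the thread), the Python below parses the classic boot image header whose first 64 bytes appear in the dump, derives the image length from the header instead of from `du -b`, recomputes the header's SHA-1 id the way mkbootimg does (the checksum that had to be refreshed after swapping the initramfs), and compares a read-back partition with the image. The load addresses come from the dump; the kernel and ramdisk blobs used for the check are constructed.

```python
import hashlib
import struct

# Android boot image header, classic (v0) layout: the 64 bytes dumped in the post
# are the start of this structure. Field order and sizes are the standard ones.
MAGIC = b"ANDROID!"
FIXED_FMT = "<8s10I"                    # magic, kernel/ramdisk/second size+addr, tags_addr, page_size, unused[2]
FIXED_LEN = struct.calcsize(FIXED_FMT)  # 48 bytes
HEADER_LEN = FIXED_LEN + 16 + 512 + 32  # + name, cmdline, id = 608 bytes
ID_OFFSET = FIXED_LEN + 16 + 512        # 576

# The first 64 bytes exactly as `dd bs=64 count=1 ... | hexdump -C` printed them in the post.
POST_DUMP = bytes.fromhex(
    "41 4e 44 52 4f 49 44 21 80 bc 44 00 00 80 00 40"
    "2e 1e 05 00 00 00 00 41 00 00 00 00 00 00 f0 40"
    "00 01 00 40 00 08 00 00 00 00 00 00 00 00 00 00"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
)


def parse_header(data: bytes) -> dict:
    """Decode the header; raises if the ANDROID! magic is missing (wrong partition?)."""
    if len(data) < FIXED_LEN or data[:8] != MAGIC:
        raise ValueError("no ANDROID! magic: this is not a boot image")
    f = struct.unpack_from(FIXED_FMT, data, 0)
    hdr = dict(zip(("kernel_size", "kernel_addr", "ramdisk_size", "ramdisk_addr",
                    "second_size", "second_addr", "tags_addr", "page_size"), f[1:9]))
    # The 32-byte id is only present when the caller read the full 608-byte header.
    hdr["id"] = data[ID_OFFSET:ID_OFFSET + 32] if len(data) >= HEADER_LEN else None
    return hdr


def _pages(n: int, page: int) -> int:
    return (n + page - 1) // page


def image_size(hdr: dict) -> int:
    """Bytes the image occupies: one header page plus each section padded to a page."""
    p = hdr["page_size"]
    return p * (1 + _pages(hdr["kernel_size"], p) + _pages(hdr["ramdisk_size"], p)
                + _pages(hdr["second_size"], p))


def sections(image: bytes, hdr: dict) -> dict:
    """Slice the kernel, ramdisk and second-stage blobs out of a complete image."""
    p, off, out = hdr["page_size"], hdr["page_size"], {}
    for key in ("kernel", "ramdisk", "second"):
        n = hdr[key + "_size"]
        out[key] = image[off:off + n]
        off += _pages(n, p) * p
    return out


def compute_id(kernel: bytes, ramdisk: bytes, second: bytes) -> bytes:
    """The header 'id' as mkbootimg computes it: SHA-1 over each blob followed by its
    little-endian length, zero-padded to 32 bytes. This is the checksum that has to be
    refreshed when the ramdisk is swapped without rebuilding the whole image."""
    h = hashlib.sha1()
    for blob in (kernel, ramdisk, second):
        h.update(blob)
        h.update(struct.pack("<I", len(blob)))
    return h.digest().ljust(32, b"\x00")


def make_boot_img(kernel: bytes, ramdisk: bytes, second: bytes = b"", page: int = 2048) -> bytes:
    """Constructed mkbootimg-style builder; load addresses copied from the post's dump."""
    def pad(b: bytes) -> bytes:
        return b + b"\x00" * (-len(b) % page)
    hdr = struct.pack(FIXED_FMT, MAGIC, len(kernel), 0x40008000, len(ramdisk), 0x41000000,
                      len(second), 0x40F00000, 0x40000100, page, 0, 0)
    hdr += b"\x00" * 16 + b"\x00" * 512 + compute_id(kernel, ramdisk, second)  # empty name/cmdline
    return pad(hdr) + pad(kernel) + pad(ramdisk) + pad(second)


def check_image(image: bytes) -> dict:
    """Header sanity plus checksum: 'id_ok' is False when a section was edited
    without updating the id (the hang-then-reboot case described in the thread)."""
    hdr = parse_header(image)
    size = image_size(hdr)
    if len(image) < size:
        raise ValueError(f"image truncated: header implies {size} bytes, have {len(image)}")
    s = sections(image, hdr)
    return {"size": size, "id_ok": compute_id(s["kernel"], s["ramdisk"], s["second"]) == hdr["id"]}


def partition_matches_image(partition: bytes, image: bytes) -> bool:
    """Same idea as the post's `dd bs=<file size> count=1 | md5sum` after flashing, but the
    byte count is derived from the header, so trailing partition padding is ignored."""
    n = image_size(parse_header(image))
    return hashlib.sha256(partition[:n]).digest() == hashlib.sha256(image[:n]).digest()
```

On a device, `partition` is what `dd if=/dev/block/mmcblk0p5` returns and `image` is the boot.img you pushed; `check_image` on the pushed file before flashing catches the stale-id case Lekensteyn hit.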
Lekensteyn said:
If it cannot proceed to the "normal" boot, then get into recovery by holding Volume Up + Power + Home for ten seconds while booting (I usually do that when I see the Samsung logo and release when it has restarted, showing the logo again (about ten seconds)).
From there, use Install from zip (if you have a "update zip" that contains boot.img and some metadata) or (what I do) use adb push to put the image in /tmp/. Then use dd to write the boot image. Example (I use Linux):
Code:
laptop$ adb push boot-new.img /tmp/boot.img
laptop$ adb shell
# cat /tmp/boot.img > /dev/block/mmcblk0p5
Just in case of hardware failure, I also verify the md5sum:
Code:
laptop$ md5sum boot-new.img
laptop$ du -b boot-new.img # determine file size, say 1234
(android) # dd if=/dev/block/mmcblk0p5 bs=1234 count=1 | md5sum
The two outputs must match, otherwise something went wrong (unlikely, but still).
I know all this but what I'm saying is: can there be conditions where I will be able to boot neither recovery nor download (even by the volume+power+home method)?
Unless you do really stupid things like overwriting /dev/block/mmcblk0 or other partitions on http://cleanimport.xda/index.php?threads/2362743/, you will be safe.
Jaskaran498 said:
I know all this but what I'm saying is: can there be conditions where I will be able to boot neither recovery nor download (even by the volume+power+home method)?
Recovery has its own kernel. It doesn't use the one you're modifying
-----------------------
Sent via tapatalk.
I do NOT reply to support queries over PM. Please keep support queries to the Q&A section, so that others may benefit

If we are serious about unlocking the bootloader

Scroll down for recent updates;
Has anyone ever heard more from h311sdr0id about his post (see here) to get more info about this "state" that allows you to flash MDK over ME7 in Odin? I'm curious to see if we can use that state, maybe in QDL mode, to somehow either push an image to the phone or communicate with it using some of the methods/commands that E:V:A refers to on this page and a few pages before and after. It's also possible that we might then be able to use a modified unbrick.img (see here) to restore an MDK bootloader. So far those are the two ideas that I think have the best chance.
Also, in this thread I started with the intention of compiling the entire stock firmware for the Dev edition (OYUAMDK), I mentioned at the bottom that when flashing the stock MDK restore Odin tar on an ME7 phone, users usually get a "SW REV. CHECK FAIL: FUSED: 3, Binary: 1" message, meaning that your current fuse counter in aboot is set to 3 but the binary you're attempting to flash is set to 1, so the flashing attempt will fail. I'm willing to bet that if you're on VRUDMI1 and you attempt to flash the MDK restore you will get a similar message, but the FUSED: value will be set to 4; you can see the counter upped in this post from jeboo here. However, when flashing the dev OYUAMDK aboot file on S4s with an ME7 bootloader, users will receive a "SECURE CHECK FAIL: aboot" message instead. I don't know if we might be able to use the dev OYUAMDK aboot file and bypass the fused counter entirely, since the dev edition has an unlocked bootloader and the fuse is an efuse, so software enforced, not a hardware enforced qfuse. If anyone wants to go into more detail or expand on these ideas, I can expand on this info or we can collaborate in the Dev discussion thread.
Other points to consider:
If you know how to use IDA Pro and can help with the base address of the binaries, that is probably our best bet to find a vulnerability in aboot. You can see jeboo and djrbliss discuss this a bit (here) and you can see Ralekdev show his findings here; this also gives the explanation of why you see the "custom unlock" boot screen that people constantly post about in the Q&A thread. Both of these threads, along with djrbliss' blog discussing the S4 aboot vulnerability that led to Loki (here) and exploiting the TrustZone (tz.mbn) on Moto's bootloaders (here), are good starting points in trying to find a new vulnerability.
If you know how to hexedit, then hexedit aboot.mbn from MDK, ME7, OYUAMDK, and MI1. You can see ME7 and MI1 are similar in both size and content, while MDK and OYUAMDK are more similar to each other in size and content. Obviously OYUAMDK differs from the others in the way it checks the recovery and boot partitions, (in djrbliss' blog on the S4 exploit he says "This bootloader differs between "locked" and "unlocked" variants of the Galaxy S4 in its enforcement of signature checks on the boot and recovery partitions.") but we are able to flash all bootloader partitions from the OYUAMDK firmware restore Odin file I made except aboot, so if you have any ideas on how we might be able to exploit any of that, please feel free to share.
If you do hexedit a dd'ed partition (if you copy mmcblk0p6 from your phone to your PC) you will see that it's padded with zeroes at the end. You have to cut the padded zeros from the dd'ed image in order for the partition to be registered as a signed partition in Odin, etc. To do this, use Linux, open a terminal and type
Code:
sudo apt-get install hexedit
then enter your password and hit enter. Then go to the folder that contains the partitions you want to hexedit (for instance type "cd /home/Your user name folder/Desktop/S4partitionbackups/", where "Your user name folder" is whatever your username is and "S4partitionbackups" is a folder you create on your desktop containing a backup of your partitions). If you don't have a backup of your partitions you can create them using something like the command below, substituting mmcblk0p6 and aboot.mbn with the partition(s) you are interested in.
Code:
adb shell su -c 'dd if=/dev/block/mmcblk0p6 of=/sdcard/backup/aboot.mbn'
then
Code:
adb pull /sdcard/backup/aboot.mbn /home/Your user name folder/Desktop/S4partitionbackups/
then
Code:
cd /home/Your user name folder/Desktop/S4partitionbackups/
Code:
hexedit aboot.mbn
Quick guide on Hexedit controls/keys
shift+> will take you to the end of the hex file
shift+< will take you to the beginning
page up/page down it will take you up a page and down a page respectively
ctrl+c you will exit the hex file without saving any changes
esc+t you will truncate the file at the current location
ctrl+x you will save the file with all changes you have done.
This is an example of a padded aboot.mbn, before hexediting and prior to truncating the file at the first "0" in the string "00 01" found between the end of the actual file and the padded zeros and repeating F's:
View attachment 2353922
This is an example of a properly signed aboot.mbn after hexediting
View attachment 2353923
How to find start addresses
First you have to open the selected bootloader with a hex file editor and look at the header, converting for little endian you can find the start addresses and offsets
Code:
sbl1.mbn = 0x2a000000
00000000 D1 DC 4B 84 34 10 D7 73 15 00 00 00 FF FF FF FF ..K.4..s........
00000010 FF FF FF FF 50 00 00 00 [00 00 00 2A] 40 72 01 00 ....P......*@r..
00000020 40 41 01 00 40 41 01 2A 00 01 00 00 40 42 01 2A @A..@A.*....@B.*
00000030 00 30 00 00 01 00 00 00 04 00 00 00 FF FF FF FF .0..............
sbl2.mbn = 0x2e000000
00000000 16 00 00 00 03 00 00 00 00 00 00 00 [00 00 00 2E] ................
00000010 40 51 02 00 40 20 02 00 40 20 02 2E 00 01 00 00 @Q..@ ..@ ......
00000020 40 21 02 2E 00 30 00 00 12 00 00 EA 5F 00 00 EA @!...0......_...
00000030 62 00 00 EA 65 00 00 EA 68 00 00 EA 6B 00 00 EA b...e...h...k...
sbl3.mbn = 0x8ff00000
00000000 18 00 00 00 03 00 00 00 00 00 00 00 [00 00 F0 8F] ................
00000010 20 20 04 00 20 EF 03 00 20 EF F3 8F 00 01 00 00   .. ... .......
00000020 20 F0 F3 8F 00 30 00 00 D3 F0 21 E3 D3 F0 21 E3  ....0....!...!.
00000030 00 70 A0 E1 09 02 A0 E3 00 D0 A0 E1 DB F0 21 E3 .p............!.
aboot.mbn = 0x88e00000 offset = 0x285
00000000 05 00 00 00 03 00 00 00 00 00 00 00 [00 00 E0 88] ................
00000010 10 56 14 00 10 25 14 00 10 25 F4 88 00 01 00 00 .V...%...%......
00000020 10 26 F4 88 00 30 00 00 06 00 00 EA F0 38 00 EA .&...0.......8..
00000030 F6 38 00 EA FC 38 00 EA 02 39 00 EA 08 39 00 EA .8...8...9...9..
tz.mbn = 0x2a000000
00000000 19 00 00 00 03 00 00 00 00 00 00 00 [00 00 00 2A] ...............*
00000010 C4 3A 03 00 C4 09 03 00 C4 09 03 2A 00 01 00 00 .:.........*....
00000020 C4 0A 03 2A 00 30 00 00 09 00 00 EA 90 F2 9F E5 ...*.0..........
00000030 90 F2 9F E5 90 F2 9F E5 90 F2 9F E5 84 F2 9F E5 ................
rpm.mbn = 0x00020000
00000000 17 00 00 00 03 00 00 00 00 00 00 00 [00 00 02 00] ................
00000010 38 57 02 00 38 26 02 00 38 26 04 00 00 01 00 00 8W..8&..8&......
00000020 38 27 04 00 00 30 00 00 06 00 00 EA 1E 00 00 EA 8'...0..........
00000030 2C 00 00 EA 39 00 00 EA 46 00 00 EA 53 00 00 EA ,...9...F...S...
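The header decoding described above, as an added example in Python (not code from any of the posters in this thread). It takes the six header dumps quoted in the post as its input, reads the little-endian fields of the Qualcomm MBN header (the 40-byte layout of sbl2/sbl3/aboot/tz/rpm, and the longer SBL1 layout, recognised by its codeword), recovers the load address, and cross-checks that the code, RSA signature and certificate-chain pointers and sizes agree with each other, which is how a secure-boot verifier locates what it checks. The header's size field also gives where the signed image ends in a dd'ed partition dump, before the zero padding discussed in the hexedit section earlier. The field names, the SBL1 codeword constant and the assumption that the image begins at image_src (or right after the header when image_src is 0) are mine, not the post's; compare the computed length against your own dump before trusting it.

```python
import struct

# Header dumps copied from the post above (first 0x40 bytes of each bootloader
# partition as printed there); they are the page's own data, not new samples.
HEADER_DUMPS = {
    "sbl1.mbn": "D1DC4B84 3410D773 15000000 FFFFFFFF FFFFFFFF 50000000 0000002A 40720100 "
                "40410100 4041012A 00010000 4042012A 00300000 01000000 04000000 FFFFFFFF",
    "sbl2.mbn": "16000000 03000000 00000000 0000002E 40510200 40200200 4020022E 00010000 "
                "4021022E 00300000 120000EA 5F0000EA 620000EA 650000EA 680000EA 6B0000EA",
    "sbl3.mbn": "18000000 03000000 00000000 0000F08F 20200400 20EF0300 20EFF38F 00010000 "
                "20F0F38F 00300000 D3F021E3 D3F021E3 0070A0E1 0902A0E3 00D0A0E1 DBF021E3",
    "aboot.mbn": "05000000 03000000 00000000 0000E088 10561400 10251400 1025F488 00010000 "
                 "1026F488 00300000 060000EA F03800EA F63800EA FC3800EA 023900EA 083900EA",
    "tz.mbn": "19000000 03000000 00000000 0000002A C43A0300 C4090300 C409032A 00010000 "
              "C40A032A 00300000 090000EA 90F29FE5 90F29FE5 90F29FE5 90F29FE5 84F29FE5",
    "rpm.mbn": "17000000 03000000 00000000 00000200 38570200 38260200 38260400 00010000 "
               "38270400 00300000 060000EA 1E0000EA 2C0000EA 390000EA 460000EA 530000EA",
}

# Field names follow the Qualcomm MBN header layout (ten little-endian u32 words).
MBN_FIELDS = ("image_id", "header_version", "image_src", "image_dest_ptr",
              "image_size", "code_size", "signature_ptr", "signature_size",
              "cert_chain_ptr", "cert_chain_size")
SBL1_CODEWORD = 0x844BDCD1  # first word of the longer SBL1 header ("D1 DC 4B 84" above)


def parse_mbn_header(blob: bytes) -> dict:
    """Decode the MBN header at the start of blob.

    Two layouts are handled: the 40-byte header (ten u32 fields) and the 80-byte
    SBL1 header, where a codeword, magic, image_id and two reserved words precede
    the same eight size/pointer fields (image_src onwards) at offset 0x14.
    """
    if len(blob) < 0x40:
        raise ValueError("need at least 0x40 bytes of header")
    codeword = struct.unpack_from("<I", blob, 0)[0]
    if codeword == SBL1_CODEWORD:
        fields = dict(zip(MBN_FIELDS[2:], struct.unpack_from("<8I", blob, 0x14)))
        fields["image_id"] = struct.unpack_from("<I", blob, 8)[0]
        fields["header_version"] = None
        fields["header_len"] = 0x50
        # SBL1 also records which OEM root certificate it trusts and how many exist.
        sel, num = struct.unpack_from("<2I", blob, 0x34)
        fields["oem_root_cert_sel"], fields["oem_num_root_certs"] = sel, num
    else:
        fields = dict(zip(MBN_FIELDS, struct.unpack_from("<10I", blob, 0)))
        fields["header_len"] = 0x28
    return fields


def check_layout(h: dict) -> list:
    """Cross-check the header: the signed image is code, then the RSA signature,
    then the certificate chain, laid out contiguously from the load address.
    A header failing these checks is corrupt or tampered; the boot chain will reject it."""
    problems = []
    if h["code_size"] + h["signature_size"] + h["cert_chain_size"] != h["image_size"]:
        problems.append("image_size != code_size + signature_size + cert_chain_size")
    if h["signature_ptr"] != h["image_dest_ptr"] + h["code_size"]:
        problems.append("signature_ptr does not directly follow the code")
    if h["cert_chain_ptr"] != h["signature_ptr"] + h["signature_size"]:
        problems.append("cert_chain_ptr does not directly follow the signature")
    return problems


def expected_signed_length(h: dict) -> int:
    """Bytes from file start to the end of the certificate chain.
    Assumption (verify on your own dump): the image begins at image_src, or right
    after the header when image_src is 0, so anything past this offset is padding."""
    start = h["image_src"] or h["header_len"]
    return start + h["image_size"]


def summarize(name: str, hexdump: str) -> dict:
    """Parse one dump and return the facts a practitioner wants at a glance."""
    h = parse_mbn_header(bytes.fromhex(hexdump))
    return {"name": name, "load_address": h["image_dest_ptr"],
            "signature_bytes": h["signature_size"],
            "signed_length": expected_signed_length(h), "problems": check_layout(h)}


if __name__ == "__main__":
    for img, dump in HEADER_DUMPS.items():
        s = summarize(img, dump)
        status = "OK" if not s["problems"] else "; ".join(s["problems"])
        print(f"{img:10} load=0x{s['load_address']:08x} sig={s['signature_bytes']} "
              f"signed_len=0x{s['signed_length']:x} {status}")
```

For every dump on the page the three layout checks pass and the signature is 0x100 bytes (RSA-2048) followed by a 0x3000-byte certificate chain; a tampered header (for instance a changed signature_size) shows up immediately in the problems list.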
EDIT: 2/01/2014 - Updated OP to include where we're at
2/01/2014
1. Figuring out what Hellsdroid's method was - Unfortunately this seems unlikely as of now (figuring out what he did, that is). On the other hand, @TMcGrath50 and I discussed a method we thought to be similar to his starting around here, and then I learned how to use IDA better as time went on and recently disassembled that I9505 S4 USB repair tool. I have not done a thorough analysis of the pseudocode yet though. But even so, this method has never been done before (as far as I know), and in addition to assuming the information in the pic below is true, and that we can in fact reset the emmc on our devices with Secure Boot 3.0 (would this be a way of getting around having to reset the Secure Boot bit in the pbl to "0"?), I still think this idea needs to be refined a bit before it's worth exploring, because some questions remain as to whether it would even work in the first place. For example, when a JTAG solution was tested previously, the VRUAMDK aboot.mbn didn't flash on a device with VRUAME7 after all the partitions were written over with VRUAMDK partitions via JTAG. Why? @jeboo may be able to help answer that.
Also, it was previously questioned whether or not the flash programmer (8064 hex) would need to be signed. As I have two S4's, one that's working and one in QDL QHSUSB dload mode, in doing some recent testing through USB (S4 to S4) I was able to get some info back about my bricked S4, namely that I had sent it the wrong hex file (see the last line here), because the dmesg and last_kmsg logs say something to the effect of "the cpu clocks cannot start because it's configured for the wrong device" and the last line from my pastebin post says "8660" among other things.
Status - Unknown - More Research Required
2. Using a Developer edition S4 to unlock a retail S4 - So here's what we know: the dev kernel (boot.img) is flashable and will work with retail S4's, but the recovery.img and aboot will not. Flashing the dev recovery.img will succeed in Odin/Heimdall, but if you try to boot into recovery it will inform you that your device is "tampered" and will void your warranty by setting the Knox warranty bit to 0x1. Before I discuss why aboot.mbn won't flash, consider this: neither the Developer edition of the GS4 nor the Developer edition of the Note 3 has ever received an OTA or a factory Odin tar. This is not by random chance. Every Developer edition owner has a unique MD5 for their aboot. If you couple this with the fact that Dev edition devices have retail stickers under their dev stickers, you will probably come to the conclusion that Samsung/Verizon/AT&T haven't released updates to dev devices because they would have to do it on a 'per device' basis, or else risk handing us a method to convert retail devices into developer edition devices. If the method by which Samsung uses device-specific info to sign developer edition aboot partitions were discovered this may work, or if their method to determine whether a device is a developer edition or a consumer retail edition is similar to what Dan R (djrbliss) took advantage of, then this could be a possibility.
3,4,5,6, coming up....updating...this will be a long post...advance warning.
Status - Possibly - More Research Required
This really sucks. Looks like the dev that knows how to downgrade from ME7 to MDK is locked up for a while.
h311sdr0id is currently indisposed and will probably not be getting out anytime soon. He has court next month. If anyone is interested in writing him, please send a message to his account and I will give you his info.
- Mrs. h311sdr0id
Travisdroidx2 said:
This really sucks. Looks like the dev that knows how to downgrade from ME7 to MDK is locked up for a while.
Man... Samsung's really cracking down...
Sent from my SCH-I545 using XDA Premium 4 mobile app
Is it confirmed this is Samsung's doing?
Sent from my SCH-I535 using XDA Premium 4 mobile app
Travisdroidx2 said:
This really sucks. Looks like the dev that knows how to downgrade from ME7 to MDK is locked up for a while.
WOW, this is news to me! It explains why I haven't seen him update his VS3 rom in awhile.
@Nicgraner
Sarcastic joke, or are you serious?
I noticed in the note 3 part of the forum a member started a petition to unlock the boot loader. Can someone start one or combine with the note 3 page?
Petitions just turn into complaint threads. I wanted to give this a last shot, so I posted a lot of info and plenty of references with the intent that even less experienced S4 users could learn and eventually contribute to helping unlock this bootloader. I also offered some ideas as a starting point. I've never joined IRCs or Google Talk sessions with others in trying to solve things; I mostly read and learned on my own and I'm by no means a dev. But I don't think we can unlock this unless we stop complaining and one-upping each other and start working together. I wish that people would stop asking if devs are still trying to unlock this, or being pessimistic about it, and start being part of the solution by reading a little and then helping contribute to a solution. All suggestions are welcome. But if you don't know what comprises the "bootloader", learning the flashing order of the partitions at least up until tz.mbn would benefit you greatly.
P.S.
Just because you're not a dev doesn't mean you can't help; most devs are knowledgeable about their devices, but some don't know much beyond how to use Android Kitchen.
Sent from my XT912 using xda app-developers app
Surge1223 said:
Petitions just turn into complaint threads. I wanted to give this a last shot, so I posted a lot of info and plenty of references with the intent that even less experienced S4 users could learn and eventually contribute to helping unlock this bootloader. [...]
On that note, I thank you for developing the OYUAMDK FW. I have not tried it yet; I'm just waiting for another guinea pig, or at least to have a backup device to swap SIMs so that I can have something to use.
Samsung has their first Dev Conference today in San Francisco and hopefully there will be devs there to get better insight on Samsung's position on ROMs and bootloaders etc...
Awesome analysis Surge, that hellsdroid thread piqued the interest of several devs, including myself. Unfortunately I believe his thread was a bit misleading, which may explain why he closed it. There has been no demonstrated method to boot vulnerable BLs (i.e., loki-fiable aboot) once the qfuse has been incremented.
Some of us are looking at the binaries, but no exploit has popped out yet. I did find it interesting they updated SBL1 in the latest OTA, that may be a hint towards something..
jeboo said:
Awesome analysis Surge, that hellsdroid thread piqued the interest of several devs, including myself. Unfortunately I believe his thread was a bit misleading, which may explain why he closed it. There has been no demonstrated method to boot vulnerable BLs (i.e., loki-fiable aboot) once the qfuse has been incremented.
So I just started analyzing my emmc backup (took the entire 16gb mmcblk0 to make sure I didn't miss anything). Have you looked through the emmc? I think the modem and apnhlos are more involved in the security checks than we previously thought. Plus these tima, tzapps, apps.mbn etc. files may have contributed to the failure of flashing the mdk aboot on the me7 device you guys were attempting; is there a reason you guys didn't include the mdk modem and apnhlos in your attempt to restore the mdk bootchain? I flashed the dev bootloader, with the exception of the dev aboot, boot and recovery, using 3 heimdall packages. The first contained the modem, apnhlos and sbl1-3. The second contained rpm and tz, and the third contained boot and recovery (as expected this package failed). The result was that my device was now on the dev bootchain with the exception of aboot, boot and recovery, and I confirmed these results via hexedit. So I think we can rule out sbl3 being the main culprit in checking the fuses when trying to flash a new aboot; also, I don't get the "fused 3 binary 1 aboot" failure message when I attempt to flash aboot anymore, just the "secure check fail aboot" message. I definitely think it's worth looking into using the dev tz.mbn to find an exploit, because I no longer ever see the "samsung custom unlock" boot screen and my device believes it's unmodified and reports it's official. My device is so far from unmodified it's ridiculous. That means the dev tz.mbn partition I flashed is behaving as if my s4 is a dev edition (see ralekdev's post I linked to in the OP).
Sent from my TouchPad using xda app-developers app
Surge1223 said:
So I just started analyzing my emmc backup (took the entire 16gb mmcblk0 to make sure I didn't miss anything). Have you looked through the emmc? [...]
So does this mean that if I flash your OYUAMDK Odin image my Dev Ed phone will think it's OOB, without custom unlock?
There's a post in that thread where a dev owner achieved those results as well; he only flashed a couple of partitions. You can get more details there.
Sent from my XT912 using xda app-developers app
Thread cleaned of selling and/or trading and the ensuing discussion.
Use Swappa.com for that.
neh4pres said:
Is it confirmed this is Samsung's doing?
I've always known Samsung to be like Google when it comes to consumer development. Google supports and encourages the freedom to modify Android, it being open source in the first place. Samsung doesn't mind, themselves; it's carrier security teams that require companies like Samsung to create their own methods of locking down the device for the average user. I'm quite impressed with the Knox bootloader and secure VM app. It may not be done anytime soon, but it can always be cracked. But the fact that this code is so hard to modify, thanks to carriers, is actually a good thing.
Hey guys I am totally supporting this thread. Unfortunately i have no experience in this kinda stuff or else i would help. Good luck!
Much like most of us. Still out there Surge?
Sent from my SCH-I545 using xda app-developers app
Still here. I use TW based roms, so my motivation for wanting to unlock this isn't for AOSP or custom kernels. It's just the challenge, that and out of hate for Verizon lol. The Droid X sitting on my desk is a painful reminder of defeat. Can't let them win twice..
Sent from my SCH-I535 using xda app-developers app
Surge1223 said:
Still here. I use TW based roms, so my motivation for wanting to unlock this isn't for AOSP or custom kernels. It's just the challenge, that and out of hate for Verizon lol. The Droid X sitting on my desk is a painful reminder of defeat. Can't let them win twice..
No doubt... can't believe I left my G-Nex for this locked down thing... unfortunately I had to craigslist an upgrade and couldn't snag one of these when they first came out.
I am also in full support of this thread! Running stock MJ7, never rooted my phone once, I have taken all the OTAs. I'm really crossing my fingers that someone can break this thing so I can finally root and install a stock Google rom; I hate TW so much! With all the headache with safestrap and junk on the MI1, I was not wanting to root my device just to have a half assed recovery.
Does it mean anything that my S4 is still showing unlocked and custom? Should it still show that even if it is in fact locked?

Question QPST - EFS File Explorer - Anyone got it working

Hello,
I was wondering if anyone has managed to get this working on the Realme GT, as I wanted to look at the carrier policy for my phone; I've edited the OnePlus One successfully.
But I was having issues on this one; it doesn't seem to recognise the phone to connect to EFS.
Yes. I got it working (on c15 eu). I was testing the same method I used on my poco f3 and it works the same way.
I'm assuming you're rooted.
If so, while USB debugging and USB file transfer mode are on, use the commands:
Code:
adb shell
su
setprop sys.usb.config diag,diag_mdm,adb
This should create two new entries in Device Manager with a yellow icon (faulty driver). You now need to update the driver. The best way of explaining this is to link to a YouTube video. It's in Turkish and for the Mi 10T, but it works for other phones. Here it is at the correct timestamp. But written in steps it's:
Right click on the device and update driver.
Browse my computer for drivers.
Pick from a list of available drivers from my computer.
Ports (COM and LPT)
"qualcomm incorporated" and "qualcomm hs-usb android diag 9022".
Do this for both entries. They should now both be named something like "qualcomm hs usb diag 9022 (COM6)" in the Ports (COM & LPT) section in Device Manager (each has a different port number for me).
Anyway, after that, the phone shows up in qpst.
Good luck.
Awesome, will give that a go!
joebrit said:
Yes. I got it working (on c15 eu). I was testing the same method I used on my poco f3 and it works the same way.
Worked perfectly. Thanks. Have you played about to unlock any bands?
unparalleled82 said:
Worked perfectly. Thanks. Have you played about to unlock any bands?
No. I haven't tried anything qpst wise with my gt yet. I'm not an expert but I thought you could only activate new bands if the hardware shipped with them enabled but there's an artificial carrier based policy/limitation that qpst could change. I think there's guides out there...
My interest was in locking my phone to a certain tower (pci) for better speeds. Unfortunately, I tried this on my poco f3 a while ago but it didn't work. I used these instructions.
I basically created a file in efs explorer (nv/item_files/modem/lte/rrc/csp/pci_lock)
with the pci hex code inside but it didn't have the right effect. I think that nv item might be outdated.
Yeah, the only PCI band locking apps I've seen are really expensive paid ones, so it can be done somehow.
Network signal guru does band locking and PCI locking on the paid version of the app.
Would be interested in knowing if you actually get it working.
unparalleled82 said:
Would be interested in knowing if you actually get it working.
Use the following at your own risk. Make a backup of your efs in qpst (start clients, software download, backup). Having said that, I've used this method successfully to lock the pci and earfcn. It relies on an nv item file:
/nv/item_files/modem/lte/rrc/efs/cell_restrict_opt_params
Navigate to:
/nv/item_files/modem/lte/rrc/efs/
If there is already a file called cell_restrict_opt_params you can make a backup and delete it as we will be replacing it.
Note down your desired earfcn and pci. I'll use earfcn = 500 and pci = 600 as an example.
Go to this hex converter and convert the earfcn and pci values (earfcn = 01F4 and pci = 0258).
Now create a hex file called cell_restrict_opt_params (you can use this program) in the following format:
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 F4 01 00 00 58 02 00 00 00 00 00 00
00 00 00 00
It should be 36 bytes. The 21st and 22nd byte should be the earfcn hex (backwards) with the 25th and 26th bytes being the pci hex (backwards). You can then transfer the file from your pc to the efs folder.
If you want to lock the earfcn only, it's the following format:
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 F4 01 00 00
F4 01 00 00
You will probably have to restart for the changes to take effect. Delete the file if you want to go back to the original state.
Good Luck.
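The two file layouts described above, as an added example in Python (not code from the poster): it builds the 36-byte cell_restrict_opt_params blob from a decimal earfcn and pci, writing both as little-endian 32-bit words (the "backwards" hex the post describes), parses such a file back to check which lock it encodes before you drop it into the EFS, and prints it in the same 16-bytes-per-row form as the post. The leading 01 00 00 00 word and the offsets are taken from the post; the PCI range check (0 to 503, the LTE physical cell identity range) is mine, and the function and variable names are my own.

```python
import struct
from typing import Optional

NV_FILE_SIZE = 36          # the post states the file must be 36 bytes
EARFCN_PCI_OFFSET = 20     # earfcn at bytes 21-24, pci at bytes 25-28 (1-based, as in the post)
EARFCN_ONLY_OFFSET = 28    # earfcn-only layout repeats the earfcn at bytes 29-32 and 33-36
LTE_PCI_MAX = 503          # LTE physical cell identities run 0..503


def build_cell_restrict(earfcn: int, pci: Optional[int] = None) -> bytes:
    """Build cell_restrict_opt_params for an earfcn+pci lock, or an earfcn-only
    lock when pci is None. Values are packed little-endian ("<I")."""
    if not 0 <= earfcn <= 0xFFFFFFFF:
        raise ValueError("earfcn must fit in an unsigned 32-bit word")
    if pci is not None and not 0 <= pci <= LTE_PCI_MAX:
        raise ValueError(f"pci must be between 0 and {LTE_PCI_MAX}")
    buf = bytearray(NV_FILE_SIZE)
    struct.pack_into("<I", buf, 0, 1)  # leading 01 00 00 00 word, as in the post's examples
    if pci is None:
        struct.pack_into("<II", buf, EARFCN_ONLY_OFFSET, earfcn, earfcn)
    else:
        struct.pack_into("<II", buf, EARFCN_PCI_OFFSET, earfcn, pci)
    return bytes(buf)


def parse_cell_restrict(blob: bytes) -> dict:
    """Read a cell_restrict_opt_params blob back and report the lock it encodes.
    Rejects anything that is not exactly 36 bytes, the most likely hand-editing mistake."""
    if len(blob) != NV_FILE_SIZE:
        raise ValueError(f"expected {NV_FILE_SIZE} bytes, got {len(blob)}")
    flag, = struct.unpack_from("<I", blob, 0)
    earfcn, pci = struct.unpack_from("<II", blob, EARFCN_PCI_OFFSET)
    if earfcn or pci:
        return {"flag": flag, "mode": "earfcn+pci", "earfcn": earfcn, "pci": pci}
    earfcn_only, = struct.unpack_from("<I", blob, EARFCN_ONLY_OFFSET)
    return {"flag": flag, "mode": "earfcn", "earfcn": earfcn_only, "pci": None}


def hexdump_rows(blob: bytes) -> str:
    """Format like the post: 16 upper-case hex bytes per row, space separated."""
    return "\n".join(" ".join(f"{b:02X}" for b in blob[i:i + 16])
                     for i in range(0, len(blob), 16))


if __name__ == "__main__":
    # The post's worked example: earfcn = 500 (0x01F4), pci = 600 (0x0258).
    # 600 is outside the LTE PCI range, so it is shown here only to reproduce the post's bytes.
    both = bytearray(build_cell_restrict(500))
    struct.pack_into("<II", both, EARFCN_PCI_OFFSET, 500, 600)
    struct.pack_into("<II", both, EARFCN_ONLY_OFFSET, 0, 0)
    print(hexdump_rows(bytes(both)))
    print(parse_cell_restrict(bytes(both)))
    print(hexdump_rows(build_cell_restrict(500)))
```

Write the output of build_cell_restrict to a file named cell_restrict_opt_params and transfer it with EFS Explorer as the post describes; run parse_cell_restrict on the file first if you edited it by hand, since a 35- or 37-byte file is silently wrong.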
