M3Note unlock bootloader manually (apply for other MT67XX and MT65XX soc) - Meizu M3 Note Guides, News, & Discussion

Dear all,
Finally have time to write up the unlock bootloader procedure. I found that search engines (internal / external) might mask new threads, so those who urgently need to repair their phone, or have various other reasons to unlock the bootloader, might not have a chance to reach helpful info.
https://youtu.be/ps6ngeDPiHc
https://youtu.be/_9LwOmmF0_s
https://youtu.be/Gsn8FynWxaU
Here is the procedure extracted from another thread of mine. Eventually I will remove all unlock bootloader info from the original thread and leave it here.
Unlocking the bootloader manually this way may also apply to many other MT6755 or similar SoCs.
~~ YOUR OWN RISK ~~ ~~ YOUR OWN RISK ~~
Development (uncrack procedure) details are below.
https://forum.xda-developers.com/m3-note/how-to/m3-note-ported-kernel-source-twrp-3-3-0-t3956911
_AND_
https://github.com/99degree/android_kernel_m3note/tree/m3note_20190813
== Procedure ==
To unlock the bootloader: generally the lk has a magic frp partition for security, either for Google suite use or for lk unlock bootloader use. In short, setting the last dword to 1 will unlock the bootloader. So you don't have to have a very unfriendly (and possibly not working) tool installed.
If you want to know more about the lk and the unlock magic, here is the URL, so the myth above can be cleared up: https://github.com/mbskykill/m3note_android_bootable.git
The lk.bin needs to be checked beforehand, since unlocking the bootloader involves the "fastboot oem unlock" cmd. So do a binary search and see if the string pattern "oem unlock" appears in the lk.bin itself. If yes, it is likely the lk is capable of unlocking. If not, the vendor disabled it completely in the source code on purpose. Please check the third video for details. One example is the m3note intl version: its lk does not have "oem unlock", and the "boot" cmd is commented out on purpose. That's why there is the need to install the chn version of lk from the chn rom, where that logic is still available (some success cases installed the chn beta rom).
Here are steps to unlock the bootloader.
===YOUR OWN RISK===
(a) make sure a lower version (flyme5 ?) is installed
(b) install kingroot (or flyme root, it won't be limited to flyme5) to get root
(c) install partitions backup (or other tool)
(d) backup frp partition (need root)
(e) edit with a hex tool (a hex editor, e.g.)
(f) locate last dword, write 1, save file, write back to frp
(g) reboot and install newer (6.3.0.3A) Chinese version of the rom
(h) optional: step g might fail due to the chn/intl (G->A) rom different serial number; the script below cracks the barrier
http://forum.flymeos.com/thread-38493-1-1.html
(Updated 20191024)
(I) in fastboot mode, do fastboot.exe oem unlock
to guarantee the phone is unlocked.
(J) do fastboot boot m3note.img to get into twrp, then format the data partition
Special notice for step e: the frp modification is shown and highlighted clearly in video2 part2; the same info is available in the first video at 3:39, so please take a look as well.
Special notice for step J: if this is not done, the m3note deadloops no matter which button is pressed, except power on/off. If this happens, unplug the usb cable and leave it to use up the internal battery power. Then vol-down + power button can revive the fastboot env.
Then the M3 note is unlocked. Please note that running the said script in step h might have a drawback (wiping too much data), such as loss of the CDMA MEID (Mobile Equipment Identifier), so do it at
~~ YOUR OWN RISK ~~ ~~ YOUR OWN RISK ~~
Technical detail of the unlock logic is as below.
sec_unlock.c
fastboot_get_unlock_perm {
    ...
    index = partition_get_index(FRP_NAME);
    ...
    size = partition_get_size(index);
    unlock_allowed_flag_offset = size - sizeof(unsigned int);
    ...
}
OK, sizeof(unsigned int) is a dword. The offset is (size-1 * dword). So setting it to 1 means unlock.
Other unlock tutorials:
Meizu E3 bootloader unlock tutorial

WOW mine is L681h version, will it work? any custom rom available for it? TIA

jack dee707 said:
WOW mine is L681h version, will it work? any custom rom available for it? TIA
no custom rom atm. Flyme looping at welcoming screen due to an exception of system server.
Mine is the intl version; I installed the chn rom and got the v6303 lk and flyme 7, and it is working nicely. For L681h or other models there are many variants, so no guarantee. If the chn version rom works on your device, then it is highly likely this twrp rom works too. The kernel is not fit for m3note at all, so source porting is needed. There are still many device drivers missing.
Good luck.

99degree said:
no custom rom atm. Flyme looping at welcoming screen due to an exception of system server.
Mine is the intl version; I installed the chn rom and got the v6303 lk and flyme 7, and it is working nicely. For L681h or other models there are many variants, so no guarantee. If the chn version rom works on your device, then it is highly likely this twrp rom works too. The kernel is not fit for m3note at all, so source porting is needed. There are still many device drivers missing.
Good luck.
Mine is also the global international variant. Is your device the L681h version or another? I think you should share this in the flyme forum also; a lot of users are waiting to shift from global to chinese for having flyme 7 but due to the bootloader issue none can do it. And please try to make a full youtube video tutorial as well for all steps, that would be very handy. Thanks a lot.

jack dee707 said:
Mine is also the global international variant. Is your device the L681h version or another? I think you should share this in the flyme forum also; a lot of users are waiting to shift from global to chinese for having flyme 7 but due to the bootloader issue none can do it. And please try to make a full youtube video tutorial as well for all steps, that would be very handy. Thanks a lot.
You had better think the other way round. The rooting method and the surgery should follow the method mentioned in http://forum.flymeos.com/thread-38493-1-1.html. If you have any question about rooting and G version -> A version, you can ask the original author for help; it is for your own good to rescue the phone with proper help. After that, you might consider going one step further to unlock the bootloader.
It is a bit risky; I had my m3 note as an old dev machine so I don't care. And please bear in mind the L681h model itself already has many variants, so it is not worth mentioning other models. You can check all variant info at http://deviceinfohw.ru/devices/index.php
As far as I know, those mainly fall into categories with the sm5414 or bq24169 pmic. And the A version supports both, as found by grepping keywords in lk.bin. But about other parts I am not sure, like lens and camera, lcm etc. I found no problem with mine.
Once again, I already lost the cdma meid with the above script as a drawback. So do it at your own risk.
Good luck.

Hi, I tried your guide on a Meizu m5c that has an MT67xx but I didn't succeed. I modified the FRP and flashed the modified FRP and Chinese LK but it doesn't let me unlock. Could you make a youtube guide on how to change the FRP and apply the method? I think I made a mistake in some passages. Or if you want, I can send you the FRP file and you modify it for me and then give it back to me, but I prefer the first option, which I think is better.

XRed_CubeX said:
Hi, I tried your guide on a Meizu m5c that has an MT67xx but I didn't succeed. I modified the FRP and flashed the modified FRP and Chinese LK but it doesn't let me unlock. Could you make a youtube guide on how to change the FRP and apply the method? I think I made a mistake in some passages. Or if you want, I can send you the FRP file and you modify it for me and then give it back to me, but I prefer the first option, which I think is better.
Buddy, you are welcome to visit here.
Frankly speaking, this might not always hold true for a custom lk from some vendors. Samsung and moto have different lock strategies. Although the code is common for mt67xx, even I can't guarantee that every mt67xx phone from the same vendor uses the same code piece from mtk.
So in your case I can provide more info for you to try. First you need to test fastboot boot with your boot.img and see if it works halfway. If there is an invalid command, then you might not have a chance to do something advanced.
Please watch the youtube video above again. I grabbed the frp partition with hexview in twrp. The modification shown is quite clear at 3:39: the pattern at the end is 0001 0000, and hexview skips all-0 pattern blocks in the middle. Please have a check if you still want to try. Please note that on different phones the frp size might differ; the above lk code requires the last dword set to 1 anyway.
Here is some basic info on how to view hex code.
Representing 1 in a double word:
Offset:  00 01 02 03 ...... 0c 0d 0e 0f
Value:   00 00 00 00 ...... 01 00 00 00
Hexview: 0000 0000   ...... 0001 0000
As above, offsets 00 and 01 are grouped together as a word. In each group, the least significant bit is on the right. So 0001 is shown in hexview grouped as a word, and likewise we want 0001 0000 in dword as 00000001.
So 0x1, as byte 01 00 00 00, as short 0001 0000, as dword 00000001
Hope the above helps you go further.
(Updated 20191024)
Please refer to the top post step i; the above might have missed that step. Please do try "fastboot oem unlock" and see if it is needed to fully unlock the phone. I am not sure, it was too long ago for me.
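An added example (not code from this thread or from the lk source) that runs the two read-only checks described in the posts above on dumped files: decoding the last dword of an frp image at `size - sizeof(unsigned int)`, and searching lk.bin for the fastboot command strings. The sample images are constructed, the function names are hypothetical, and treating a hit inside the "oem unlock is false" error message as not being the command itself is an assumption of this sketch.

```python
import struct

DWORD = struct.calcsize("<I")  # 4 bytes: sizeof(unsigned int) in the excerpt

# String patterns the thread suggests searching lk.bin for.
FASTBOOT_PATTERNS = (b"oem unlock", b"oem-unlock", b"oem bootloader-unlock")
# Error text from the cmd_boot snippet; it contains "oem unlock" but is only
# a message (assumption: such a hit does not prove the command exists).
MESSAGE_ONLY = {"oem unlock is false"}


def unlock_flag_offset(size):
    """Offset the excerpt computes: size - sizeof(unsigned int)."""
    if size < DWORD:
        raise ValueError("image smaller than one dword")
    return size - DWORD


def read_unlock_flag(frp):
    """Decode the last dword of an frp dump as little-endian."""
    (value,) = struct.unpack_from("<I", frp, unlock_flag_offset(len(frp)))
    return value


def hexview_words(data):
    """Render bytes grouped as 16-bit little-endian words, like the hexview."""
    if len(data) % 2:
        raise ValueError("need an even number of bytes")
    words = struct.unpack("<%dH" % (len(data) // 2), data)
    return " ".join("%04x" % w for w in words)


def enclosing_cstring(blob, idx):
    """Return the NUL-delimited string that contains offset idx."""
    start = blob.rfind(b"\x00", 0, idx) + 1
    end = blob.find(b"\x00", idx)
    if end == -1:
        end = len(blob)
    return blob[start:end].decode("ascii", "replace")


def find_fastboot_strings(lk, patterns=FASTBOOT_PATTERNS):
    """List (offset, enclosing string) for every pattern hit in lk.bin."""
    hits = []
    for pat in patterns:
        idx = lk.find(pat)
        while idx != -1:
            hits.append((idx, enclosing_cstring(lk, idx)))
            idx = lk.find(pat, idx + 1)
    return sorted(hits)


def audit(frp, lk):
    """Summarise both checks without modifying either image."""
    hits = find_fastboot_strings(lk)
    flag = read_unlock_flag(frp)
    return {
        "frp_size": len(frp),
        "flag_offset": unlock_flag_offset(len(frp)),
        "flag_value": flag,
        "flag_is_one": flag == 1,  # "set to 1 means unlock" per the thread
        "tail_hexview": hexview_words(frp[-DWORD:]),
        "lk_hits": hits,
        "lk_has_unlock_cmd": any(s not in MESSAGE_ONLY for _, s in hits),
    }


# Constructed sample data (not real dumps): 1 MiB frp images and tiny
# string tables standing in for lk.bin.
FRP_LOCKED = bytes(1024 * 1024)
FRP_FLAGGED = bytes(1024 * 1024 - DWORD) + struct.pack("<I", 1)
LK_INTL = b"\x00".join(
    [b"getvar:", b"download:", b"oem unlock is false", b"reboot"]) + b"\x00"
LK_CHN = b"\x00".join(
    [b"getvar:", b"boot", b"oem unlock", b"oem unlock is false"]) + b"\x00"

if __name__ == "__main__":
    for name, frp, lk in (("intl-like", FRP_LOCKED, LK_INTL),
                          ("chn-like", FRP_FLAGGED, LK_CHN)):
        report = audit(frp, lk)
        print(name, hex(report["flag_offset"]), report["tail_hexview"],
              report["flag_is_one"], report["lk_has_unlock_cmd"])
```

To run it on real dumps, read the two files with `open(path, "rb").read()` and pass the bytes to `audit()`.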

99degree said:
Buddy, you are welcome to visit here.
Frankly speaking, this might not always hold true for a custom lk from some vendors. Samsung and moto have different lock strategies. Although the code is common for mt67xx, even I can't guarantee that every mt67xx phone from the same vendor uses the same code piece from mtk.
So in your case I can provide more info for you to try. First you need to test fastboot boot with your boot.img and see if it works halfway. If there is an invalid command, then you might not have a chance to do something advanced.
Please watch the youtube video above again. I grabbed the frp partition with hexview in twrp. The modification shown is quite clear at 3:39: the pattern at the end is 0001 0000, and hexview skips all-0 pattern blocks in the middle. Please have a check if you still want to try. Please note that on different phones the frp size might differ; the above lk code requires the last dword set to 1 anyway.
Here is some basic info on how to view hex code.
Representing 1 in a double word:
Offset:  00 01 02 03 ...... 0c 0d 0e 0f
Value:   00 00 00 00 ...... 01 00 00 00
Hexview: 0000 0000   ...... 0001 0000
As above, offsets 00 and 01 are grouped together as a word. In each group, the least significant bit is on the right. So 0001 is shown in hexview grouped as a word, and likewise we want 0001 0000 in dword as 00000001.
So 0x1, as byte 01 00 00 00, as short 0001 0000, as dword 00000001
Hope the above helps you go further.
(Updated 20191024)
Please refer to the top post step i; the above might have missed that step. Please do try "fastboot oem unlock" and see if it is needed to fully unlock the phone. I am not sure, it was too long ago for me.
I didn't understand any of these things about HxD and then in the video you don't see that you edit this file, look at what it gives me while I try to boot. If I send you the file, please edit it for me?

So, I modified the FRP file and I hope I did well now I send you the screens, after the flash of this FRP, doing fastboot oem unlock and fastboot boot boot-sign (only for test) gives me these:
Code:
Microsoft Windows [Versione 10.0.18362.418]
(c) 2019 Microsoft Corporation. Tutti i diritti sono riservati.
D:\adb>fastboot oem unlock
FAILED (remote: 'unknown command')
fastboot: error: Command failed
D:\adb>fastboot boot boot-sign.img
creating boot image...
creating boot image - 8757248 bytes
Sending 'boot.img' (8552 KB) OKAY [ 0.826s]
Booting FAILED (remote: 'unknown command')
fastboot: error: Command failed
D:\adb>

XRed_CubeX said:
So, I modified the FRP file and I hope I did well now I send you the screens, after the flash of this FRP, doing fastboot oem unlock and fastboot boot boot-sign (only for test) gives me these:
Code:
Microsoft Windows [Versione 10.0.18362.418]
(c) 2019 Microsoft Corporation. Tutti i diritti sono riservati.
D:\adb>fastboot oem unlock
FAILED (remote: 'unknown command')
fastboot: error: Command failed
D:\adb>fastboot boot boot-sign.img
creating boot image...
creating boot image - 8757248 bytes
Sending 'boot.img' (8552 KB) OKAY [ 0.826s]
Booting FAILED (remote: 'unknown command')
fastboot: error: Command failed
D:\adb>
A bit strange, it seems like the lk does not support the "oem unlock" and "boot" cmds, like the m3note intl lk version. Please take a look at the https://youtu.be/Gsn8FynWxaU video and see if it gives you some insight.
All the best.

I saw the video, it's a very interesting thing ...
Now I put the screen to show you what comes to me when I go to HxD. It says that the oem unlock is false, isn't there a way to change it and make it true? maybe doing this I can activate the bootloader unlock.
Do you have telegram? if you can write me [email protected] in private so it's more comfortable.

P.S: I saw the other video and I realized that I was wrong to edit the FRP file.

XRed_CubeX said:
I saw the video, it's a very interesting thing ...
Now I put the screen to show you what comes to me when I go to HxD. It says that the oem unlock is false, isn't there a way to change it and make it true? maybe doing this I can activate the bootloader unlock.
Do you have telegram? if you can write me [email protected] in private so it's more comfortable.
Thx for watching. If your search result shows that this is the only place of "oem unlock", then sorry, I won't have further advice. If your search shows further patterns such as "oem unlock", "oem-unlock" or "oem bootloader-unlock", then you might have a chance to go further. Aside, it might be worth downloading as many different versions (intl, chn, beta as well) of the rom for your phone as possible and searching all the lk.bin files, to see if any early version has this fastboot cmd.
PS 1: if you want to see if there is any optimized logic in the bootloader boot chain, then you had better go through the source code (or the one similar to your phone).
One source of info: https://github.com/mbskykill/m3note_android_bootable
PS 2: a side note, your frp image is a bit strange and seems not to hold real data. FYI frp is mainly used by google/android for its activation and phone lock etc., so wiping it sometimes overcomes the "lost password" issue; that's why the key to the solution must be written to the last dword, to avoid frp content overwrite.
All the best.

For the m5c the lk, they are the same and do not come out like you. Isn't there a way to add support manually to unlock?

XRed_CubeX said:
For the m5c the lk, they are the same and do not come out like you. Isn't there a way to add support manually to unlock?
Sorry gentleman, modifying frp is an indirect method; your thought is in the right direction. I tried to disassemble the lk linking library, seclib.a, early this year. Due to my limited knowledge, I can't come up with something new.
In case you are interested in continuing, you might need to check the seclib.a binary and see how it goes.
Best wishes.

99degree said:
Sorry gentleman, modifying frp is an indirect method; your thought is in the right direction. I tried to disassemble the lk linking library, seclib.a, early this year. Due to my limited knowledge, I can't come up with something new.
In case you are interested in continuing, you might need to check the seclib.a binary and see how it goes.
Best wishes.
How to exploit with the seclib.a binary?

XRed_CubeX said:
How to exploit with the seclib.a binary?
Here are some ideas, so please don't take it too seriously.
In lk, compiling the source and linking to lk.bin involves seclib.a, and this is the supporting lib that contains functions for checking unlock status. The cmd_boot function (yes, this corresponds to the fastboot boot cmd) calls into this lib for that check. Code snippet:
void cmd_boot(const char *arg, void *data, unsigned sz)
{
    .....
    lock_state = get_unlocked_status();
    if (0 == lock_state)
    {
        fastboot_fail("oem unlock is false");
        return;
    }
So you can see your boot cmd most likely fails here. Before you decide to do so, please do a full text search of the code and your lk.bin and see if those text patterns are available.
The checking function is most likely inside seclib.a; to prove it, I tried to grep all the lk code and found nothing about it. This seclib.a file is missing from the source tree; you can find it somewhere on the web. I believe disassembling a static lib is easier than disassembling a bin; at least a static lib has sections by sections and gcc tools are more handy than ida. Hint: mt6797 is a somewhat more open source one. You can get something from the linaro website or github. It should be less likely to change, as it is a static library.
Another supporting fact is, when doing oem unlock and flash unlock, lk itself must write something to the mtd (nand chip) to remember the status. Then on every bootstrap, get_unlocked_status can read the status. That should be similar logic to boot from nand chip, for reference. So the frp last dword is the permit for manual unlock, and seclib.a is the gatekeeper and checks on every boot.
Hope the above can give you some insight.

Yes but I have to procure the seclib for my preloader that is mt6767, and then handling the preloader is dangerous; if it bricks, my device could no longer be started in any way!
P.S: And then it would be difficult to disassemble the preloader, modify the seclib and then reassemble it.
P.S 2: However for me this thing is very difficult, but if LK is able to change the status of unlocking the bootloader, why not modify it by adding the oem unlock command and unlock it like this?

XRed_CubeX said:
Yes but I have to procure the seclib for my preloader that is mt6767, and then handling the preloader is dangerous; if it bricks, my device could no longer be started in any way!
P.S: And then it would be difficult to disassemble the preloader, modify the seclib and then reassemble it.
P.S 2: However for me this thing is very difficult, but if LK is able to change the status of unlocking the bootloader, why not modify it by adding the oem unlock command and unlock it like this?
Gentleman, I think you are over-engineering. Disassembling seclib.a is to get more info about the unlock logic and the condition of unlock, such as where the oem unlock cmd writes to and what value it writes to which partition; or, the other way, which condition should be met when cmd_boot needs it; and to see if it can apply to your phone. Let me raise an example: writing 1 to the last dword of frp is what exploits should do. I don't think patching the preloader or bootloader is the way to go. They are digitally signed; unlike the frp partition, which google apps and android write to, so it is not digitally signed and thus safe to modify. Of course the rule of thumb is not to take any risk of physically damaging the phone. Hope this is useful for your further reference.

No, I don't even know how to disassemble and where to start

Related

STRTRK CID Unlock

I'm truly sorry about the delay.
I've finally got round to posting a STAR100 SuperCID guide.
1. Get itsutils: http://www.xs4all.nl/~itsme/projects/xda/tools.html
2. Run pdocread.exe with no args. Take a note of the "uniqueid" value.
3. Run "pdocread -n 1 0x000000 0x10000 -b 0x4000 original-bdk1.nb" - you'll get a file.
4. Head over to http://www.spv-developers.com/strtrkCID/. Feed it the DOCID and the file you got from steps 2 and 3. It'll give you back another file.
5. Run "pdocwrite -n 1 patchedfile.bin 0x000000 0x10000 -b 0x4000" where patchedfile.bin is obviously to be replaced with the patched file you got from step 4.
6. There is no 6. Report feedback.
All credit goes to itsme - he wrote all the tools and scripts which made all this possible.
Spawning script: perl startrek_cidedit.pl cid1e62995dd1db197b00b697388760b5e3.bin -i DOPOD601 -c 11111111 -o supercid1e62995.bin 2>&1
decrypting
bufend=44bdd4609845fd0931a871b4a31ddba42d4b96386f9 e9c5dff947c035432fc15
result=b2c7c4eede400853eb232eba436f394b3d75a9adf4c e9a1e452b26ea9059dc59
sha64k=8a7e3a8462b8c851ac125710d44abc05da4916f215e 331f98420db7ae5d87a5d
buffer checksum failed
why ?
Looks like the DOCID value you entered is incorrect. It should be a long stream of hex numbers.
Fantastic !!! Working Ok on SPV F600. Now, we need how to simunlock this smartphone.
Thank you very much Zone Mr.
I ran pdocread in step 1 and got a dos screen that disappears in a second, and where do I find the file in step 2?
Zone-MR said:
Looks like the DOCID value you entered is incorrect. It should be a long stream of hex numbers.
thank you Zone-MR,can u tell me how to get a long stream of hex numbers.
wlinsong said:
thank you Zone-MR,can u tell me how to get a long stream of hex numbers.
i know how to do,thank Zone-MR very very much
is there someone know how to flash rom use T-flash Card?
someone can't get the docid ,because you must use the old one!
I tried to do first step but when I ran pdocread.exe I get the following message :
Could not update itsutils.dll to the current version, maybe it is inuse?
try restarting your device, or restart activesync
or maybe your device is application-locked.
I've app-unlocked my device, activesync works ok, and restarting does not help. Phone is Qtek8500.
Any ideas?
Thanks
Is the script to calculate CID area for startrek available?
I think this should use the same method on Artemis or Herald, the problem is that they have G4 DOC and we'll not be able to use pdocwrite, but on those phones we're already able to place a hacked SPL in mem with psetmem.exe and jump into it's address with modified haret version. If we have the right CID area we can use the hacked SPL to flash it.
sorry for the ignorance...
I have downloaded itsutils but where is the dpocread.exe??
do I have to connect to the device with the mtty??
Maybe a bit more explanation
I've CID unlocked my Qtek 8500 and installed new ROM 3.6.251.0. Thanks Zone, great work!
Maybe it would be useful to write more detailed instructions, so here it is :
1. Application unlock your phone using regeditstg and do the following :
HKEY_LOCAL_MACHINE\Security\Policies\Policies\0000 1001 = 2 -->Change the value data from 2 to 1
HKEY_LOCAL_MACHINE\Security\Policies\Policies\0000 1005 = 16 --> Change the value data from 16 to 40
HKEY_LOCAL_MACHINE\Security\Policies\Policies\0000 1017 = 128 --> Change the value data from 128 to 144
Reboot the phone
2. Run SDA_ApplicationUnlock tool. Reboot the phone after it finishes.
3. Download itsutil.zip from http://www.xs4all.nl/~itsme/projects/xda/tools.html , version from 2005-6-28. There is even newer version, but with that version you can not use pdocread without arguments.
4. Connect the phone with activesync
5. Run Command Prompt, go to subfolder named "build" in itsutils folder, and run pdocread without arguments
6. Note the value of "uniqueid". It will be something like : "00 00 00 00 12 03 02 14 3b 07 1b b2 04 05 07 54"
7. run pdocread again with these arguments : "pdocread -n 1 0x000000 0x10000 -b 0x4000 original-bdk1.nb". This will make original-bdk1.nb file in build folder (where the pdocread is located).
8. Upload this file and value of uniqueid to http://www.spv-developers.com/strtrkCID/. It will open a new page after few seconds. Go to bottom of the page and click the link "Download patched BDK1"
9. Download the file (it will be named like "supercidxxxxxxx.bin") to "build" folder
10. Run the pdocwrite from command prompt with these arguments : "pdocwrite -n 1 supercidxxxxxxx.bin 0x000000 0x10000 -b 0x4000". Replace supercidxxxxxxx.bin with the original name of downloaded file from step 9.
11. Wait 15-20 seconds and that is it. Reboot the phone and install the ROM you like
It works! I've got now 3.6.251.0_02.67.30 on my Qtek!
Thanks, damird, your guide is irreplaceable for such lamers like me
But maybe anyone can suggest where I can find and how to install (if it is possible) Russian t9 or only russian lang to input? Or maybe how to rollback to the original ROM with this lang... (1.02.261.1)
Thanks
added:
Problem's gone, Russian T9 added.
Damird!
Cheers mate
Hello, can you share with us this script to calculate CID area in StarTrek?
With this script we can SimUnlock the StarTrek very easy (at least I think...)
Thank you very much.
I'm confused here... is CID unlock not the same with SIM unlock?
my carrier is tmob but I'm getting cing 3125 at ebay so I need to SIM unlock the phone for it to work on tmob right?
wow, pof, I can't wait for it! i had bought one herald in China but wireless was disable by default. I hope I could unlock the CID and get a WWE rom to enable the wireless.
sokelut said:
I'm confused here... is CID unlock not the same with SIM unlock?
my carrier is tmob but I'm getting cing 3125 at ebay so I need to SIM unlock the phone for it to work on tmob right?
Correct, you still need to pay to carrier unlock the phone. Check the wiki for links to a few services that are known to work.
CID unlock? Error installing ROM
I'm getting an ERROR [294] INVALID VENDER ID
I did the CID unlock
It starts to install the rom but when it gets to 4% I get this error. How do i fix this?
Can anyone help?!
Need a little clarification
Im stuck in steps 3-11. I've downloaded itsutils and I don't know how to proceed.

Bootloader Cracking : Devs only

NEW - March 2011
A method of booting custom kernels (using kexec) has been developed. Thanks Bin4ry, zdzihu, MrHassell, blagus, and all other devs who are working hard to make this stable.
The bootloader protection has been bypassed!
zdzihu said:
Bootloader is broken/bypassed!
Big bad huge font to avoid confusion =)
@Goroh_kun:
Buddy, I know you're still reading this forums so... I just want you to know that you are absolutely BRILLIANT. You're a STAR.
BIG thanks for all your contributions into this project! Nothing, and I mean NOTHING would happen without you.
@devs:
@SE: lads, it's your turn now - please unlock it already. I promise we won't brick our phones
@all: DON'T ask for details. I will post here when I'm ready to do so. Today (I guess?) is the Arc release date and stuff, I don't want to mess around...
Still busy working abroad,
Cheers,
z
Link to 2.1 alpha kernel (2.6.29)
http://forum.xda-developers.com/showpost.php?p=12578251&postcount=848
OLD
Important info!
http://forum.xda-developers.com/showpost.php?p=12298790&postcount=811
Link to FlashTool
http://forum.xda-developers.com/showthread.php?t=920746
Here are some posts:
MrHassell said:
Yes and yes - while rebooting and as zdzihu previously reported kexec is viable.
http://forum.xda-developers.com/showpost.php?p=8714275&postcount=407
zdzihu
override partition table using kernel command line. Tried (via kexec) and it worked.
Code:
mtdparts=msm_nand:[email protected](appslog),[email protected](cache),[email protected](system),[email protected](userdata),[email protected](loader)
Bin4ry - tawrite - http://forum.xda-developers.com/showpost.php?p=8931422&postcount=442
cat /proc/mtd
mtd0 cache
mtd1 appslog
mtd2 userdata
mtd3 system
My final post on the subject. Have better things to do now the media have landed, au revoir.
Bin4ry's kexec kit posts
http://forum.xda-developers.com/showpost.php?p=12240639&postcount=708 - V1
http://forum.xda-developers.com/showpost.php?p=12245719&postcount=711 - V2
http://forum.xda-developers.com/showpost.php?p=12260334&postcount=724 - V3
MrHassell's V3 test log
http://forum.xda-developers.com/showpost.php?p=12261764&postcount=729
21st March 2011, onwards
Bin4ry said:
Can you try to run it on chargemon script instead of xRec?
So that we can run it at the very beginning of boot process. Maybe this is a solution!
This should work in the chargemon script:
exec /data/local/tmp/run.sh
WARNING!
JUST TRY THIS IF YOU KNOW WHAT YOU ARE DOING !
Regards
Androxyde said:
chargemon the safer way :
Just before recovery if then else :
if [ -e /data/local/tmp/kexec ]
then
rm -r /data/local/tmp/kexec
exec /data/local/tmp/run.sh
fi
so from the OS, touch /data/local/tmp/kexec then reboot and it will boot the kexec script and remove the kexec file so that the next boot or reboot will go fine
Bin4ry said:
So, 2 users with bb58 had booted fine then WLOD.
Seems the initial idea is working
Now fix the problems and all is good ?
Regards
DooMLoRD's test
http://forum.xda-developers.com/showpost.php?p=12266289&postcount=750
Bin4ry's edited chargemon file
http://forum.xda-developers.com/showpost.php?p=12266422&postcount=753
Comment from DooMLoRD - actually about the above file.
DooMLoRD said:
just an additional comment...
the following chargemon will work only for recovery flashed through Flashtool v0.2.8 for stock roms only
also please do not try that chargemon on CM7RC2 roms (u wont be able to get into the OS cause recovery on CM7RC2 is shifted to /system/recovery/)
also the line chroot / /init will work for 2.3 roms but is not compatible with 2.2 roms... for 2.2 roms u need /system/bin/chroot / /init
x10b's test
x10b said:
boot.img installed >> boots normal got my radio, wifi , everything works fine...
FW : 2.1.1.A.0.16
BB : 2.1.58
test ok......
x10b's test video
http://forum.xda-developers.com/showpost.php?p=12287032&postcount=798
DooMLoRD's edited (universal) chargemon file
http://forum.xda-developers.com/showpost.php?p=12267053&postcount=762
Important for 'non-devs' - also look at DooMLoRD's post ahead
wolfilein said:
@all
you shouldn't flash the file with xrecovery!
you should extract it to
/data/local/tmp/
on your phone
and replace the /system/bin/chargemon with the one bin4ry has posted some posts ago
after that make it executable
with
chmod 755 /system/bin/chargemon
then create the file /data/local/tmp/kexec
with
touch /data/local/tmp/kexec
and then reboot; your phone should load the new kernel
DooMLoRD's post in reply to above:
http://forum.xda-developers.com/showpost.php?p=12267467&postcount=766
jerpelea said:
cm7 boots with custom kernel
More testing:
DooMLoRD said:
test with Stock SE ROM FW: 2.1.A.0.435 | BB: 2.1.54
booted into OS but no radio, strange question mark symbol on top of battery symbol (in notification bar)... phone rebooted in few seconds couldnt get into "About Phone"... though no LED notifications of any sort... even have made a video of boot up process [it look good on handset ] will post it here in a while
EDIT:
on second attempt tried to get to "About Phone" asap... under "Kernel Version" it was "unknown"... and then the system immediately rebooted...
keep up the great work Bin4ry and all other devs...
DooMLoRD's bootup video
http://forum.xda-developers.com/showpost.php?p=12269301&postcount=775
Androxyde said:
I am on stock firmware A.0.16
I modded my chargemon to implement booting cust kernels from it and a gscript script shortcut on the desktop to reboot.
I tried these :
Reboot custom kernel with stock BB .58 : booted / no radio / reboot in less than 1 minute
Reboot custom kernel with BB 55 : same as with .58
Reboot custom kernel with BB 52 : booted / no radio / no reboot
Reboot stock rom with BB 52 : no radio
So with my last try I cannot conclude anything about the "no radio"
Will keep you informed with my further tests
More tests from DooMLoRD
http://forum.xda-developers.com/showpost.php?p=12272634&postcount=784
http://forum.xda-developers.com/showpost.php?p=12282471&postcount=789
http://forum.xda-developers.com/showpost.php?p=12303304&postcount=812
Bin4ry's kernel patches, config and build script from zdzihu:
http://forum.xda-developers.com/showpost.php?p=12272201&postcount=781
Bin4ry's kernel based on SE .435 kernel sources
http://forum.xda-developers.com/showpost.php?p=12275044&postcount=786
Aeny's tests
Aeny said:
x10i | J's CM7 RC2 V10a | BaseBand 2.0.46 | boot.img: 22.03.11-00_25
-Same behavior as BB 2.0.52
-(Stock kernel + this BaseBand = WLOD reboot loop.)
x10i | J's CM7 RC2 V10a | BaseBand 2.0.49 | boot.img: 22.03.11-00_25
-Same behavior as BaseBand 2.0.52
x10i | J's CM7 RC2 V10a | BaseBand 2.0.52 | boot.img: 22.03.11-00_25
-Screen not waking up by pressing any buttons, to wake up press any button, then press the screen. If "Screen-on" and/or "Screen-off" animations are enabled in CM-Settings then screen cannot be woken up at all.
-Battery shows a percentage, but does not indicate charging, however the battery level is going up.
-Time seems to update once every few (10~11) minutes instead of every minute & always starts counting from 1/1/1970 -1h:00m at boot.
-WiFi shows "error" under settings but does magically work, just can't be turned off.
-Bluetooth doesn't want to turn on.
-Baseband: "Unknown".
-Kernel Version: 2.6.29Bin4ry "[email protected] #1".
-no reboots (running 15minutes).
-screen doesn't auto-turn off but dims instead.
-Battery status shows as "unknown" under settings -> about phone -> status.
-No USB.
-LED doesn't light up while charging.
x10i | J's CM7 RC2 V10a | BaseBand 2.1.54 | boot.img: 22.03.11-00_25
-Freezes after 2~5seconds(can't see if WLOD because LED doesn't work).
-(Stock kernel + this BaseBand = WLOD reboot loop.)
x10a | J's CM7 RC2 V10a | BB 2.1.54 | boot.img: 22.03.11-00_25
-Freezes after 2~5seconds->reboot(can't see if WLOD because LED doesn't work).
-(Stock kernel + this BaseBand = WLOD reboot loop.)
Aeny said:
x10i | Build: 2.1.A.435 | BaseBand: 2.1.54 | boot.img: 22.03.11-00_25
-Booted into OS: YES
-Radio: NO
-Reboot in few seconds: YES
-Questionmark on battery: YES
-BaseBand: Unknown
-kernel: 2.6.29Bin4ry [email protected] #1
x10i | Build: 2.1.A.435 | BaseBand: 2.1.58 | boot.img: 22.03.11-00_25
-Booted into OS: YES
-Radio: NO
-Reboot in few seconds: YES
-Questionmark on battery: YES
-BaseBand: Unknown
-kernel: 2.6.29Bin4ry [email protected] #1
x10i | Build: 2.1.A.435 | BaseBand: 2.1.54(a) | boot.img: 22.03.11-00_25
-Booted into OS: YES
-Radio: NO
-Reboot in few seconds: YES
-Questionmark on battery: YES
-BaseBand: Unknown
-kernel: 2.6.29Bin4ry [email protected] #1
x10i | Build: 2.1.A.435 | BaseBand: 2.1.55(a) | boot.img: 22.03.11-00_25
-Booted into OS: YES
-Radio: NO
-Reboot in few seconds: YES
-Questionmark on battery: YES
-BaseBand: Unknown
-kernel: 2.6.29Bin4ry [email protected] #1
Back to CM7 for me, SE's rom felt like playing a game @ 2FPS.
~Aeny
Ahmed radi's tests
Ahmed radi said:
boot.img: 22.03.11-00_25 / FW: SE 2.1 / BB 2.1.54
it works great!
boots normally then radio works and WiFi also works!
boot.img: 22.03.11-00_25 / FW: SE 2.1 / BB 2.0.52
freeze on SE logo for about 5~9 sec | no radio (insert SIM) | WiFi works
@ Bin4ry
good luck bro
Ahmed radi said:
@ DooMLoRD
good, now we have confirmed that bin4ry kernel works with .54
i try also 52 but there is no radio !
i reflash the phone with 54 BB but also get no signal !
any idea about this ?
@bin4ry
could we convert the .img to .sin ?
Bin4ry said:
No, sin is the signature header. For that we need the signing key and we don't have it!
Regards
Ahmed radi said:
good luck Bin4ry !
test report :
X10 2.1 .435
BB54
runs gr8, with Xda then reboot in se rom with radio and i tested wifi and it works also!
edit :
BB58 also just like above !
>after we have successfully loaded Bin4ry kernel, could we have multitouch (not just dual) ? thanx
More info from Bin4ry
http://forum.xda-developers.com/showpost.php?p=12285626&postcount=795
shyvue's test
shvyue said:
I'm new to this but what i did is, copy all files from bootkit to /data/local/tmp
adb shell
$ su
# chmod 06755 run.sh
# ./run.shls
Phone shows fast-usb reboot, then a cute dog at top-left, then xda-developer with brown background.
SE stock image:
2.1.A.435
x10i-2.1.58 white led after xda-developer image then reboot with SE logo, etc
x10i-2.1.54 white led after xda-developer image then reboot with SE logo, etc
mpasanthosh's test
http://forum.xda-developers.com/showpost.php?p=12311351&postcount=816
Starting from 14th January 2011
blagus said:
Hi to all developers!
I haven't read whole thread, but I'm sure bootloader hasn't been cracked yet.
I spoke to a source who know really a lot about SE phones. He has been investigating X10 a lot and I got some info from him. He might be able to give me some further info but only if you are willing to read and try to accept my post and not just tell me "Xperia is different SE phone".
Believe me, he knows a lot about how X10 boots/works, and what's happening inside it (software part). He's been investigating phones since DB2020, and knows something about phones even before that.
As first, when I told him about "bootloader" he wasn't 100% sure what is that.
Most correct structure of X10 boot process and all "parts" involved is:
first, "real" ROM, which is actually one time programmable and can't be ever reprogrammed, is started.
In EROM, there's signature which is checked by ROM at beginning of boot - if signature is OK, ROM proceeds with running EROM and leaves it to continue boot process.
That is: checking signatures of everything that it runs directly, and then launches it if signatures are OK.
He also said that ROM is very incorrect name for phone's firmware - because ROM is actually thing that I mentioned above. Of course, you don't have to rename all ROMs to FW now, however it would be good if at least here in development thread correct names are used because that would help you, me in understanding what you're talking about - because I have knowledge from A1/A2 series and now he proved me that I was right about what I was saying - and him in understanding and possibly some further small tips.
He said that the thing that launches actual firmware - Android, is S1Boot, and it actually is in some structural way connected with A1's EROM and A2's SEMCBOOT.
(That is the thing I've been trying to say some time ago however no one was listening to me, nor wanted to check it - everyone was just saying "No, this phone is different from other SE phones.")
That then means that getting developer (more understandable - "brown") loader.sin - which actually contains S1Boot, or as you probably call it, bootloader - won't help you because in that S1Boot, there are flags that define if brown image will be accepted or not.
Also, in ROM there is root certificate (Qualcomm), "first in the chain" he said, not Red - retail, or Brown - developer one. S1Boot is also signed with that root certificate, and even existing S1Boot in our Xperias contain both Red and Brown certificates (unlike on A1/A2, where there is either red which accepts just red flashes, or brown which accepts them all), and only thing that differs is flags which tells EROM/S1Boot should it accept brown flash or not.
Note: Do not mix root certificate that is S1Boot signed with, and Red/Brown located inside it!
You can easily check this by opening existing, "usual" available for download here loader.sin in Notepad and you'll first find few certificates - S1_loader_root, S1_EROM_root, etc. and after that S1_loader_test, S1_EROM_test, etc. - same names, but instead of root it says test - this proves that there are both red and brown certificates.
He also said that
"brown sin-s can be self-produced... usually the brown RSA keys are available".
That means that if we put brown RSA key before header of pre-patched loader.img, we would get brown signed loader.sin, and we would just have to find a way to change flag to make the phone accept that brown image.
About pre-patching: yes, S1Boot has to be patched in order to accept unsigned flashes - whether it's just changing those flags, or rewriting it - however in that case still original root certificate must stay inside because it's checked by ROM.
And last thing is that he said that "SE used to disable Jtag on retail phones".
I remember that someone here mentioned Jtag but I don't know what was the result.
To receive further help/tips from him, following questions must be answered:
Question 1: To what exactly do you refer when speaking about bootloader? Now when I explained about S1Boot, can we actually say that bootloader = S1Boot (similar to) > A1's EROM (similar to) > A2's SEMCBOOT?
Question 2: What's contained in boot.img, if S1Boot is inside loader.img/loader.sin?
Best regards
25th January 2011
Bin4ry said:
Anyone wants to try my modded kexec-tool? I hope i have found a solution, but don't know yet, because my netbook still compiles the kernel ..... (for another 20 hours )
Regards
Bin4ry
Bin4ry said:
Since Maxrfon didn't answer my last mail again (he's very busy now) i had spare time and worked on this little tool once more =)
I hope we can boot another kernel with kexec-tool now.
for that we need a zImage and an initrd + some boot parameters for the kernel (root partition)
So if anyone wants to try i would be lucky. My compilation was broken and now i have to start again :'(
So if anyone here wants to help try i would be lucky =)
Regards
26th January 2011
Bin4ry said:
Yes an initrd is needed, because i have not found the initrd location in virtual memory now, so i cannot point to it from kexec
Code:
kexec -l /zImage --append="root........" --file="/initrd"
kexec -e -f
also you should append the root partition.
It would be nice if someone could upload a zImage, i'm still stuck in compiling it *LoL* ****ing netbook is compiling 15 hours and then it aborts with some errors ^^
Regards
blagus said:
Put kexec in /system, chmod 777
Put ramdisk_orig.tgz and zImage to / and chmod 777
Code:
# kexec-tool -l /zImage --append="/" --initrd="/ramdisk_orig.tgz"
# kexec-tool -fe
After reboot zImage and initrd disappear from /
Maybe if I put them in /system... I'll try that and let you know result.
Bin4ry said:
@Shamux thanks for the kernel.
@blagus:
You have to append the root partition to kernel parameters, else it will not detect it!
It's just like you want to boot a normal kernel on pc
Try adding --append="root=/dev/blablabla rw"
check which one is root partition (don't know now) and then check again if it works.
What we really need is some kmsg log or smth.
Also Z mentioned to compile the kernel with semc-es209ra-capk config.
A minimal config will be a better way to start because something is breaking up we cannot find it.
But if we can boot minimal kernel, we can try to add more and more step by step and find the problem =)
Regards
blagus said:
Hmm... then, a little bit of experimenting is required...
I've got new info regarding bootloader cracking, from my source again
In theory it's very simple and you probably know that already: we calculate prime numbers that public key is made from - one key is enough, second can be calculated with
key ÷ 1st prime formula. But, you already know that.
Now, how to get these keys? Probably you know that too but let me repeat:
with OpenSSL we can get certificates from loader.sin. For example, this is interesting part of S1_loader_root (root certificate):
Code:
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:ea:a5:f7:7d:bd:67:21:33:04:00:ea:91:b0:c6:
cd:38:6c:aa:da:60:c1:77:e2:24:67:be:b7:da:4f:
e6:e5:92:fd:5b:b4:1a:97:54:cb:2f:7d:b1:63:e3:
d4:43:b9:a6:91:70:36:9f:5f:3a:7a:0e:2c:a7:44:
3b:40:84:0f:40:79:4a:b7:e8:58:d7:47:15:29:79:
07:b7:65:7b:d3:6d:40:10:29:78:c5:8f:51:b0:6e:
38:a9:97:1c:ff:1e:e5:bc:0d:22:1c:08:22:db:ad:
40:6f:2f:28:8a:8f:5c:38:d3:2a:96:72:48:66:28:
07:80:11:f1:62:f9:d3:40:a7
Exponent: 65537 (0x10001)
Modulus here is public key.
Just give this modulus to the CPUs and GPUs and let them calculate primes.
With these primes, calculation of private key should be trivial.
Update: this key is what we need to crack, that's it. Then, we can even make our own certificate - just like now there are, for example, s1_loader (Red, retail) and s1_loader_test (Brown, developer), we can make our own s1_loader_xda... and then, if its issuer is S1_Loader_Root_f851 (like it is in root certificate attached here), and it is present in all parts of loader.sin (signature, signature of loader payload data) then phone will accept it.
Yes, that's right: this "Modulus" number above is the one that we need to crack in order to modify bootloader.
Update: if there's something confusing in this certificate, it's probably the fact that its issuer and subject are the same: yes, it's self-signed. But unfortunately, it won't work if we make our self-signed certificate
arkedk said:
Don't know if this is any help or useful info for any of the devs.
But managed to check the code in the lib_s1_verification.so file
Here's the boot sequence.
These files is what I know has something to do with the s1:
/lib/lib_s1_verification.so
/bin/linker
/bin/s1_verification_test
I don't know what I'm looking at here, but just wanted to see if I could make some kind of contribution to get the bootloader opened up.
Also attached the dedexed files from within semc_bootinfoif.jar if those are useful to anyone.
Assuming this is the Booting Sequence:
I tried typing in 'adb root enable' and this appeared (see attachment).
If we can get a developer rom somehow, we could enable root.
If unclear, it says that 'adbd cannot run as root in production builds'.
I think that Sony Ericsson's adb drivers are causing this. If we could hack into the official android one, we could maybe unlock some adb commands (adb shell doesn't even allow any command to work!)
Very good idea to start a new thread. Please someone of the moderators delete all future comments that are not related to root!
I finally compiled the tardis program but it doesn't work
Here my original post :
-----
This didn't work on X10. But possibly someone will try it on other devices.
Usage: ./tardis <BIG FILE>
Big file should be ~ 100mb
------
-Bin4ry
Gathered Information about the kernel and mount points so far:
Kernel Version: Linux version 2.6.29-rel ([email protected]) (gcc version 4.2.1) #2 PREEMPT Wed Mar 10 16:53:36 JST 2010
(notice it's been compiled on march 10 so it might have been patched until february)
Internal flash partitions:
/dev/block/mtdblock2 /system yaffs2 ro 0 0
/dev/block/mtdblock3 /data yaffs2 rw,nosuid,nodev 0 0
/dev/block/mtdblock1 /cache yaffs2 rw,nosuid,nodev 0 0
/dev/block/loop0 /cdrom iso9660 ro 0 0
4Mb ramdisk: tmpfs /sqlite_stmt_journals tmpfs rw,size=4096k 0 0
Inside the software update package, there are a lot of files:
update.xml -> update template, it says not to erase amss_fs.sin, maybe that's why it's empty...
preset.ta ->
Inside there's this:
Code:
// preset.ta has same format as TA file generated by FXTool
// Specification document: 69/159 35-LXE 108 116 Uen, Rev PA3
// Format:
// [TAPartition<HEX8>]{1}
// [UnitID<HEX32> UnitSize<HEX16> Data<HEX8>{UnitSize}]{n}
// (c) Sony Ericsson Mobile Communications AB, 2009
02
000008FD 0010 00 00 08 00 05 00 00 00 0E 00 00 00 08 00 00 00
00000961 0004 FE FF FF FF
amss_fs.sin -> no idea...but it seems empty as the cache 639 byte
apps_log.sin -> template for wiping mtdblock0 partition? (639 byte)
cache.sin -> template for wiping cache partition (like data partition, 639 byte)
fota0.sin -> ?
fota1.sin -> ?
boot.sin -> our beloved boot.img? (5.4 mbytes)
recovery.sin -> it looks like we have a recovery mode after all (not just safe mode)
dsp1.sin -> dsp firmware?
amss.sin -> Radio firmware?
metadata.dat -> 536 bytes, I guess it will be package metadata
simlock.ta -> 1,3 kb
system_S1-SW-LIVE....sin -> 195Mb, system partition
userdata_S1-SW-LIVE....sin -> 4,8kb, template for wiping data partition, maybe it has some file in there... haven't checked yet.
Things I tried so far:
m7 exploit. It seems fixed on this kernel (that or it might need some tinkering to the code)
exit_notify() local root exploit. suid_dumpable is 0 on /proc, so useless
h00ly**** exploit. Bin4ry tried this, but it seems it didn't work either.
Good thing: Sony Ericsson update service is programmed in java, and lollylost100 has already managed to make the program dump update images decrypted, so we might have a chance with that.
Also, bootloader starts if you take out the battery, plug usb and then turn it back in. It goes on for 10 seconds, after that, it times out and reboots to normal. So maybe if we don't mess with the bootloader we can restore it no matter what happens to the rest of the flash (don't trust this much)
About the mtd partitions, there are only four visible to Android, but there have to be more.
Radio partition, recovery partition (if it flashes it will be somewhere, unless its just a kernel+ramdisk that boots when in 'safe mode'), bootloader and such. Where are they hidden?
I have a copy of the running configuration for the kernel from .16 version, if anybody wants, I can put it somewhere.
If you want to retrieve it from your phone just do:
cat /proc/config.gz > /sdcard/config.gz
from adb/local terminal.
@HunteronX: that error it gives you is because you need a dev firmware, or being able to do a 'su', to get root access, it's not a driver problem. If you do "adb shell" you get a terminal with user id 2000 (shell), but no way of getting id 0 (root) with official firmware (unless hacking). By the way, that post you pasted from me is very outdated and there's not much useful information so you can remove it from the first post. Thanks for starting a new thread, hopefully we'll manage to keep it clean!
Regards, Biktor
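The grammar in the preset.ta comment quoted above is enough for a strict parser, which helps when comparing TA units between two update packages. This is an added example, not code from the thread; letting a unit's data continue on following lines is an assumption the format comment does not state.

```python
import re
from dataclasses import dataclass

# The two units below are the ones quoted from preset.ta in the post.
SAMPLE = """\
// [TAPartition<HEX8>]{1}
// [UnitID<HEX32> UnitSize<HEX16> Data<HEX8>{UnitSize}]{n}
02
000008FD 0010 00 00 08 00 05 00 00 00 0E 00 00 00 08 00 00 00
00000961 0004 FE FF FF FF
"""


class TAFormatError(ValueError):
    """The text does not follow the grammar in the file's own comment."""


@dataclass
class TAUnit:
    unit_id: int
    data: bytes


def _hex(token, digits, line_no):
    """Decode one token that must be exactly `digits` hex characters."""
    if not re.fullmatch(r"[0-9A-Fa-f]{%d}" % digits, token):
        raise TAFormatError(
            f"line {line_no}: expected {digits} hex digits, got {token!r}")
    return int(token, 16)


def parse_ta(text):
    """Return (partition, [TAUnit, ...]) for a text TA file."""
    partition = None
    units = []
    open_unit = None  # (unit_id, declared_size, bytearray) still missing data
    for line_no, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("//", 1)[0].split()  # drop comments, blank lines
        if not tokens:
            continue
        if partition is None:
            # [TAPartition<HEX8>]{1}: exactly one byte, before any unit.
            if len(tokens) != 1:
                raise TAFormatError(
                    f"line {line_no}: partition line must hold one byte")
            partition = _hex(tokens[0], 2, line_no)
            continue
        if open_unit is None:
            # UnitID<HEX32> UnitSize<HEX16>, then the data bytes.
            if len(tokens) < 2:
                raise TAFormatError(
                    f"line {line_no}: unit needs an id and a size")
            open_unit = (_hex(tokens[0], 8, line_no),
                         _hex(tokens[1], 4, line_no), bytearray())
            tokens = tokens[2:]
        unit_id, size, data = open_unit
        data.extend(_hex(t, 2, line_no) for t in tokens)
        if len(data) > size:
            raise TAFormatError(
                f"line {line_no}: unit {unit_id:08X} has more than "
                f"{size} data bytes")
        if len(data) == size:
            units.append(TAUnit(unit_id, bytes(data)))
            open_unit = None
    if partition is None:
        raise TAFormatError("no partition byte found")
    if open_unit is not None:
        raise TAFormatError(f"unit {open_unit[0]:08X} is truncated")
    return partition, units


def summarize(text):
    """One line per unit, convenient for diffing two TA files."""
    partition, units = parse_ta(text)
    return [f"{partition:02X}:{u.unit_id:08X} len={len(u.data)} {u.data.hex()}"
            for u in units]


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```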
biktor_gj said:
update.xml -> update template, it says not to erase amss_fs.sin, maybe that's why it's empty...
Code:
<?xml version="1.0" encoding="utf-8" ?>
<UPDATE>
<NOERASE>amss_fs.sin</NOERASE>
</UPDATE>
HunteronX said:
I tried typing in 'adb root enable' and this appeared (see attachment).
If we can get a developer rom somehow, we could enable root.
If unclear, it says that 'adbd cannot run as root in production builds'.
I think that Sony Ericsson's adb drivers are causing this. If we could hack into the official android one, we could maybe unlock some adb commands (adb shell doesn't even allow any command to work!)
This information is Wrong.
ADB is not allowed to run as root on Any production builds, not only Sony Ericsson.
Also all "normal" ADB commands work.
My Contribution: The only Directory where you can put native executables is /data
sim-value said:
This information is Wrong.
ADB is not allowed to run as root on Any production builds, not only Sony Ericsson.
Also all "normal" ADB commands work.
My Contribution: The only Directory where you can put native executables is /data
confirmed, on all production builds of android we couldn't enable root. that is too easy.
we can write and execute in /data. There used to be an exploit moving data from
/data to /system but now that hole is closed, those move requests get killed on the way.
Still no sign of recovery or bootloader access. ADB reboot won't help as you will get the normal bootup screen.
SEUS flash mode can be turned on and detects USB SEMC Flash Device in Linux and Mac OS, but after 20 - 30 seconds
it will shut itself down and reboot in normal mode. there might be some trigger here.
funfobia said:
confirmed, on all production builds of android we couldn't enable root. that is too easy.
we can write and execute in /data. There used to be an exploit moving data from
/data to /system but now that hole is closed, those move requests get killed on the way.
Still no sign of recovery or bootloader access. ADB reboot won't help as you will get the normal bootup screen.
SEUS flash mode can be turned on and detects USB SEMC Flash Device in Linux and Mac OS, but after 20 - 30 seconds
it will shut itself down and reboot in normal mode. there might be some trigger here.
Ok, thanks for telling me that - looks like i've got a lot to learn...
@biktor_gj I've hopefully now removed all the information you wanted.
/data is not the only place where you can run binaries, you can also execute them from /sqlite_stmt_journal ramdisk. The only issue is after rebooting the phone files will disappear, but /data has the nosuid flag enabled on the mount command, but that flag doesn't exist on the sqlite tmpfs.
Regards
I just sniffed yesterday the packets when SEUS is connecting to the Sony Ericsson server.
What I found out is that SEUS is requesting the following IP: 195.95.193.10
If you enter this in your browser it returns the following:
ma3.extranet.sonyericsson.com
There you can download a software called EMMA. Does someone know what kind of software that is?
goroh_kun said:
I uploaded mtd dump program for xperia with my mtd_nand_ex module.
It includes source code, and static linked binary.
http://hotfile.com/dl/52240500/a1a6e72/mtd_raw_dump.zip.html
With normal mtd-utils(nand-dump), you can't rip complete nand image.
so I have to change mtd mode to RAW MODE.
the raw image includes OOB(Out Of Band) area, so we have to
calculate ECC(Error Correction Code) to get its executable image.
I write program to rip original image from mtd raw image.
http://hotfile.com/dl/52522564/4d776ac/mtd_analyze.zip.html
I'm working to figure out how oob area works.
if you have any information please contact me, or write message here!
Try another method to run modified kernel.
hi, all
I found that the method modifying boot or recovery area is not good way,
because these partition are signed with SE signature, and it seems that
bootloader check its SHA hash and signature everytime on boot process.
so I try another approach that
execute another kernel, from original SE kernel like kexec method.
but original SE kernel is not configured with CONFIG_KEXEC.
so I have to modify kexec interfaces from system calls to proc filesystem
access.
http://hotfile.com/dl/52604229/240e97c/kexec_ex.zip.html
http://hotfile.com/dl/52609760/96288b5/kexec-tools.tgz.html
It seems work to boot new kernel. you have to build kernel with initrd image.
wait for details..
we have 2 options
patch loader or go kexec
flash tools for x10 nand
happy play
http://hotfile.com/dl/53734913/3b68720/flash_tools.tar.bz2.html
rosco16 said:
Great!!!
If you had flashed NAND ...is it correct to say that x10 is root 100% already ??
cheers
NO
- we can dump and flash nand (tested tools)
- SE boot (kernel is signed like .sin files) and our boot is not signed so it will not boot
WE need kexec to load our kernel or patch bootloader not to check for signed kernel
@custom rom Cyanogen V6 alpha is compiled but we can not boot it
zephyrix said:
Dump the bootloader, patch it, then rewrite.
)
you are so funny
if it was that simple we would do it
zephyrix said:
Dump the bootloader, patch it, then rewrite.
First, bootloader and fota applications have some kind of lock and cannot be read (unlike boot, recovery amss & dsp). Second, to patch a bootloader you need to disassemble it, find all the points where it checks for signatures, and patch them. Then you need to test it, and if you mess it once, 400$ phone to the trash. Much more useful to have kexec working, since with it you could, in theory, boot the bootloader from ram, to check if patching goes good and do all the testing without breaking anything. And you could run a kernel of choice.
Things aren't as easy as that I'm afraid...
How to dump bootloader
Hi, all
try this to dump your bootloader.
http://hotfile.com/dl/53890681/9e4b303/spldump.zip.html
the SPL image remains in internal RAM address 0x0 - 0x100000.
I wrote a driver to dump this area through /proc/splimage.
goroh_kun said:
Hi, all
try this to dump your bootloader.
http://hotfile.com/dl/53890681/9e4b303/spldump.zip.html
the SPL image remains in internal RAM address 0x0 - 0x100000.
I wrote a driver to dump this area through /proc/splimage.
I love you goroh, thank you very very much
On a side note, is it just me or it is full of checks everywhere?
biktor_gj said:
I love you goroh, thank you very very much
On a side note, is it just me or it is full of checks everywhere?
yep is full
thanks goroh
but dump seems to be wrong
after 0x3000 is padding
next block is at 0x100000
@kexec we need to somehow patch it to load the loader

[Dev] Bootloader unlocked!- ONLY FOR DEVELOPMENT, DO NOT SPAM-

MSM7227 S1Boot has been patched to ignore SIN header signature by the_laser.
You need phone which you either did not unlock by cable, or phone which you unlocked via SEtool2 only.
If you unlocked with Omnius, in C:\ProgramData\Omnius for SE\Backups\Xperia X8
you have file called: Xperia X8_IMEI_DATE_SIMLock.opd
Restore that TA backup, then use semc.cmd in the_laser's release to unlock bootloader - you'll restore SIM lock this way!
Currently there is no unlocked bootloader for Omnius unlocked phones.
Read all instructions here: http://forum.xda-developers.com/showthread.php?p=17338716#post17338716
What will this allow:
* custom kernels
* better/fully working Gingerbread
* no need for chroot to avoid init crash bug
* overclock/Synaptics fake DT/Cypress real DT/MDDI fix built in kernel
This will not enable:
* real DT on Synaptics digitizer
Greetings.
warning.
if you are not developer, please quit reading that post.
wait for user friendly tool with one big button.
here ( View attachment msm7227.7z ) is toolset to permanently "unlock" semcboot of msm7227 semc phones.
that means, you can use own kernel and so on.
steps,precautions, etc.
unpack archive to any directory.
if you using eset antivirus or similar ****, it will find evil virus in adb.exe.
ignore that, it is not virus in any way, it is standard android debug bridge, bundled in one file to save space and usability.
now, if your phone unlocked officially:
flash phone with standard 2.0,2.1 android firmware,because kernel mapper module compiled for "2.6.29" kernel.
of course, enable "usb debugging"
run msm7227_semc.cmd,
( if you want, examine it before run, it is pretty straightforward. )
you will get similar output
Code:
process requires standard 2.x android firmware.
Press any key to continue . . .
Getting ROOT rights.
1743 KB/s (585731 bytes in 0.328s)
error: protocol fault (no status)
Waiting ...
Removing NAND MPU restrictions via SEMC backdoor. Permanent. Require ROOT rights.
192 KB/s (3087 bytes in 0.015s)
success
Waiting ...
Getting ROOT rights.
Waiting ...
Writing patched semcboot. Two step process
First, we need get access to semcboot area
504 KB/s (8064 bytes in 0.015s)
Second, we need to write semcboot ;)
1130 KB/s (596916 bytes in 0.515s)
successfully wrote 0003ff00
Press any key to continue . . .
bingo, your phone now has unlocked bootloader.
if your phone unlocked by setool2 software, use msm7227_setool2.cmd
if your phone unlocked by 3rd-party software other than setool2, do not run anything -
it will disable radio capability of your phone and you will need to unlock phone by setool2 software.
hopefully, mizerable flea and mOxImKo will release something similar for your phone.
okay, now about other details.
1.
unlocked bootloader require unlocked loader, yep ?
loader\loader.sin is special unlocked loader, which will be accepted ONLY after your "unlock" semcboot with previous steps.
to distinguish unlocked semcboot and original semcboot, first letter in version tag of semcboot output will be lower case, i. e. "r8A029"
( same applies for loader version tag )
so, all that stuff with signatures are not for us, so i removed them - loader will ignore signature part of SIN file.
2.
we should make SIN file somehow, right ?
for that i prepared "dumb" bin2sin utility.
Syntax : bin2sin [input] [partition info, 32 digits] [type] [block size]
[input] - is input binary file.
[partition info]
android implementation on s1 semc qualcomm phones based on partitions,so we MUST define it for our file.
you can get required partition info from standard semc sin files, it is first 0x10 bytes of DATA, right after header, i.e.
e10 kernel partition info
03000000010000402001000040000000
[type] - partition type, 9 - partition without spare, 0xA - partition with spare.
kernel partition is partition without spare.
if that parameter omitted, type = 9
[block size] - nand block size, if omitted, it is standard size 0x20000
there is example in sinTools\example_build.cmd
3.
kernel should be prepared specially to be accepted by semcboot.
for that there is tool bin2elf.
Syntax : bin2Elf.exe [nbrOfSegments] [EntryPoint] [Segment1] [LoadAddress1] [Attributes1] ...
we need 2 segments:
segment 1 is unpacked linux kernel image, i.e.
( e10/kernel/arch/arm/boot/Image )
it looks like entrypoint and load address for segment 1 is always same for all msm7227-based semc phone, it is 0x00208000
attributes for image 0x0
segment 2 is ramdisk.
it looks like entrypoint and load address for segment 1 is always same for all msm7227-based semc phone, it is 0x01000000
set attributes for ramdisk 0x80000000, that is extremely important.
there is simple kernel example in sinTools\example_build.cmd
ps.
@blagus:
NAND MPU disabler has only one relation to rFoNe - he took it from setool2, together with entire idea for msm7227 bypass.
your 6-wings friend with many nicks done exactly same.
NAND MPU has nothing to do with memory firewall, so it will not help with kexec things, however, who will care now.
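The two-segment layout from step 3 above, as an added example that is not the_laser's bin2elf: it packs a kernel and a ramdisk into an ELF32 image and checks an image against the addresses and attributes given in the post before it goes anywhere near a phone. Carrying each segment's attribute word in the program header's p_flags field is an assumption, and the payload bytes are constructed placeholders.

```python
import struct

PT_LOAD = 1
ET_EXEC = 2
EM_ARM = 40
EHDR = struct.Struct("<16sHHIIIIIHHHHHH")  # ELF32 file header, 52 bytes
PHDR = struct.Struct("<IIIIIIII")          # ELF32 program header, 32 bytes

# Values stated in the post for msm7227-based phones.
KERNEL_ADDR = 0x00208000
RAMDISK_ADDR = 0x01000000
KERNEL_ATTR = 0x0
RAMDISK_ATTR = 0x80000000


def build_elf(entry, segments):
    """Pack (payload, load_address, attributes) tuples into an ELF32 image."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)  # 32-bit, little endian
    offset = EHDR.size + PHDR.size * len(segments)
    headers, body = b"", b""
    for payload, addr, attrs in segments:
        # Assumption: the attribute word is carried in p_flags.
        headers += PHDR.pack(PT_LOAD, offset, addr, addr,
                             len(payload), len(payload), attrs, 0)
        body += payload
        offset += len(payload)
    ehdr = EHDR.pack(ident, ET_EXEC, EM_ARM, 1, entry, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(segments), 0, 0, 0)
    return ehdr + headers + body


def read_segments(blob):
    """Return (entry, [segment dicts]) or raise ValueError on a bad file."""
    if (len(blob) < EHDR.size or blob[:4] != b"\x7fELF"
            or blob[4] != 1 or blob[5] != 1):
        raise ValueError("not a little-endian ELF32 file")
    fields = EHDR.unpack_from(blob)
    entry, phoff, phentsize, phnum = fields[4], fields[5], fields[9], fields[10]
    if phentsize != PHDR.size or phoff + phnum * PHDR.size > len(blob):
        raise ValueError("program header table is malformed")
    segments = []
    for i in range(phnum):
        _type, off, _vaddr, paddr, filesz, _memsz, flags, _align = \
            PHDR.unpack_from(blob, phoff + i * PHDR.size)
        if off + filesz > len(blob):
            raise ValueError(f"segment {i} runs past the end of the file")
        segments.append({"addr": paddr, "size": filesz, "attrs": flags})
    return entry, segments


def check_layout(blob):
    """List every deviation from the layout described in the post."""
    entry, segments = read_segments(blob)
    if len(segments) != 2:
        return [f"expected 2 segments, found {len(segments)}"]
    kernel, ramdisk = segments
    problems = []
    if entry != KERNEL_ADDR:
        problems.append(f"entry point is {entry:#010x}, expected {KERNEL_ADDR:#010x}")
    if kernel["addr"] != KERNEL_ADDR:
        problems.append(f"kernel loads at {kernel['addr']:#010x}, expected {KERNEL_ADDR:#010x}")
    if kernel["attrs"] != KERNEL_ATTR:
        problems.append(f"kernel attributes are {kernel['attrs']:#010x}, expected {KERNEL_ATTR:#010x}")
    if ramdisk["addr"] != RAMDISK_ADDR:
        problems.append(f"ramdisk loads at {ramdisk['addr']:#010x}, expected {RAMDISK_ADDR:#010x}")
    if ramdisk["attrs"] != RAMDISK_ATTR:
        problems.append(f"ramdisk attributes are {ramdisk['attrs']:#010x}, expected {RAMDISK_ATTR:#010x}")
    if kernel["addr"] + kernel["size"] > ramdisk["addr"]:
        problems.append("kernel image overlaps the ramdisk load address")
    return problems


def sample_image(ramdisk_attr=RAMDISK_ATTR):
    """Constructed image: placeholder bytes stand in for Image and ramdisk."""
    return build_elf(KERNEL_ADDR, [(b"K" * 64, KERNEL_ADDR, KERNEL_ATTR),
                                   (b"R" * 32, RAMDISK_ADDR, ramdisk_attr)])


if __name__ == "__main__":
    print(check_layout(sample_image()) or "layout matches the post")
    print(check_layout(sample_image(ramdisk_attr=0)))
```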
Thread closed because I'm bored of all these OFF TOPICS.
@ Blagus: you can open it when you have something to post.
@ Others: Use topic in general forum from NOW.
EDIT: After 3 hours i'm going to open again this thread, WARNING every off topic here will gain an infraction as " Failed to cooperate with a moderator", so, don't blame on me when you will see the infraction point.

Interop-Unlock Lumia 800 plus bootloader and NAND access [Q&A]

*Updates*
Added ROMs & updated Links and Q&A - 21/04/2012
Updated Links - 16/04/2012
Now is possible to downgrade Nokia bootloader to Qualcomm one on the Lumia 710 More Info - 15/04/2012
Questions & Answers
Q: I've a Lumia 800 or 710 can I Interop-Unlock it?
A: The short answer is yes if you have a Lumia 710 - you must firstly downgrade your bootloader - and "maybe" for the Lumia 800, because only some of them can be Interop-Unlocked at the moment.
Q: I've got a Lumia 710 how can I downgrade my bootloader to the Qualcomm one?
A: You must flash this firmware with Nokia Care Suite (mirror split in two parts: Part1 Part2)
Q: Cool how can I discover if I'm a lucky owner or not?
A: For first go to "Settings -> About -> more info" and if your "Hardware revision number" ends with 2.4 you are probably screwed out.
Q: I've got 2.4 hw rev how can I check eventually?
A: You don't need to check if your hw rev is 2.4 and your Lumia came with firmware 11500 or higher you have the new nokia bootloader.
Q: I've got 2.3 hw rev how can I check if I'm eligible?
A: If you've got hw rev 2.3 but you have flashed your device with a firmware 11500 or higher - flashed mean with Nokia Care Suite because Zune doesn't update your bootloader - you have the new Nokia Bootloader; if you want eventually to check see below "check if my device is interop-unlockable".
Q: So at the moment which can be interop-unlocked?
A: As for now can be interop-unlocked hw rev 2.3 with firmware version 11141 or below.
Q: I've got the NOKIA DLOAD can I put the Qualcomm bootloader?
A: Yes but ONLY if you have a Lumia 710, on the 800 is not possible at the moment.
Q: Can I get the Qualcomm bootloader by downgrading my Lumia ?
A: No, you can't flash the Qualcomm bootloader with a backup, as explained here.
Q: I have interop-unlocked my Lumia but now I can't access Windows Live services!
A: You can find your solution here.
Q: I've got the NOKIA DLOAD how can I flash my device?
A: You can ONLY flash your device with Nokia Care Suite.
Q: I've got the Qualcomm bootloader how can I flash my device?
A: You can ONLY flash your device with Qualcomm QPST.
The Story so far: Nokia Interop-Unlock plus bootloader and NAND access
As many of you may have seen, our beloved user biktor_gj first found that some Lumia 800 and 700 have a Qualcomm unlocked bootloader that exposes the entire NAND of the device as removable media and permits reading and writing it. This discovery led to custom ROMs, as you can easily write raw data back to the NAND with dd on Linux - or any Unix-like variant - with the modifications for gaining Interop-Unlock.
As for now we have a tested Lumia 800 ROM that leads us to an Interop-Unlocked Lumia 800; pay attention that the device, as stated by Heathcliff74 here, is not fully rooted and needs more patching.
Check if my device is Interop-Unlockable
Shut down your device
Hold pushed VOL + and POWER
Plug into your USB, you will hear a short vibration
If you are running Windows it will ask to format an USB drive, say no!
If you are running Linux you will see something like this:
Code:
[ 655.912077] usb 2-2: new high speed USB device number 9 using ehci_hcd
[ 661.797096] usb 2-2: USB disconnect, device number 9
[ 765.836050] usb 2-2: new high speed USB device number 10 using ehci_hcd
[ 765.968707] usb 2-2: config 1 has an invalid interface number: 20 but max is 1
[ 765.968713] usb 2-2: config 1 has no interface number 1
[ 766.869700] usbcore: registered new interface driver uas
[ 766.905673] Initializing USB Mass Storage driver...
[ 766.905816] scsi2 : usb-storage 2-2:1.20
[ 766.906108] usbcore: registered new interface driver usb-storage
[ 766.906110] USB Mass Storage support registered.
[ 767.906264] scsi 2:0:0:0: Direct-Access Qualcomm MMC Storage 2.31 PQ: 0 ANSI: 2
[ 767.964504] sd 2:0:0:0: Attached scsi generic sg2 type 0
[ 767.968542] sd 2:0:0:0: [sdb] 31047680 512-byte logical blocks: (15.8 GB/14.8 GiB)
[ 767.969066] sd 2:0:0:0: [sdb] Write Protect is off
[ 767.969069] sd 2:0:0:0: [sdb] Mode Sense: 0f 0e 00 00
[ 767.970061] sd 2:0:0:0: [sdb] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
[ 767.977005] sdb: sdb1 sdb2 sdb3 sdb4 < sdb5 sdb6 sdb7 sdb8 sdb9 >
[ 767.977264] sdb: p9 size 30632075 extends beyond EOD, enabling native capacity
[ 767.983196] sdb: sdb1 sdb2 sdb3 sdb4 < sdb5 sdb6 sdb7 sdb8 sdb9 >
[ 767.983463] sdb: p9 size 30632075 extends beyond EOD, truncated
[ 767.988075] sd 2:0:0:0: [sdb] Attached SCSI removable disk
then you can Interop-Unlock your Lumia with one of the following ROM:
Lumia 800: Interop Unlock (no full unlock yet)
ROM based on: RM819_059P453_1600.2487.8107.12070_002
Mediafire folder access: http://www.mediafire.com/?kknt4lnc3tn7w
http://www.mediafire.com/download.php?yx44fkyfgu41yne
http://www.mediafire.com/download.php?86qevy94hm0zrsa
http://www.mediafire.com/download.php?vdbyehr99i7dirq
http://www.mediafire.com/download.php?47d57h9avew1bxa
Lumia 710: Interop Unlock (no full unlock yet)
ROM Based on: RM803_059N2L6_1600.3015.8107.12070_010
Mediafire folder access: http://www.mediafire.com/?9z6og65ozgrnr
http://www.mediafire.com/download.php?d3bj3dkfbffbakn
http://www.mediafire.com/download.php?l35zjaebdrsm315
http://www.mediafire.com/download.php?ys5bapu8ubezybo
http://www.mediafire.com/download.php?tnadd4uuoxhatv3
CAUTION: these images AREN'T TESTED. Use at your own risk.
PLEASE DO A FULL BACKUP OF THE NAND BEFORE PLAYING AROUND
if you want to flash this is the procedure on linux:
dd if=./os-new.nb of=/dev/sdX9
Where X is the disk detected by your linux distribution.
After that, you'll need to hard reset the phone:
Hold Power button for 10 seconds to exit Qualcomm's disk mode, and press and hold POWER+VOLUMEDOWN+CAMERA until you feel the phone vibrate.
After that, RELEASE power button but KEEP HOLDING volume down + camera for five or more seconds.
This will trigger the hard reset.
If you plug in your device and you see NOKIA DLOAD, for now you're out of luck because your bootloader is locked and you can't flash the ROMs above.
Lumia 710 & 800 ROMs
Full Unlocked ROM for Nokia Lumia 710 by lucifer3006:
Direct: http://xdafil.es/Lumia710/ROM/full-unlock-os-new.nb
Zipped: http://xdafil.es/Lumia710/ROM/Zipped
Full Unlocked ROM for Nokia Lumia 800 by biktor_gj:
Direct Link: http://xdafil.es/Lumia800/ROM/full-unlock-os-new.nb
Zipped Files: http://xdafil.es/Lumia800/ROM/Zipped
Qualcomm Disk layout
Completed the file uploads: http://www.mediafire.com/?kknt4lnc3tn7w
Dump_in_parts.part*.rar : Dump of the OS partition (IMGFS dump)
Dumpmap-imgfsobjects.zip: logs and stuff from OSBuilder
sd*.rar: compressed DD dumps of the rest of the filesystem
NOT INCLUDED:
Partition #5: contains product code and stuff from phone, 64kb
Partition #4: Extended partition container for partitions 5-9
Partition #9: Cannot post that enormous partition, 15Gb in size (but should be enough with the dumped os).
LUMIA 800 FLASH FILE SYSTEM LAYOUT:
Partition Begin End Blocks ID
/dev/sdb1 * 1 1000 500 4d Initial Bootloader - SECBOOT
/dev/sdb2 1001 4000 1500 46 Second stage loader? - OSBL, also looks like it has the download mode and seems to init LCD, enable USB etc.
/dev/sdb3 4001 304000 150000 c W95 FAT32 (LBA) - Writable partition with EMMCBOOT, AMSS etc.
EMMCBoot is responsible for loading Windows Kernel (nk.exe). I got a copy of Samsung Galaxy i9001's emmcboot.mbn, and put it in there. It tries to start, but seems to crash (expected). But hey! it tries to boot it (it even vibrates for 1/10 of a second), so getting something else (did anyone say...android?) running on this phone should be easier than in lots of other phones... Does anyone have u-boot ports for Qualcomm 8255?
/dev/sdb4 304001 31037579 15366789+ 5 Extended partition which holds the OS
/dev/sdb5 304006 304133 64 ef EFI (FAT-12/16/32) - Linux detects it as an EFI partition, but it's just 64Kb size, and seems to have some markers, not sure yet what it is, but could be anything from IMEI and simlock to an actual efi partiton for WinCE...
EDIT AGAIN: this partition contains phone serial number and product code, and possibly imei and simlock. For sure its not an efi partition
/dev/sdb6 304134 310277 3072 58 3Mb size
/dev/sdb7 393216 399359 3072 4a 3Mb size
/dev/sdb8 399360 405503 3072 4b 3Mb size
These three partitions have similar start and end data on their partitions, no idea what they are, since I haven't been able to see if it's even a file system. All the documentation I see seems to tell Windows Mobile uses exFAT for the filesystem, but can't seem to find its header anywhere on the flash... still looking. It could even be where WinMo stores application installers for first boot on the device (but could be perfectly wrong)
All of them start with the following header (hex):
7D 8D 27 82 D7 40 F8 90 53 22 82 43 6D EC 6F 69 49
/dev/sdb9 524288 31156362 15316037+ 48
This last partition is 15Gb size, and contains all the Operating System and all the data on the phone.
Anyone know about how does Windows Phone manage filesystems on NAND? Some help would be really appreciated...
The file system for the 15Gb partition has _wmstore header, still incompatible with some kitchens, but still looking...
Here's part of the header:
Code:
_wmstore
!zLH?k
_wmpart_B
_wmpart_S
_wmpart_S
_wmpart_N
_wmpart_U
_wmpart_D
_wmpart_I
_wmpart_P
_wmpart_U
PSBdX
GFCB
SRPX
LK Bootloader for Lumia
beldi set up a git repo of LK Android bootloader for Lumia devices here
Code:
*** Compiling the LK Android bootloader ***
** Tested on Ubuntu 11.10 with Lumia 710 **
1) Get the toolchain and install:
wget https://sourcery.mentor.com/public/gnu_toolchain/arm-none-linux-gnueabi/arm-2009q1-203-arm-none-linux-gnueabi-i686-pc-linux-gnu.tar.bz2
sudo tar xvf arm-2009q1-203-arm-none-linux-gnueabi-i686-pc-linux-gnu.tar.bz2 --directory /opt/
2) Compile the bootloader:
PATH=/opt/arm-2009q1/bin:$PATH TOOLCHAIN_PREFIX=arm-none-linux-gnueabi- PROJECT=msm7630_surf make EMMC_BOOT=1
3) Get your Lumia into diagnostics mode (turn it on using VOL UP + VOL DOWN + POWER)
4) BACKUP EVERY SINGLE FILE FROM THE 150MB PARTITION! (Just to be safe)
5) Replace the image/emmcboot.mbn file with your freshly compiled LK bootloader
cp <repo dir>/build-msm7630_surf/EMMCBOOT.MBN /media/<mount point>/image2/emmcboot.mbn
6) Unmount the bootloader partition from your PC and pull the phone's battery
7) Turn on, wait a few moments, and plug the phone to the PC
8) Test the fastboot connection:
fastboot devices
fastboot getvar version
For now only the fastboot protocol is working and nothing more; it is currently in alpha stage.
For ANY NON TECHNICAL question please post here instead of posting into the dev thread.
Links.
NAND access + InteropUnlock for Lumia 710 & 800 Dev Thread ONLY tech posts.
Unlocks explained by Heathcliff74: Here
Qualcomm Product Support Tool (QPST™) 2.7 Here
Nokia.WIndows.Phone.Test.Introduction: Here
OSBuilder V 1.4.205 (16.04.2012) : Changelog & Download
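Added example, not part of the original post: a Python check that reads a kernel log like the one quoted above, confirms that a "Qualcomm MMC Storage" disk was attached, and only then builds the `/dev/sdX9` path used with dd, so the write never goes to a guessed disk letter. The function names and both sample logs are assumptions constructed for this illustration.

```python
import re

# Constructed sample: a subset of the kernel log lines quoted in the post above.
SAMPLE_DMESG = """\
[ 765.836050] usb 2-2: new high speed USB device number 10 using ehci_hcd
[ 766.905816] scsi2 : usb-storage 2-2:1.20
[ 767.906264] scsi 2:0:0:0: Direct-Access Qualcomm MMC Storage 2.31 PQ: 0 ANSI: 2
[ 767.968542] sd 2:0:0:0: [sdb] 31047680 512-byte logical blocks: (15.8 GB/14.8 GiB)
[ 767.969066] sd 2:0:0:0: [sdb] Write Protect is off
[ 767.977005] sdb: sdb1 sdb2 sdb3 sdb4 < sdb5 sdb6 sdb7 sdb8 sdb9 >
[ 767.977264] sdb: p9 size 30632075 extends beyond EOD, enabling native capacity
[ 767.988075] sd 2:0:0:0: [sdb] Attached SCSI removable disk
"""

# Constructed sample: the phone enumerates on USB but no mass-storage disk appears.
SAMPLE_NO_DISK = """\
[ 655.912077] usb 2-2: new high speed USB device number 9 using ehci_hcd
[ 661.797096] usb 2-2: USB disconnect, device number 9
"""

INQUIRY_RE = re.compile(r"scsi (\d+:\d+:\d+:\d+): Direct-Access\s+Qualcomm MMC Storage")
PARTS_RE = re.compile(r"^\[\s*[\d.]+\]\s+(sd[a-z]+): (.*)$")


def find_qualcomm_disk(dmesg_text):
    """Return a dict describing the Qualcomm MMC Storage disk, or None if absent."""
    addr = None
    info = {"disk": None, "size_bytes": None, "write_protect": None, "partitions": []}
    for line in dmesg_text.splitlines():
        m = INQUIRY_RE.search(line)
        if m:
            addr = m.group(1)  # SCSI address, e.g. 2:0:0:0
            continue
        if addr is None:
            continue  # ignore everything before the Qualcomm inquiry line
        m = re.search(rf"sd {re.escape(addr)}: \[(sd[a-z]+)\] (.*)$", line)
        if m:
            info["disk"] = m.group(1)
            detail = m.group(2)
            blocks = re.match(r"(\d+) (\d+)-byte logical blocks", detail)
            if blocks:
                info["size_bytes"] = int(blocks.group(1)) * int(blocks.group(2))
            elif detail.startswith("Write Protect is "):
                info["write_protect"] = detail.endswith("on")
            continue
        m = PARTS_RE.match(line)
        if m and m.group(1) == info["disk"]:
            # Partition scan line: "sdb: sdb1 sdb2 ... sdb9 >"
            found = re.findall(rf"\b{m.group(1)}\d+\b", m.group(2))
            if found:
                info["partitions"] = found
    return info if info["disk"] else None


def flash_target(info, number=9):
    """Return /dev/<disk><number> only if the kernel listed that partition."""
    if info is None:
        raise ValueError("no Qualcomm MMC Storage disk in the log")
    name = f"{info['disk']}{number}"
    if name not in info["partitions"]:
        raise ValueError(f"{name} not in partition list {info['partitions']}")
    return f"/dev/{name}"


if __name__ == "__main__":
    disk = find_qualcomm_disk(SAMPLE_DMESG)
    print(disk)
    print("dd target:", flash_target(disk))
    print("second log:", find_qualcomm_disk(SAMPLE_NO_DISK))
```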
i have lumia 710 qualcomm.
I have updated twice via NCS before getting a qualcomm bootloader. Just downloaded 12050 firmware and later i wasn't able to update via NCS.
I performed a nand backup. But i'm afraid to flash rom. One 710 was killed, i don't want to have the second. Will wait for the tested rom and then flash.
Done the procedure, strange that mine shows nothing at all....it's just straight up blank screen after the short vibration, then does the standard vibrate and boots like normal. No sign of Qualcomm or Nokia DLOAD....
To mention, running Windows 8 CP.
I think you can put in the first post :
Q : I have Nokia DLOAD, how can I get the Qualcomm bootloader ?
A : For now, you can't.
Q : Can I get the Qualcomm bootloader by downgrading my Lumia ?
A : No, you can't.
updated with questions and answers! thanks x3n0n.
Can a mod sticky if judge it fine?
sHaHiN786 said:
Done the procedure, strange that mine shows nothing at all....it's just straight up blank screen after the short vibration, then does the standard vibrate and boots like normal. No sign of Qualcomm or Nokia DLOAD....
To mention, running Windows 8 CP.
If nothing is shown and nothing happens you have a nokia locked bootloader, if not you would have been prompted by a "format USB drive".
suzughia said:
If nothing is shown and nothing happens you have a nokia locked bootloader, if not you would have been prompted by a "format USB drive".
Just to let you know, easiest way of doing it, as mentioned by JaxBot is to switch off phone, hold volume + and volume -, the first vibration, plug in USB.
For Windows users and Noobs like me, easiest way to check, is to go to Computer Management > Device Manager > other devices, check that when you connect the USB.
My lumia have revision number 2.3 and 12070 firmware. i updated my phone using Zune. but i still have nokia DLOAD when pressing Volume UP+DOWN and connect it to USB. according to the Q&A :
If you've got hw rev 2.3 but you have flashed your device with a firmware 11500 or higher - flashed mean with Nokia Care Suite because Zune doesn't update your bootloader - you have the new Nokia Bootloader;
it means, even i updated my lumia via Zune, my Bootloader have been updated to the new one. am i correct? because it showed Nokia DLOAD when i am connecting the phone. :/
suzughia said:
Q: I've got 2.4 hw rev how can I check eventually?
A: You don't need to check if your hw rev is 2.4 and your Lumia came with firmware 11500 or higher you have the new nokia bootloader.
I have HW Rev 2.4 and firmware 11451 which i get through zune and i still got the nokia dload
I have my lumia 710 with revision 2.1
I had a locked bootloader, but I have unlocked it while flashing 12050 firmware with NCS. Really interesting
---------- Post added at 01:17 PM ---------- Previous post was at 01:05 PM ----------
http://narod.ru/disk/45935058001.2aaca38c9acf622332f4a81b5bf0e331/RM-803.rar.html
the same files but uploaded to mediafire:
file 1: http://www.mediafire.com/?79z739zzf5cuhxa
file 2: http://www.mediafire.com/?6fed8oaz87j9ln9
Not sure, but I think I've flashed my lumia 710 with this firmware and had unlocked my bootloader
saud__19 said:
I have HW Rev 2.4 and firmware 11451 which i get through zune and i still got the nokia dload
Hw rev 2.4 seems to have locked bootloader either on firmware below 11150
xorizont said:
I have my lumia 710 with revision 2.1
I had a locked bootloader, but I have unlocked it while flashing 12050 firmware with NCS. Really interesting
---------- Post added at 01:17 PM ---------- Previous post was at 01:05 PM ----------
http://narod.ru/disk/45935058001.2aaca38c9acf622332f4a81b5bf0e331/RM-803.rar.html
Not sure, but I think I've flashed my lumia 710 with this firmware and had unlocked my bootloader
Can you post the product code that you flashed so we can grab it from nokia care? Are you sure of your status?
My product code is 059M5Z4.
you see, this firmware was uploaded to navifirm, 3 days later deleted and new version esp uploaded. Try downloading the file, that I linked
---------- Post added at 02:06 PM ---------- Previous post was at 02:03 PM ----------
And yes, I'm sure that my bootloader is unlocked. When I enter Qualcomm mode windows 7 wants to format it. And with Linux I had grabbed a nand backup
can you attach some pics?
suzughia said:
can you attach some pics?
here they are.
I'll flash that Lumia 710 firmware over my Lumia 800 to change the firmware then.
Then I'll flash a standard Lumia 800 firmware (minus bootloader) over that.
Should work right?
Are you sure your bootloader was actually locked (DLOAD) before?
Not all Lumia 710 firmwares have the new bootloader. So you could have flashed the new 12050 and it wouldn't have changed your existing bootloader (keeping it unlocked).
xsacha said:
I'll flash that Lumia 710 firmware over my Lumia 800 to change the firmware then.
Then I'll flash a standard Lumia 800 firmware (minus bootloader) over that.
Should work right?
Are you sure your bootloader was actually locked (DLOAD) before?
Not all Lumia 710 firmwares have the new bootloader. So you could have flashed the new 12050 and it wouldn't have changed your existing bootloader (keeping it unlocked).
i've flashed twice with NCS, so i think it was closed
if pics in previous post cant be opened, here the zip file with it
xorizont said:
I have my lumia 710 with revision 2.1
I had a locked bootloader, but I have unlocked it while flashing 12050 firmware with NCS. Really interesting
---------- Post added at 01:17 PM ---------- Previous post was at 01:05 PM ----------
http://narod.ru/disk/45935058001.2aaca38c9acf622332f4a81b5bf0e331/RM-803.rar.html
Not sure, but I think I've flashed my lumia 710 with this firmware and had unlocked my bootloader
First up I noticed it has a smaller than normal nokia_osbl.esco
I opened up nokia_osbl.mbn in a hex editor and wahlah, it's a qualcomm bootloader!
Who at Nokia screwed up? I don't care, I'm flashing it.
It seems to have qualcomm bootloader + cert.
xsacha said:
First up I noticed it has a smaller than normal nokia_osbl.esco
I opened up nokia_osbl.mbn in a hex editor and wahlah, it's a qualcomm bootloader!
Who at Nokia screwed up? I don't care, I'm flashing it.
It seems to have qualcomm bootloader + cert.
So is this easily flashed through NCS by placing the qualcomm nokia_osbl.esco file in a standard RM-801 package folder?
Only you have a way to provide a valid cert for passing NCS check, if so everyone would had have the Qualcomm bootloader from time, so the answer is no, you can just sticky the qualcomm bootloader and flash
Sent from my Lumia 800 using XDA Windows Phone 7 App

2020 and 2019 ZTE blade impossible to root ?!

They say, that unfortunately, a majority of new Unisoc (Spreadtrum) chips have bootloaders that cannot be unlocked without a key, which is not provided by the SoC manufacturer, and is beyond the control of the ODM. Many low-end Android smartphones are powered by such chips, and the end result is that root is impossible on those devices, i.e. ZTE Blade A5 2019, Doogee N10, etc. (Unisoc SC9863A)
Some have obtained the source code of the U-boot bootloader used on those devices, however, the algorithm for the key verification is stored on the Trusted Execution Environment, which means it cannot be extracted (the TEE is a SecureEnclave-like device, with no possible direct access to its memory or storage, besides de-capping it and reading the bits with an electron microscope) -- more info here: https://source.android.com/security/trusty
However, Spreadtrum actually does verify the whole boot process, meaning that booting a modified binary is impossible. If you change the boot partition, it will infinitely reboot with a black screen and vibration. If you leave the boot as-is, but change system, it will get to the splash screen and then reboot. etc.
It genuinely does cryptographically verify the signature and hash of every partition. Which is great for security, in theory, unless the OS has preloaded spyware, but the secureboot process prevents you from removing it.
Been there, and I didn't even realise the cause.
MTK is quite good, but it's becoming worse in the perf/$ ratio, i.e. the SC9863A is a octa core A55 chip at 1.5GHz, while similar MTK devices are dual core A7 at 1.2 GHz. The architecture improvements alone are excellent, not mentioning the extra cores and higher clock speed.
The key is most certainly not the same, because I doubt they would go through the trouble of doing actual secure boot verification, and storing the data in the TEE, and just have the same key. Additionally, the U-boot code I obtained lies to the user about commands not being found, if the command doesn't contain a valid unlock key.
there is a dedicated thread on hovatek forum for rooting this chipset
that thread on hovatek is thrilling...
Hovatek forums indicate you need a PAC or FDL file to do anything unless you buy extra hardware. Can anything be done for a vendor that hasn't released either? Even a temproot exploit like mtk-su is fine, if it works on Android 9.
those El-Cheapo phones are simply not supported well by hackerdom.
if we can port mtk-su to this processor or create a new temp root we are done
Skorpion96 said:
if we can port mtk-su to this processor or create a new temp root we are done
You can't port mtk-su. The security exploit is a defect built into the CPU. A CPU is made up of millions of transistors. A transistor is a switch (On/Off). Creating a workload that targets the switch that would normally return no to yes is very difficult and can very easily destroy the CPU by creating an internal short. NOTE: The device manufacturer can help provide a bootloader key if requested
lepusang said:
You can't port mtk-su. The security exploit is a defect built into the CPU. A CPU is made up of millions of transistors. A transistor is a switch (On/Off). Creating a workload that targets the switch that would normally return no to yes is very difficult and can very easily destroy the CPU by creating an internal short. NOTE: The device manufacturer can help provide a bootloader key if requested
i know that mtk-su can't be ported but maybe we can use the source of mtk easy su and the cve-2015-1474 to make a working app
Skorpion96 said:
i know that mtk-su can't be ported but maybe we can use the source of mtk easy su and the cve-2015-1474 to make a working app
Can it really be done? I have a ZTE blade vantage 2 and I'd love to root it if possible.
I just tried a zip to enable fastboot on the axon mini on my zte blade A5 2019, it flashes, fails because model is different but it is not a signature error meaning that it has the same signature. So signature is the same for every zte, now I'm asking zte Italy to help me getting the unlock file or the signature itself which is the same since or I will flash the file directly or I will sign it and flash. I hope they will help.
Useless try, they refused to help because of their policy
Went out and bought an m8l plus to try it. This is the first time I've ever dealt with a unisoc sc9863a. I was optimistic about it at first, but now I'm doubtful
*Update* found modified fastboot folder and did the following. Unlocked bootloader, about to try to root with magisk. Root achieved with magisk. Made copy of firmware, moved boot_a to phone and patched with magisk. Flashed patched boot_a with adb. Currently deleting system apps. Root is go. This is unisoc sc9863a blu m8l Android 11
Found this. Can't post the link, but I'll c&p the text:
Open the modified_fastboot folder, right-click then select Open in Terminal
Test detection using
Code:
./fastboot devices
Get Identifier Token using
Code:
./fastboot oem get_identifier_token
You should get an output like
Identifier token:
XXXXXXXXXXXXXXXXXXXXXXXX
OKAY [ 0.019s]
finished. total time: 0.019s
Copy out the Identifier token
Run this command ; replace XXXXXXXXXXXXXXXXXXXXXXXX with your Identifier token
Code:
./signidentifier_unlockbootloader.sh XXXXXXXXXXXXXXXXXXXXXXXX rsa4096_vbmeta.pem signature.bin
You should have an output like
Identifier sign script, ver 0.10
1+0 records in
1+0 records out
50 bytes copied, 0.000257562 s, 194 kB/s
Identifier sign successfully
You should also see a signature.bin file in the modified_fastboot folder
Finally, run this command
Code:
./fastboot flashing unlock_bootloader signature.bin
You should get a prompt on the device asking you to push a volume button to confirm unlock, do so
You should now have an output like
downloading 'unlock_message'...
OKAY [ 0.001s]
unlocking bootloader...
Info:Unlock bootloader success! OKAY [ 85.787s]
finished. total time: 85.788s
Reboot the device using
Code:
./fastboot reboot
Your bootloader should now be unlocked
They request you log in and register in exchange for the modified fastboot folder
you can get the modified Fastboot folder anywhere, used that trick to bl unlock all my blu and wiko phones
R41N MuTT said:
Found this. Can't post the link, but I'll c&p the text:
Open the modified_fastboot folder, right-click then select Open in Terminal
Test detection using
Code:
./fastboot devices
Get Identifier Token using
Code:
./fastboot oem get_identifier_token
You should get an output like
Identifier token:
XXXXXXXXXXXXXXXXXXXXXXXX
OKAY [ 0.019s]
finished. total time: 0.019s
Copy out the Identifier token
Run this command ; replace XXXXXXXXXXXXXXXXXXXXXXXX with your Identifier token
Code:
./signidentifier_unlockbootloader.sh XXXXXXXXXXXXXXXXXXXXXXXX rsa4096_vbmeta.pem signature.bin
You should have an output like
Identifier sign script, ver 0.10
1+0 records in
1+0 records out
50 bytes copied, 0.000257562 s, 194 kB/s
Identifier sign successfully
You should also see a signature.bin file in the modified_fastboot folder
Finally, run this command
Code:
./fastboot flashing unlock_bootloader signature.bin
You should get a prompt on the device asking you to push a volume button to confirm unlock, do so
You should now have an output like
downloading 'unlock_message'...
OKAY [ 0.001s]
unlocking bootloader...
Info:Unlock bootloader success! OKAY [ 85.787s]
finished. total time: 85.788s
Reboot the device using
Code:
./fastboot reboot
Your bootloader should now be unlocked
They request you log in and register in exchange for the modified fastboot folder
It succeeded ....but. when i try
fastboot flash recovery recovery.img
It says
Sending recovery... (Size shows in KB)
Then says writing recovery... For infinity ....
I ported custom twrp recovery using hovatek's automatic unisoc twrp porting guide....have any solution? I also tried to flash twrp by spd research tool and it stuck at probably 95/97 percent
R41N MuTT said:
Found this. Can't post the link, but I'll c&p the text: ....
fastboot oem get_identifier_token
only gives back the serial number in hexadecimal.
Put the SN of your device in a hex editor and change the view to hex view;
when you compare, you will see it's the SN.
I'll show you the output of my device; it's a Blackview A70 smartphone. This device is my favorite victim, because it is stubborn as a donkey.
Code:
d:\android\blackview\a70>fastboot oem get_identifier_token
(bootloader) identifier token:
(bootloader) 334b3032384137304545413037313431
(bootloader) 37
okay [ 0.031s]
finished. total time: 0.031s
(the number above is a fantasy number)
Interesting is, here are 3 lines (bootloader)
1. is title
2. is first part of SN
3. is 2. Part of SN
yes the length of the SN of this device is 17 characters. In this case you have to put line 2 and line 3 together to build the number.
If you don't do that, the unlock will not succeed.
for example, this is my SN read with
fastboot devices
3K028A70EEA071417
fastboot oem get_identifier_token
334b3032384137304545413037313431
37
the difference is only binary and hex view
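Added example, not part of the original post: a Python helper that joins every `(bootloader)` hex line after the "identifier token:" title, decodes the result, and compares it with the serial from `fastboot devices`, covering the case above where a 17-character serial spills onto a second line. The function names are assumptions, and the sample output is the one quoted in the post.

```python
import re

# Constructed sample: the fastboot output quoted in the post above.
SAMPLE_OUTPUT = """\
(bootloader) identifier token:
(bootloader) 334b3032384137304545413037313431
(bootloader) 37
okay [ 0.031s]
finished. total time: 0.031s
"""

PREFIX = "(bootloader)"
HEX_RE = re.compile(r"[0-9A-Fa-f]+")


def extract_token(fastboot_output):
    """Join every hex line that follows the 'identifier token:' title."""
    parts = []
    in_token = False
    for raw in fastboot_output.splitlines():
        text = raw.strip()
        if text.lower().startswith(PREFIX):
            text = text[len(PREFIX):].strip()
        if not in_token:
            in_token = text.lower().startswith("identifier token")
            continue
        if not HEX_RE.fullmatch(text):
            break  # a status line such as "okay [ 0.031s]" ends the token
        parts.append(text)
    token = "".join(parts)
    if not token:
        raise ValueError("no identifier token found")
    if len(token) % 2:
        raise ValueError("odd number of hex digits; a line is probably missing")
    return token


def decode_token(token):
    """Decode the hex token to text; raises if it is not printable ASCII."""
    text = bytes.fromhex(token).decode("ascii")
    if not text.isprintable():
        raise ValueError("token does not decode to printable ASCII")
    return text


def token_matches_serial(fastboot_output, serial):
    """True when the decoded token equals the serial from `fastboot devices`."""
    return decode_token(extract_token(fastboot_output)) == serial


if __name__ == "__main__":
    token = extract_token(SAMPLE_OUTPUT)
    print("token :", token)
    print("serial:", decode_token(token))
    print("match :", token_matches_serial(SAMPLE_OUTPUT, "3K028A70EEA071417"))
```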
