Kin 2 nvidia tegra - KIN Two Software Development

So I tried to flash android on to the phone using the tegra 250 images when I realized I need the apx series images for android. The thing about that is I can't find them anywhere. Anyone have any idea where a development site for the tegra apx series is? It seems Nvidia has no support for the old series anymore.

How do you upload android to the phone? What program or steps do you use? Is there a debug mode or recovery mode? I believe we have to make our own images.

I was using a program provided by nvidia for programming a tegra based development kit. It is capable of flashing android and windows ce 6. If anybody with more experience would like to take a look at the drivers, images and program, here are the files.
http://tegradeveloper.nvidia.com/tegra/downloads

Don't the images you are looking for have to have drivers for the hardware interfaces specific to this phone?

stetkas said:
Don't the images you are looking for have to have drivers for the hardware interfaces specific to this phone?
I wasn't exactly worried about the hardware working as much as getting android onto the tegra and viewing the os. Creating drivers is the easy part.

dezgrz said:
I wasn't exactly worried about the hardware working as much as getting android onto the tegra and viewing the os. Creating drivers is the easy part.
Do you think you could write a driver for this?
APX
USB\VID_0955&PID_7416&REV_0103
USB\VID_0955&PID_7416
This VID supposedly belongs to Nvidia. This is the device that is found by Windows if you plug your phone into the usb when it is turned off and then press the u+s+b+power buttons.

I tried the Recovery Mode, like the person described above me, and it came up with the APX device. So, if someone makes a driver for that, then we might be able to jailbreak it? (iPod Touches and iPhones jailbreak through Recovery Mode.) This doesn't seem much different from an iPhone or an iPod Touch.

I found out a driver that we might be able to modify to give us access. I downloaded both the froyo and c36 downloads available from the tegra site that was mentioned earlier. http://tegradeveloper.nvidia.com/tegra/downloads
These file paths could be different if your hard drive has a different drive letter and perhaps also if you have a 64-bit processor, but I found the drivers in the following directories.
C:\Program Files\NVIDIA Corporation\tegra_froyo_20101105\usbpcdriver\NvidiaUsb.inf
C:\Program Files\NVIDIA Corporation\ce6_tegra_250_5265393\os\usbpcdriver\NvidiaUsb.inf
These drivers have the hardware ID in the inf file and so Windows recognizes it and starts to install the driver and finishes, but says there is an error. I'll keep working on it though.

So, the drivers do actually work; it was my computer that was causing the problems, not the drivers. Now that the drivers are installed I think we can use the SDKs provided by Nvidia on the Tegra download page.
If this works, we now have a serious decision to make. Do we try to get android on the phone or do we stick with the Windows CE based os?

mcdietz said:
So, the drivers do actually work; it was my computer that was causing the problems, not the drivers. Now that the drivers are installed I think we can use the SDKs provided by Nvidia on the Tegra download page.
If this works, we now have a serious decision to make. Do we try to get android on the phone or do we stick with the Windows CE based os?
Personally, I would rather stick with current OS. Just because I don't want to brick my phone. Maybe have some additions to the current OS? Enable hidden features or something? Customizations? etc?

First off, I wanted to thank everyone who is working on trying to develop an update to improve on the Kin Two. I currently am interested in getting the TWOm when my contract expires but there is a dealbreaker for me, which is that the phone does not alert you when you have a missed call. I know there are other annoying flaws (pointed out in detail at the verizon forums by fisharefriends), but this is the only flaw I cannot deal with.
I do not know what is possible of being changed/edited, but I think mcdietz should focus on implementing basic functions that are currently not on the Kin Two phone, but are on other simple lower spec feature phones.

zero2duo said:
First off, I wanted to thank everyone who is working on trying to develop an update to improve on the Kin Two. I currently am interested in getting the TWOm when my contract expires but there is a dealbreaker for me, which is that the phone does not alert you when you have a missed call. I know there are other annoying flaws (pointed out in detail at the verizon forums by fisharefriends), but this is the only flaw I cannot deal with.
I do not know what is possible of being changed/edited, but I think mcdietz should focus on implementing basic functions that are currently not on the Kin Two phone, but are on other simple lower spec feature phones.
Implementing missing features.. That's a good start. Also, would it be possible to make it a USB device (so you can go into the phone and, let's say, change the default themes)?

@mcdietz
Hmm, I installed all those downloads a long time ago (I guess when posted or before), but didn't test the drivers with the APX connection.
It worked with errors in Linux connecting to the USB (got device errors while reading from the USB device) and didn't work with a virtual machine (though VMware detected it).
On the other hand, it worked OK on a Win7 real machine and got the driver installed.
I tried to flash android on the device, using the provided images (heh, tests...) and nvflash. But you always get an error on the first try and then, in further attempts, you get a "Starting flash" message loop which does nothing.
Same results if you try to do "nvflash --get-partitions" (stuck at 2nd attempt).
You may think that it's a non-working thing, but if you don't connect the device, nvflash.exe outputs that there is no USB device connected.
A little weird...
I would want to have android on the Kin (as I think that has more future than our WinCE version, looking @ tegra forums) and anyway, if we can somehow read/write the phone ROMs, we can make a backup of the current OS.

Installed the same tools on Linux (native, no emulation) and the flash option didn't work here either (normal / root user).
Code:
./nvflash --getpartitiontable test.log
outputs (if no phone connected)
Nvflash started
no usb phone found
outputs (if Kin on APX connected)
Nvflash started
rcm version 0X4
Command send failed (usb write failed)
in the first attempt. Then if called again, seems to get frozen on "Nvflash started" message.
Maybe the recovery has no way to get that data....

Windows Phone Connector?
Has anyone tried using the program WP7 Connector for the KIN? It works with the Zune HD, so why not the KIN?

Mmm just to inform....
This is what (physically) happens when the Kin is on the nvflash attempts. The phone must be just booted (no previous nvflash attempt in this boot).
Code:
PC <- Kin: 80 30 18 16 B9 E8 00 00
PC -> Kin: [1028 bytes of data]
PC <- Kin: 04 00 00 00
PC -> Kin: [39252 bytes of data]
Seems like the response we get (rcm 0x04000000), and the next writing is done with the device autolocked, so last PC -> Kin fails.
Further attempts do not try the same procedure but directly send the last 39252 packet again, failing and getting stuck.
Using some self-made software (because no other works so far), I repeated the same procedure, changing the first "byte pack" to send a lame pack, and this is the output:
Code:
# ./kingateway
Opening the controller
Checking for kernel attaching
Claiming the interface
Reading from the Kin.
Received data. 8 bytes. Content:
80 30 18 16 B9 E8 00 00
Writing [02 01 00 00] to the Kin.
Reading Kin response.
Received data. 4 bytes. Content:
08 00 00 00
Writing again to the Kin
KinGATEWAY:: Error while writing to the KIN. Error Code is -9 EXITING.
So in short, it fails again (haha, expected...really), but the second response from the Kin is not "0400...00" but "08 00 ... 00", meaning an rcm 0x0800..000 or whatever that means.
The above error ("autolock"), tagged as error code "9" in the program, is an integrity-defense method from the Kin, not for the flashing issue but for the "command sent" over USB, which is wrong or unknown on how to operate, and is called "Endpoint Stall". It is a way to express "You're doing it wrong and I won't hear you again".
One of my ideas is that this version of nvflash is not what was used to operate with the Kin and all we get are not errors or devil's corporation actions but incompatibility protections.
What we need, from my point of view, is the Tegra SDK and/or a document where the responses from an APX device are listed (like 0x04000 is "wrong certificate" and 0x08000 is "certificate too short", etc.), so we know what it's telling us. Maybe it's easier to contact nVidia for "old" SDKs than ROMs...

I hate to be a party crasher, but I think this thread needs to be bumped. Why did this thread randomly die? Maybe I'm missing something.

I believe it died because johnkussack doesn't have a working kin right now and I don't believe anyone else here wants to try things that may "brick" their phone (I'm one of them). I'm currently trying to buy another kin two (or, uh, two), then I'll definitely be digging deeper into those. I may try a hardware route on one and a software route on the other.
This is definitely the most exciting thread in the kin two section of xda!

It's been a while but I now have a working KIN device and can continue my efforts. Using the resume mode command to try and force nvflash to write to the kin it displayed a message that said "writing" and then displayed "Failed to perform the following commands: create". It's been a PITA but I feel I will get something written to the device soon.

dezgrz said:
It's been a while but I now have a working KIN device and can continue my efforts. Using the resume mode command to try and force nvflash to write to the kin it displayed a message that said "writing" and then displayed "Failed to perform the following commands: create". It's been a PITA but I feel I will get something written to the device soon.
Before doing what I underlined last, considering what I underlined first... I suggest that you do the reading part, relating to the partition listing.
Just a safe way to find out if the experiments work. Then you can write... with a bit of safety on your side. I mean... you know that testing things by writing could not be the best idea regarding brickings.


What we have tried and where to go from here

Ok, so we haven't had quite as much luck yet as we would have liked, but I think as we continue to try out different approaches we will have some luck. I think it might be beneficial for us to have an overview of what has been tried and what has been attempted thus far. So here is a list of things people have tried (please feel free to add anything that I may have left out or accidentally overlooked).
Registry Edit to access Zune storage
I believe this was the first approach that people took to gaining access to the KIN, and this link provides a great walkthrough.
Bitpim
This is a pretty good overview of what has been attempted through Bitpim. Recently some have even tried using some other software, namely CDMA Workshop (look at the last post of the page). I would suggest that we also try a couple more:
RevSkills
UniCDMA
Nvidia Tegra Flash
I forgot this when I first posted.
OpenZDK
This was another potential since much of the hardware, namely the processor, is the same on both the Kin and Zune.
Looking for clues in the log files
To put it simply, in the hidden menu there is an option to have system logs emailed to you. I tried reading through some and noticed some of the events and files that the KIN uses, but have not had any luck yet.
FTP
This link is the same as the link for the Log Files above.
Export/Import in hidden Menu
Once again, the link used here is the same one for Log Files and FTP.
Please add anything that I may have left out, either different approaches or links to helpful information. I haven't had a chance to tinker with RevSkills too much yet, but it looks really promising.
Ah, we mods like these threads. Keep it up. Stickied.
The hidden import feature becomes active if you create a contact while using
qpst. It imports but I don't know where it put that info.
Interesting to note is that none of my phone-entered contacts show up in qpst.
It is like that directory is mapped to some other place.
I was able to create directories and added txt files using qpst that remain even after power cycling the phone. I haven't found any of this using the phone yet.
I am getting the same results as you when I use the EFS manager and service programming. I can create files and make changes and they last after reboot.
I find it odd that when I export contacts from the hidden menu the file is visible in windows explorer if I have edited the registry as noted in the first post. I find this odd because everything else that is visible on the device using this method is related to the Zune, i.e. photos, music, and videos.
I have started looking back at some of the log files that I had the phone email me through the hidden menu and I have found some AT commands for the phone along with some other information. Here is a little bit of one file that I just started sorting through. The formatting isn't perfect because the log files have a lot of unreadable characters, but I have bolded files and commands. I also left everything in the case (upper and lower) as I found it in the file. The name of this file is:
MICROSOFT-PMX-DEBUGSTRINGPROVIDER-CHANNEL.02.clg
MPM_MainsSmThread
MPM_BB_STATE_NORMAL_ON_PRE_UPDATE
MPM_BB_USB_DRIVER_LOAD_UPDATE_EVENT, dwWaitTime: -1
MPM_Util:USB Client 1 has been Loaded
MPM_Util:USB Client 2 has been !UnLoaded!
CDMA Radio Updeate: Text stored version : v0.4.727
CDMA Radio Update:Registry Key version: v0.4.727
CDMA Radio Update: Current Modem version: v0.4.727
MPM_MainsSmThread
MPM_BB_STATE_NORMAL_ON_PRE_UPDATE
MPM_MainsSmThread
MPM_BB_UPDATE_REQ_EVENT - No modem update is needed
MPM_MainsSmThread
MPM_BB_STATE_NORMAL_ON_POST_UPDATE
MPM_END_RSTISR_REQ_EVENT, dwWaitTime: -1
MPM_MainsSmThread
MPM_BB_STATE_NORMAL_ON_POST_UPDATE
MPM_END_RSTISR_REQ_EVENT MODEM RESET ISR Init Completed.
MPM_MainsSmThread
MPM_BB_STATE_NORMAL_ON_POST_UPDATE
MPM_POWER_ON_REQ_EVENT, dwWaitTime: -1
RILNDIS: GetPacketInterface Initialize = c117d634
Shutdown = c117c4e4
RILDrv : i : Accumulated response (1) : <cr><lf>
IOPTMODE: 6 <cr><lf>
RILDrv : i : Sending cmd: ATV0E0X3 <cr>
RILDrv : t : LoadEriData : Opening file
\RoamingIndicator\eri.bin
RILDrv : i : Accumulated response (1) : ATV0E0X3 <cr> 0 <cr>
RILDrv : t : LoadEriData:
\RoamingIndicator\eri.bin not exist. Err 0x00000002
RILDrv : i : Sending cmd:
AT+cstt=0, 1, 75, 85, 95, 100 <cr>
RILDrv : t : LoadEriData: Opening file
\Windows\eri.bin
RILDrv : i : Accumulated response (1) : 0 <cr>
RILDrv : i : Sending cmd :
AT+CSTT=1,1,18,22,26,30 <cr>
PMIC Boot cookie: rb7262h
RILDrv : i : Accumulated response (1) : 0 <cr>
RILDrv : i : Sending cmd :
AT+CSQT=1<cr>
RILDrv : i : Accumulated response (1) : 0 <cr>
RILDrv:i: Sending cmd:
AT+GMI; +GMM; +GMR; +CKEYPAD?25<cr>
RILDrv:i: Accumulated response: +CKEYPAD:25
RILDrv:i: Accumulated response (2): equesting :
IUSBON, USBST, New PLMST, timestamp, 10, 2,2944 <cr><lf>
RILDrv:i:Accumulated response(1): +IQMIREADY <cr><lf>
+IUSBON<cr><lf>+IECHO: Requesting:IUSBON, USBST,
New PLMST, timestamp, 10, 2, 2944 <cr><lf>
RILDrv:i: ParseNotificationOEM: +IQMIREADY: SetEvent for QMI Init
RILDrv:i: Accumulated response(1): +IUSBON<cr><lf> +IECHO:
Requesting: IUSBON, USBST, New PLMST, timestamp, 10, 2, 2944<cr><lf>
RILDrv:i: Accumulated response(1): +IECHO:
Requesting: IUSBON, USBST, New PLMST, timestamp, 10, 2, 2944<cr><lf>
RilDrv:arseGetEquipmentInfo Modem Version: 727
I found out one more thing: if you use the s+l+power combination when the phone is powered off and connected to the computer, another USB device is found. I just found this thanks to conflipper's early work. We will have to come up with some sort of driver for this now.
Here is the name of the device and the hardware IDs
Microsoft Pink Bootstrap
USB\VID_045E&PID_2345&REV_0000
USB\VID_045E&PID_2345
I also just found this hardware id when having the computer turned off and plugged into the pc. When I hold down u+s+b+power Windows finds another device with the following name and hardware IDs (According to what I have found online this VID is Nvidia.) So this might be where we can use the tegra chipset stuff.
APX
USB\VID_0955&PID_7416&REV_0103
USB\VID_0955&PID_7416
Thought I would also add that my phone is currently unusable, but on the positive side, I wouldn't have found those other two USB hardware IDs if this hadn't happened. Sidenote: I was using the QPST Configuration program, and I right clicked on my phone in the active phones tab. I then clicked on "Configure service to port mapping..." and added one property (unfortunately, I can no longer go back to the window because the program doesn't recognize my phone now). At this point, my phone rebooted and is now stuck trying to boot up.
I don't think it is completely bricked, but I fear that until we pull a rom it is probably useless because it is stuck in a constant cycle trying to reboot. The only way to stop this is to remove the battery. I have since tried using the various key combinations provided by conflipper and have found that the bootstrapper combination (s+l+power) would probably work if we had a rom. I then tried the hard reset combination (c+b+power) which initially looks like it might work but then it gets stuck in the cycle of rebooting.
I am going to continue working on it, hoping that somehow now that I might have some extra sort of access to hardware, but I am afraid my contributions may be limited until we are able to pull a rom.
Sorry to hear that. There has to be a way of getting it out of the loop.
RevSkills Hardware Log.
Diag Port Supported Command List.
7E - TRS FRM MSG supported.
5A - CHECK AKEY supported.
59 - EFS CMD supported.
58 - GET IS95B supported.
57 - SET MAX SUP CH supported.
56 - SUP WALSH CODES supported.
55 - FER INFO supported.
51 - GET FEATURES supported.
49 - READ PRL supported.
47 - UNKNOWN unknown response:
45 - GET CDMA RSSI unknown response:
44 - CHANGE SERIAL MODE unknown response:
43 - GET PARAMETER unknown response:
42 - UNKNOWN unknown response:
40 - SET PILOTS unknown response:
3F - GET STATE unknown response:
3E - UNKNOWN unknown response:
3D - CONF SLEEP unknown response:
3C - GET PACKET SEQNO unknown response:
22 - DISPLAY EMU supported.
04 - PEEK DWORD supported.
03 - PEEK WORD supported.
02 - PEEK BYTE supported.
01 - Show ESN supported.
00 - Version Info supported.
(the phone rebooted many times while doing this test, hence the unknown responses).
I tested more of the options provided by the free version of Revskills and it was kind of funny to see how the keyboard emulator worked, but only for numbers.
After all the reboots and so on, I got some hex descriptions for errors in a new folder, called Err. Uploaded a new screenshot of that folder's contents.
Easy CDMA just lets you browse the filesystem we already know.... not so much fun.
Little update.
You seem to be able to enter the recovery mode holding the U S B + power option but, as I tried right now, also using "Volume -" + power as stated for other tegra devices. Can't check if that loads OK on the computer, as I don't have the USB cable here right now.
OOPS I made a mistake. I am not seeing anything using windows 7 using u+S+B and power up. Should I disable zune, change registry for zune back to normal etc??
You shouldn't have to because the device has a different hardware id, so the drivers installed for the zune portion aren't applicable. Try turning your phone off, plugging in the usb cable and then using the key combinations. If the new hardware message box doesn't appear, you should still see an unknown device in device manager.
Also you have to hold the u+s+b+power for a few seconds before it will be recognized. When I have done this the screen stays blank on my phone and the only way I know it is working is through Windows.
Using Windows 7 OS. I had to uninstall the zune driver located in portable devices in the device manager then it found new APX device and i was able to point to the NVIDIA driver. Tried ruining the phone (Flashing android to it) as in another thread but it also got stuck on the flashing prompt. Restarted phone normally and the windows found another device and loaded the zune drivers back.
Incidentally, holding the volume down and power on does the same as the U+S+B+Power and is easier on the fingers.
Thanks and keep up the great work.
I again may have spoken too soon. I cannot duplicate the above scenario anymore.
I also can no longer transfer pictures taken with my phone on to my pc. I can add pictures to the phone from pc and back but not the ones taken with the camera. Originally I could with zune software. The folders for uploaded pictures are different than the ones taken with the phone. I really think that I screwed something in the phone up by playing with qpst and others.
I'm not sure about what you did there, but in my testing & curiosity trials, I wasn't able to alter the device (do a write to memory), so I doubt that qpst or the others did it for you.
Also, according to coinflipper notes, the kin has several layers, including the SBL that is the one operating with the os directly (the "Ms Pink bootstrap" device), not the recovery mode, which basically put us handling a modem....
I'm trying some things, but no results yet... gonna take some time....
I have changed the USB password and added contacts (somewhere) while writing to the device using qpst. I changed the password to 000001. Is this a different part of memory I am fooling with?
Thanks
I am not sure. I have no previous experience with any phone deving nor Qualcomm tools. Just pointed what coinflipper said.
I said "basically a modem", cause you got diag(nostics) mode within a com port, and some users (in other posts) showed logs with AT commands.
I'm working with some tools to connect to the device, but using the driver we all got (zune software). Not promising anything, just peeking around some tests.
@mcdietz
Here I pasted a public output of the linux command "lsusb -vv" (ultraverbose) where Kin (factory default settings) values are.
http://pastebin.com/rZscb9wz
It is useful for USB access to the Kin. Use at will.
I have been testing USB connections to the Kin devices (the ones we used in this forum) and I checked this:
Kin mode (normal Zune mode):
- Using MTP protocol:
-- You can browse files/folders/track related to Zune values using the lib-mtp tools in the system you like.
-- You can format the device (zune related folders) & delete zune files using the lib-mtp tools.
-- You can't download files from the device using the lib-mtp tools (kin doesn't allow you to)
-- You can't upload files to the device using the lib-mtp tools (kin doesn't allow you to)
- Using raw USB:
-- You can Write & Read values to the device (Kin VID 0x045e, PID 0x0641). Protocol allowed: MTP
Of course, Zune software does use this mode and is allowed to write to the filesystem. But that's because before doing so, it uses MTP protocol values to send and receive crypto values based on JANUS from Microsoft (Microsoft DRM for Mobile Devices) and after the crypto relationships, the USB commands enable the "Connected" window on the Kin.
Capturing and replaying these values over USB does not work (ever) and does not work for the Kin (had to try), so no go-go from here. Also, we cannot know if it would be able (dreaming, after bypassing the DRM) to go outside the pictures/music/etc folders.
On the other hand, MTP tools reports that our little friend is able to reproduce the following files:
Firmware file
MediaCard
Abstract Playlist file
Abstract Album file
JPEG file
Microsoft Windows Media Video
MPEG-4 Part 14 Container Format (Audio+Video Emphasis)
Advanced Audio Coding (AAC)/MPEG-2 Part 7/MPEG-4 Part 3
MPEG-4 Part 14 Container Format (Audio Emphasis)
Microsoft Advanced Systems Format
Microsoft Windows Media Audio
ISO MPEG-1 Audio Layer 3
Where "firmware" is strange and good, but the question is... how to upload the firmware files (you can get Zune firmwares from the net) to the Zune software on the device (and run them)?
It's more interesting when you notice that firmwares contain "Zboot.bin" which is "Tegra device bootloader" but, sadly, doesn't work with nvflash because of what I said below. Those updates are WinCE updates too...
APX mode (nvidia "flashing" mode), with or without Nvidia driver.
- Using nvflash
-- You can't start flashing due to writing to usb error
-- Following attempts block nvflash and device access.
- Using raw USB:
-- You can't Write or Read values to the device (APX VID 0x0955, PID 0x7416). Protocol allowed: None
This matches the post where coinflipper told us that you cannot dump the rom image.
Microsoft Pink Bootstrap (No driver):
- Using raw USB:
-- You can Write & Read values to the device (Kin VID 0x045e, PID 0x2345). Protocol allowed: Unknown
-- Phone answers "01" to all the write requests I did (from "00" to "FF").
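Added example, not code from this thread: a small Python helper that tells which of the three Kin USB personalities described above is attached, from either a Windows hardware ID string (as seen in Device Manager) or an lsusb line. The VID/PID table and the access notes are constructed from the posts in this thread; the sample input lines (including the unrelated Intel hub) are constructed too.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class KinMode:
    name: str        # which USB personality the phone is exposing
    key_combo: str   # how the thread says you get there
    access: str      # what the posts report being able to do over USB


# Constructed from the VID/PID pairs and findings reported in this thread.
KIN_MODES = {
    (0x045E, 0x0641): KinMode(
        "Zune (MTP) mode", "normal boot",
        "MTP browse/format only; raw USB read/write; Zune DRM (JANUS) handshake gates file writes"),
    (0x045E, 0x2345): KinMode(
        "Microsoft Pink Bootstrap", "s+l+power while off",
        "raw USB read/write, protocol unknown; answers 01 to every write tried"),
    (0x0955, 0x7416): KinMode(
        "NVIDIA APX recovery", "u+s+b+power (or volume down+power) while off",
        "nvflash: first USB write fails, later attempts hang; raw USB: no access"),
}

# Windows hardware ID, e.g. USB\VID_0955&PID_7416&REV_0103 (REV is optional)
_WIN_HWID = re.compile(
    r"USB\\VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})(?:&REV_([0-9A-Fa-f]{4}))?")
# lsusb line, e.g. "Bus 001 Device 005: ID 0955:7416 NVidia Corp."
_LSUSB = re.compile(r"\bID\s+([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})")


def parse_usb_id(text: str) -> Optional[Tuple[int, int, Optional[int]]]:
    """Extract (vid, pid, rev) from a Windows hardware ID or an lsusb line.
    rev is the bcdDevice value (None when the string does not carry one)."""
    m = _WIN_HWID.search(text)
    if m:
        rev = int(m.group(3), 16) if m.group(3) else None
        return int(m.group(1), 16), int(m.group(2), 16), rev
    m = _LSUSB.search(text)
    if m:
        return int(m.group(1), 16), int(m.group(2), 16), None
    return None


def bcd_version(rev: int) -> str:
    """Render a USB bcdDevice value such as 0x0103 as '1.03'."""
    return f"{rev >> 8:x}.{rev & 0xFF:02x}"


def identify_kin_mode(text: str) -> Optional[KinMode]:
    """Map a hardware ID / lsusb line to the Kin mode it indicates, if any."""
    ids = parse_usb_id(text)
    if ids is None:
        return None
    return KIN_MODES.get((ids[0], ids[1]))


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (vid:pid, mode name) for every line carrying a USB ID.
    IDs that are not a Kin personality are reported as 'not a Kin mode'
    so a stray device is not mistaken for the phone; lines without an ID
    are skipped."""
    out = []
    for line in lines:
        ids = parse_usb_id(line)
        if ids is None:
            continue
        vid, pid, _ = ids
        mode = KIN_MODES.get((vid, pid))
        out.append((f"{vid:04x}:{pid:04x}", mode.name if mode else "not a Kin mode"))
    return out


if __name__ == "__main__":
    # Constructed sample input: two Windows hardware IDs and two lsusb lines.
    sample = [
        r"USB\VID_0955&PID_7416&REV_0103",
        r"USB\VID_045E&PID_2345",
        "Bus 001 Device 004: ID 045e:0641 Microsoft Corp.",
        "Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub",
    ]
    for line in sample:
        ids = parse_usb_id(line)
        mode = identify_kin_mode(line)
        rev = f" (rev {bcd_version(ids[2])})" if ids and ids[2] is not None else ""
        print(f"{line}\n  -> {mode.name if mode else 'not a Kin mode'}{rev}")
        if mode:
            print(f"     enter via: {mode.key_combo}\n     access: {mode.access}")
```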
markspace. com/kin/
Here's some software that was developed for it, but I'm guessing it is only client end?
I'm not allowed to link, so assemble the spaces yourself please
The link for the download (direct) , being for Mac(only) is:
http://www.markspace.com/kin/download.php
But you must register to get an activation code from the main page (posted by shlhu). It will need internet access to activate the software during installation and reboot after it.
Requires iTunes (for audio sync), iPhoto (for images, also have started it once), and QuickTime (for video).
I tested it with a freshly installed Snow Leopard and I can say that it works. I dunno how it does (without Zune installed), but it works.
Unfortunately, I wasn't able to analyze the USB transmission there, so I can't compare with the Windows one. If it can skip the JANUS DRM, then we may have a chance. If it is the same process as Windows... we are done... lol.

Experienced Developer, new to mobile hacking, where to start?

I have experience as a .net developer, a SQL developer, and a network administrator, but I've never done anything with mobile development. I'll be able to do some damage, but I need someone to point me in the right direction here.
I am not interested in messing with the existing windows CE os AT ALL, only Android. I'm motivated by this phone because it's the only modern phone whose ESN can be activated on Verizon without a data plan.
SO, can an experienced person within the community give me a lay of the land of where I can contribute and get working?
My 2c: most of the hacking I've done was on PSP, and they always loaded custom firmware by getting into the core / bios area, just like all of the other jailbreak methods. Can we do that?
Gaujo said:
I have experience as a .net developer, a SQL developer, and a network administrator, but I've never done anything with mobile development. I'll be able to do some damage, but I need someone to point me in the right direction here.
I am not interested in messing with the existing windows CE os AT ALL, only Android. I'm motivated by this phone because it's the only modern phone whose ESN can be activated on Verizon without a data plan.
SO, can an experienced person within the community give me a lay of the land of where I can contribute and get working?
My 2c: most of the hacking I've done was on PSP, and they always loaded custom firmware by getting into the core / bios area, just like all of the other jailbreak methods. Can we do that?
Well, one major thing that you can help with is getting drivers for the kin two, because the ones we have are only diag drivers, and do not let us see the phone in windows explorer... the diag drivers only let us see the filesystem in Bitpim.
Welcome to the "I know kung-fu but this seems to need jiu-jitsu" group of developers.
As noted above... drivers.. drivers drivers....
In the other threads you can see my hardware attempts summary about the USB access to the devices and an explanation about why we haven't flashed anything yet (tl;dr: it is shop-protected).
The only driver available for flashing (in Windows) or Linux direct access turned us into an nvflash executable being frozen, not doing anything. For the other modes we have no data on how to operate with them.
On your request: yes, you could run android here, as tegra 2500 was made for wince and android (currently they work with froyo), so I guess we could do the move (I would want to backup Win CE anyway... just in case ... for messing around with flashing...).
johnkussack said:
Welcome to the "I know kung-fu but this seems to need jiu-jitsu" group of developers.
As noted above... drivers.. drivers drivers....
In the other threads you can see my hardware attempts summary about the USB access to the devices and an explanation about why we haven't flashed anything yet (tl;dr: it is shop-protected).
The only driver available for flashing (in Windows) or Linux direct access turned us into an nvflash executable being frozen, not doing anything. For the other modes we have no data on how to operate with them.
On your request: yes, you could run android here, as tegra 2500 was made for wince and android (currently they work with froyo), so I guess we could do the move (I would want to backup Win CE anyway... just in case ... for messing around with flashing...).
I've never edited or created a driver, but if someone will point me in a specific driver, I will hammer away as best I can.
I don't understand what you mean here:
"The only driver available for flashing (in Windows) or Linux direct access turned us into an nvflash executable being frozen, not doing anything. For the other modes we have no data on how to operate with them."
Point 1) The APX mode (booting with USB keys + power) is what we called the flashing "part", which uses nvflash (.exe) as the tool to do flashing to the devices.
The driver you can get from nvidia (that one exists) lets nvflash find the device, but the kin seems to be write-protected, so the tool outputs an error while connecting to the KIN. Also, further attempts make nvflash get stuck in the connection process forever (and ever).
Point 2) The other modes (normal or special keys held) have no known drivers nor known-yet ways to get them. Of course, if I knew how to make one, I would have tried to make it myself, as I tried with the MPMz protocol on the kin, so I can't point you in any direction there.
That's what i meant.

Archos 50 Cesium/Bush Eluma B2 - any hope?

This is my first modern Windows Mobile (I used Windows Mobile 11 years ago) and it seems Microsoft has crippled the operating system.
Model: Bush Eluma, Windows 10 native (rebranded Archos 50 Cesium)
Specification:
Snapdragon 210
Adreno 304
1 GB RAM
16GB ROM
MicroSD support up to 128GB
5" 720x1280 IPS screen
4G LTE
WIFI/Bluetooth/GPS
8MP rear/2MP front with flash
2100mAh battery
Spec. Sheet: archos [dot] com/corporate/press/press_releases/EN_ARCHOS_50Cesium_50eHelium.pdf
What I'm trying to do: Interop-unlock
What I've managed to do: Deploy apps, such as Root Tool and vcREG
Where I'm stuck: Setting the value for my model of phone - I have no idea where to look
I hope I've provided information in a clear format. I'd very much appreciate some help or feedback in order to interop-unlock this model
System\Platform\DeviceTargetingInfo
PhoneManufacturer
Value = "True" (I think this used to just say "ARCHOS")
Thank you for reading.
Was there any progress made with this? Looking to interop unlock phone too so any help would be great
you tried this?
https://forum.xda-developers.com/windows-10-mobile/acer-liquid-jade-primo-upgrade-to-au-cu-t3589156
Worked a treat! Thanks a lot.
user154 said:
Sorry to kinda hijack this thread, but I have this device and am struggling to find any other owners. My understanding is that the Archos 50 Cesium is the Windows version of the 50e Helium. I have an eMMC dump of the 50e Helium; if you can't already tell where I'm going with this, I want to flash this dump to my Eluma B2 but can't get QFIL or thor2 to do this. Can anyone help? Or does anyone even know if this is possible?
I say just enjoy the W10 phone while you can, or if you really want Android, go buy that model online some where.
It is not as simple as it sounds. You would need at least a flash programmer for the SoC in that phone, which the manufacturers usually never release. Depending on the format of the dump you might need other flashers or files to understand how the Archos 50 eMMC is structured or to utilize them in the flashing process. You would also want to be able to put the phone into EDL mode. If you can manage to even boot the flash programmer and initialize a flash of the phone, there is also a high risk of bricking it, because you would be flashing partitions that were not signed for that phone/SoC. So I am not sure if you would also need to unlock the bootloader on it or not... sounds like you would. IMO it would be best to unlock the bootloader so you can back up the current layout of the phone. This, as far as I know, is not possible, so I would just stop there.
I know there are some threads in other forums where they are trying to do this with the IDOL 4S, and maybe a couple of devices in the past have worked out to be able to do this. However, it pretty much hinges on unlocking the bootloader. Also, from what I know, once you flash it like that, even if the device survives (it boots, the IMEI is intact, etc.) you cannot revert it back, or it is pretty much impossible to go back without bricking it.
user154 said:
It doesn't really matter if the device is rendered unusable; it is quite a long way down the list of backup devices I have, it was more for the fun of trying to do it. The device is the exact same as its Android counterpart (hardware wise), and this is what made me think it should theoretically be possible. The dump I have was made with Infinity-Box; I have managed to create the required rawprogram.xml and patch.xml from the GPT binary contained within the dump. I have also found a couple of flash programmers for the SoC (prog_emmc_firehose_8909.mbn, and a couple of manufacturer-specific ones; pretty sure I've got the filename slightly wrong there). I have been able to boot the device to EDL mode using a cable, however Sahara fails to load the flash programmer to the device. I didn't think the bootloader would need to be unlocked to flash the device, seeing as the device is in EDL mode and what I'm trying to flash is signed, as it is just the dump from the Android counterpart. Maybe this is where I'm going wrong. Also, I'm working on the assumption the IMEI will be wiped, as I plan to flash persist.img from the dump too; I thought trying to keep the partition where it is stored in Windows 10 and repartitioning the rest of the eMMC to the same as the Android counterpart might make things more complicated than they already are. Also, the IMEI can sometimes be quite simple to repair on certain devices (a lot more simple than what I'm trying to achieve here anyway). Can you point me in the right direction as to where I can find instructions to unlock the bootloader of this device? For some reason it doesn't get recognised by WPinternals (in any mode: EDL, standard flash mode, no idea what that's called on Windows haha, or booted normally).
Sounds like you're on the right path. I'm not 100% sure you need to unlock the boot loader, however it would definitely make things easier as you could dump partitions from the phone as it is and even possibly enable mass storage mode. I am unsure where you would look to unlock that phones boot loader other than here. The flash programmers you have may not be built for the Windows Phone eMMC and why they are not booting.
Hi, this is quite interesting for me as I am struggling with 2 Cesium 40 devices stuck in Qualcomm download mode. I thought I managed to extract msimage.mbn and the hex binary file from the FFU, converted the hex file to hex.hex and added the first and last-but-one lines. Although there was no way to escape from Qualcomm mode. Thor recognizes the Qualcomm devices, but tells me to stop QFIL operations, even if there is no QFIL. Any ideas?
JoachimP said:
Hi, this is quite interesting for me as I am struggling with 2 Cesium 40 devices stuck in Qualcomm download mode. I thought I managed to extract msimage.mbn and the hex binary file from the FFU, converted the hex file to hex.hex and added the first and last-but-one lines. Although there was no way to escape from Qualcomm mode. Thor recognizes the Qualcomm devices, but tells me to stop QFIL operations, even if there is no QFIL. Any ideas?
If you have QPST/QFIL installed on your PC and have used them recently, the services might still be running. Just hunt for them in Task Manager, kill them and run thor2 again. See if that helps.
Worked a treat! Much obliged.
@nate0
Hi, thanks for your reply. I am nearly sure, I uninstalled QFIL and shutdown my pc after use, but I will check on it.
So I uninstalled QFIL and rebooted. This is the result:
Code:
C:\Program Files\Microsoft Care Suite\Windows Device Recovery Tool>thor2 -mode list_connections
THOR2 1.8.2.18
Built for Windows @ 13:36:46 Jun 16 2015
Thor2 is running on Windows of version 6.2
thor2 -mode list_connections
Process started Wed Nov 14 08:48:16 2018
Logging to file C:\Users\me\AppData\Local\Temp\thor2_win_20181114084816_ThreadId-4796.log
Debugging enabled for listconnections
WinUSB in use.
Connection list START
0.1A07:0004:0004 {71de994d-8b7c-43db-a27e-2ae7cd579a0c} Emergency mode connected
Connection list END
Exited with success
C:\Program Files\Microsoft Care Suite\Windows Device Recovery Tool>thor2 -mode emergency -hexfile cesium\hex.hex -mbnfile cesium\prog_emmc_firehose_8x10.mbn -ffufile cesium\flash_retail.ffu
THOR2 1.8.2.18
Built for Windows @ 13:36:46 Jun 16 2015
Thor2 is running on Windows of version 6.2
thor2 -mode emergency -hexfile cesium\hex.hex -mbnfile cesium\prog_emmc_firehose_8x10.mbn -ffufile cesium\flash_retail.ffu
Process started Wed Nov 14 08:48:52 2018
Logging to file C:\Users\me\AppData\Local\Temp\thor2_win_20181114084852_ThreadId-7500.log
Debugging enabled for emergency
Initiating emergency download
Using default emergency protocol
ALPHA EMERGENCY FLASH START
Emergency Programmer V1 version 2014.10.31.001
Hex download selected
Check if device in Dload
Message send failed with error code -1
Waiting connection to DLOAD: 2 of 2
Check if device in Dload
Message send failed with error code -1
Failed to connect to DLOAD mode
Make sure that the COM port is free. Close QPST.
ALPHA EMERGENCY FLASH END
Emergency messaging closed successfully
Operation took about 8.00 seconds.
THOR2_EMERGENCYFLASHV1_ERROR_PROGRAMMER_SEND_FAILED
THOR2 1.8.2.18 exited with error code 85030 (0x14C26)
Any suggestions?

Uconnect 8.4 ver 17.11.07 trying to "root"

I was posting some questions in the "Rooted Jeep Cherokee '14 Uconnect" thread but I've started this new thread for the 17.xx versions because the methods (if we are able to identify them) aren't the same as the 16.33.29 and earlier firmwares...
I am still trying to crack into that unit with the 17.11.07 software. I have a D-Link USB Ethernet adapter, but it's a HW revision D and I believe I would need a B if we can get Ethernet enabled at all.
Also, if we can get Ethernet enabled we will still need to get SSH password or key.
devmihkel said:
For good or for bad NOT everything appears correct, except the running 17.x version... As of now neither "commercial jailbreak" supports new versions (well yes, they were using exactly the same file to start with). Also 16.51.x or newer appears to be a no-go: uconnect-8-4-8-4an-update
EDIT: haven't got 17.09.07 to try, but on 17.11.07 manifest.lua has changed and the last block/search keyword is "ota_update" instead. Otherwise all the same, image valid after the edit and script.sh gets fired - at least on 16.33.29 that is. @HanJ67 Did you actually try to mount installer.iso after the edit and check /etc/manifest.lua for the end result before?
devmihkel said:
Yeah, 2nd attempt is much better as the last Lua block is correctly terminated and your script might actually run, but unfortunately no successful 17.x runs have been reported so far. SWF scripts are not involved in the update/jail-breaking run; these ones become relevant only once you are in (and need to enable some app or WiFi or navi features etc). Afaik 17.x blocks ethernet dongle usage as well, but let's see if even the USB driver/link gets activated at all?
Do you have a 16.33.29 version I can try this on? I'm wondering if it will get me far enough to execute the "manifest.lua HD_Update" hack you and @HanJ67 were discussing.
I've used the 17.43.01, then finally found a 17.11.07 and had no luck there either.
In my latest attempts on the 17.11.07, I was able to hex edit the "ifs-cmc.bin" on the UPD and replaced the SSH-RSA key with my own. I think this bin will be flashed to the MMC during an update.
That SWDL.UPD got past the initial check and rebooted into update mode, but then it fails the second ISO check and loops. I had to use an unmodified image to finish the update and get back up and running.
I keep reading about making changes only after the 2048 byte mark in the older versions with the "S" at 0x80. Is this still relevant in later ISO/UPD images and to the second ISO check?
Right now, I'm looking to find a way to disable that check so that my modified .bin will be written to disk. I think this route would also work for modifying and getting WiFi enabled after a flash of the edited image.
If I had a 16.33.29 or similar older UPD version to attempt the HD_UPDATE hack in the Manifest.lua file, I would give that a shot to be thorough.
Do you have an idea how to connect a USB2LAN adapter to Uconnect?
Do you know if there are UART pins on the mainboard?
itsJRod said:
I was posting some questions in the "Rooted Jeep Cherokee '14 Uconnect" thread but I've started this new thread for the 17.xx versions because the methods (if we are able to identify them) aren't the same as the 16.33.29 and earlier firmwares...
Hello, any news about it?
Hi,
can you explain how to change the SSH key in the "ifs-cmc.bin" file?
Thanks a lot
itsJRod said:
I was posting some questions in the "Rooted Jeep Cherokee '14 Uconnect" thread but I've started this new thread for the 17.xx versions because the methods (if we are able to identify them) aren't the same as the 16.33.29 and earlier firmwares...
sofro1988 said:
Hello, any news about it?
I have not had much time to work on this.
I actually had an idea last week that brought me back to this. I plan to use a custom flash drive to present an unmodified ISO for verification, then swap the NAND to an identical image that has been hex edited to enable USB Ethernet and add a custom key for SSH access.
I thought to stack a NAND on top of the original on a flash drive, then break out the Chip Enable pin to a switch. I've seen this done by guys modifying game consoles to be able to run modified firmware.
Once the 2nd NAND is in place I will restore an image of the original nand containing the unmodified update, then hex edit the required portions to allow access after updating.
If this method works, I should be able to pass the verification with the original nand chip, then switch it (hopefully there's a big enough window to do this by hand) then present the modified nand before it begins the flash procedure.
Hopefully someone more intimately familiar with the update scripts can verify I'm not missing anything in the process
Tajadela said:
Hi,
can you explain how to change the SSH key in the "ifs-cmc.bin" file?
Thanks a lot
I used a hex editor to find the SSH RSA key and replace it. This passed the initial check to reboot into update mode, but wouldn't pass the full check in update mode. I'm hoping my attempt below will pass that check and still update with the modifications.
itsJRod said:
I used a hex editor to find the SSH RSA key and replace it. This passed the initial check to reboot into update mode, but wouldn't pass the full check in update mode. I'm hoping my attempt below will pass that check and still update with the modifications.
Thanks for the answer.
I saw an SSH key with the hex editor, but I would like to see exactly what you have replaced.
If it's not too much trouble, it would be interesting to see with some screenshots the changes you've made.
So we could work on two fronts. The idea of the double NAND is good, but not very simple to make...
Just thinking out loud here, when you say it passes the initial check, does it then give you any confirmation of that or any message on the screen before rebooting to upgrade mode?
SquithyX said:
Just thinking out loud here, when you say it passes the initial check, does it then give you any confirmation of that or any message on the screen before rebooting to upgrade mode?
I tried much the same thing -- the swdl.upd is another CDROM filesystem:
martinb$ file swdl.upd
swdl.upd: ISO 9660 CD-ROM filesystem data 'CDROM'
It contains three more .iso files : installer.iso, primary.iso, and secondary.iso
installer.iso is a CDROM image, but is not mountable on my linux system
primary.iso is a CDROM image, and has the usual /bin, /etc/, and /usr filesystem for an install
the /bin directory has one file - update_nand
the /etc directory has the usual mfgVersiontxt, nand_partion.txt, system_etfs_postinstall.txt, system_mmc_postinstall.txt and version.txt
the /usr/share directory is all the firmware for various components - EQ, HD_FIRMWARE, IFS, MMC_IFS_EXTENSION,OTA,SIERRA_WIRELESS,V850, and XM_FIRMWARE
What's interesting to me is that they did update the SIERRA_WIRELESS firmware -- and have done some housecleaning:
Code:
#---------------------------------
# sierra_wireless_disable_flowcontrol.file
# \d == 1 second delay
SAY " Send AT \n"
'' AT\r
OK \d
SAY "Disable flow control\n"
'' at+ifc=0,0\r
OK \d
SAY "Send SMS command CNMI\n"
'' at+cnmi=2,1,0,1,0\r
OK \d
SAY "Clear emergency number list\n"
'' AT!NVENUM=0\r
OK \d
SAY "Set emergency number to 911\n"
'' AT!NVENUM=1,"911"\r
OK \d
SAY "Save Setting\n"
'' at&w\r
OK \d
#---------------------------------
Also in the IFS directory, when you hexedit the ifs-cmc.bin file it reveals another little treat... an SSH root public key ( not as nice as a private key, but hey )
(Sorry about the formatting, this is cut/paste right out of the hex editor)
Code:
ssh-rsa [email protected]
2E..IwU.Q....njle8r9nrJ7h8atg4WfqswU0C0Rk/Ezs/sQs5ZA6ES82MQONjHBd7mw
uo8h0xfj3KeeSHMXCEBpmU26guNE4EqfvdioLFCDUxtvMYswlUZjsvd/NYz9lnUZg2hy
pwzFQjXgSzmHVrHjkKKvq7Rak/85vGZrJKxlvHnowA8JIl1tVNVQjPMNgDDJabaETtfw
LL1KlvAzI81cKOG/3IRn9lU6qyYqyG+zYoza0nN\..7/AtxdL481k81Go5c3NQTnkl2U
68lbu8CpnwrYCU098owLmxdI4kF5UOL4R61ItJuwz30JSESgT..!8RDgM6XEiHUpK9yW
vvRg+vbGWT/oQn0GQ== [email protected]
In /usr/share/MMC_IFS_EXTENSION/bin/cisco.sh and dlink.sh there's another good hint - what adapter you need for USB ethernet:
Code:
#!/bin/sh
# Handle an Ethernet connection via the CISCO Linksys USB300M adapter
or
Code:
#!/bin/sh
# Handle an Ethernet connection via the D-Link DUB-E100 adapter
The static IP it brings up if no DHCP is offered is : 192.168.6.1
There's tons more in there -- like the V850 chip has access to the Sierra Wireless CDMA modem, but can configure it for voice calls through the car speakers:
"AT!AVSETPROFILE=8,1,1,0,5" ( embedded in the cmcioc.bin update file )
secondary.iso is a CDROM image and only has /etc/ and /usr
the /etc/ directory has speech_mmc_preinstall.txt and xlets_mmc1_preinstall.txt
the /usr/ directory has /usr/share/speech and /usr/share/xlets ( tons of information about sensors in the car, etc in xlets )
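The post above does its triage by hand: `file` identifies swdl.upd as ISO 9660, three more .iso files sit inside it, and an SSH public key turns up in ifs-cmc.bin. The script below is an added example, not code from this thread or from the vendor. It carves primary volume descriptors out of a raw blob, so nested images are located without mounting anything, and it reports every OpenSSH public key it finds, validating the wire format and computing the same SHA256 fingerprint `ssh-keygen -lf` prints, so a key baked into a firmware image can be compared against the list the operator expects. The sample container, the 2048-bit modulus and the `@example-unit` comments are constructed placeholders, not material from a real update.

```python
"""Added example: audit a firmware update image for nested ISO 9660 volumes and
embedded SSH public keys. Sample image, keys and offsets are constructed here."""
import base64
import hashlib
import re
import struct

ISO_SECTOR = 2048
ISO_MAGIC = b"CD001"
PVD_OFFSET = 16 * ISO_SECTOR  # the primary volume descriptor sits at sector 16


def find_iso9660_volumes(data: bytes):
    """Return (image_start, volume_id) for every primary volume descriptor.
    Only type 0x01 descriptors count (boot records and the terminator also carry
    'CD001'); a nested image appears as a hit whose start lies inside the outer one."""
    volumes = []
    pos = data.find(ISO_MAGIC)
    while pos >= 0:
        if pos >= 1 and data[pos - 1] == 0x01:
            desc = pos - 1
            vol_id = data[desc + 40:desc + 72].decode("ascii", "replace").strip()
            volumes.append((desc - PVD_OFFSET, vol_id))
        pos = data.find(ISO_MAGIC, pos + len(ISO_MAGIC))
    return volumes


SSH_KEY_RE = re.compile(
    rb"(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(?:256|384|521)) ([A-Za-z0-9+/=]+)")


def _wire_fields(blob: bytes):
    """Split an SSH key blob into its uint32-length-prefixed fields."""
    fields, i = [], 0
    while i < len(blob):
        if i + 4 > len(blob):
            raise ValueError("truncated length")
        (n,) = struct.unpack(">I", blob[i:i + 4])
        if i + 4 + n > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[i + 4:i + 4 + n])
        i += 4 + n
    return fields


def find_ssh_public_keys(data: bytes):
    """Return one dict per 'ssh-... <base64>' candidate found in data.
    Valid means the blob decodes and its first wire field repeats the key type
    (what sshd requires); the fingerprint is the SHA256 form ssh-keygen -lf
    prints. Garbled candidates are kept with valid=False so the offset is reported."""
    found = []
    for m in SSH_KEY_RE.finditer(data):
        ktype, b64 = m.group(1), m.group(2)
        entry = {"offset": m.start(), "type": ktype.decode(), "valid": False,
                 "fingerprint": None, "rsa_bits": None}
        try:
            blob = base64.b64decode(b64, validate=True)
            fields = _wire_fields(blob)
            if not fields or fields[0] != ktype:
                raise ValueError("blob does not match the key type")
            if ktype == b"ssh-rsa":
                if len(fields) != 3:
                    raise ValueError("ssh-rsa blob needs exponent and modulus")
                entry["rsa_bits"] = int.from_bytes(fields[2], "big").bit_length()
            elif ktype == b"ssh-ed25519" and (len(fields) != 2 or len(fields[1]) != 32):
                raise ValueError("ed25519 public key must be 32 bytes")
            digest = hashlib.sha256(blob).digest()
            entry["fingerprint"] = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
            entry["valid"] = True
        except ValueError:  # binascii.Error is a ValueError subclass
            pass
        found.append(entry)
    return found


def _mpint(v: int) -> bytes:
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    return b"\x00" + b if b[0] & 0x80 else b


def _string(s: bytes) -> bytes:
    return struct.pack(">I", len(s)) + s


def build_sample_image() -> bytes:
    """Constructed container: outer volume CDROM, nested volume PRIMARY at sector 22,
    then a blob standing in for ifs-cmc.bin holding a well-formed RSA key (made-up
    modulus), an ed25519 key and one garbled RSA key like a hex-editor dump."""
    def pvd(vol_id: str) -> bytes:
        sector = bytearray(ISO_SECTOR)
        sector[0], sector[1:6], sector[6] = 0x01, ISO_MAGIC, 0x01
        sector[40:72] = vol_id.ljust(32).encode()
        return bytes(sector)
    terminator = b"\xff" + ISO_MAGIC + bytes(ISO_SECTOR - 6)
    outer = bytes(PVD_OFFSET) + pvd("CDROM") + terminator + bytes(4 * ISO_SECTOR)
    nested = bytes(PVD_OFFSET) + pvd("PRIMARY") + terminator
    fake_modulus = (1 << 2047) | 0xC0FFEE0001  # 2048-bit placeholder, not a real key
    rsa_blob = _string(b"ssh-rsa") + _string(_mpint(65537)) + _string(_mpint(fake_modulus))
    ed_blob = _string(b"ssh-ed25519") + _string(bytes(range(32)))
    ifs = (bytes(64) + b"ssh-rsa " + base64.b64encode(rsa_blob) + b" root@example-unit\x00"
           + bytes(16) + b"ssh-ed25519 " + base64.b64encode(ed_blob) + b" svc@example-unit\n"
           + b"ssh-rsa AAAAB3NzaC1yc2E..IwU garbled-hex-dump\n")
    return outer + nested + ifs
```

On a real image, run `find_iso9660_volumes` over the container to get the start offset of each nested volume, then `find_ssh_public_keys` over each slice. Any valid key whose fingerprint is not on the list of keys the operator knowingly provisioned is a trust anchor the unit will honour for remote login, which is the finding to record; a garbled candidate is still listed with its offset because a partial hit in a hex dump is exactly how such keys are usually noticed.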
martinbogo1 said:
I tried much the same thing -- the swdl.upd is another CDROM filesystem:
Have you tried connecting to it?
sofro1988 said:
Have you tried connecting to it?
I managed to connect with the Cisco adapter (USB / Ethernet), but I don't know the root password. Is the problem insurmountable at the moment?
Using a cisco connector, I have gotten the ethernet to come up, but that's it. At the moment, there doesn't seem to be anything I can connect to.
@Tajadela - sounds like you at least were able to either SSH or telnet in to a port... I'm on software version 17.43.01 .. which are you on, and what year vehicle? ( Jeep Grand Cherokee, 2015, Uconnect 8.4AN with the 3G Sierra Aircard modem for Sprint )
martinbogo1 said:
Using a cisco connector, I have gotten the ethernet to come up, but that's it. At the moment, there doesn't seem to be anything I can connect to.
@Tajadela - sounds like you at least were able to either SSH or telnet in to a port... I'm on software version 17.43.01 .. which are you on, and what year vehicle? ( Jeep Grand Cherokee, 2015, Uconnect 8.4AN with the 3G Sierra Aircard modem for Sprint )
I connected via telnet on a Uconnect 6.5 with firmware 15.xx.xx. You can connect to the Uconnect using the static IP it brings up if no DHCP is offered: 192.168.6.1
itsJRod said:
I used a hex editor to find the SSH RSA key and replace it. This passed the initial check to reboot into update mode, but wouldn't pass the full check in update mode. I'm hoping my attempt below will pass that check and still update with the modifications.
After replacing the RSA key, did you have to recalculate the checksum of the UPD file?
Have you replaced the first 64 bytes of the file?
Thanks
@itsJRod, would you like to explain the procedure to replace the RSA key in the swdl file? Thank you
Hello,
Have you made any progress? I am a bit lost. I put the EU Uconnect MY15 into a US Dodge Charger MY16 and Perf Pages were working fine even on 16.16.13, although after the upgrade to 17.x (17.46.0.1 right now) I am running into the problem of an expired subscription (which is not possible to have on an EU radio).
I am considering basically three solutions:
a) going back to the US radio, but modifying the language pack/nav/FM frequencies (it is doable, but I do not know how, although I can pay for it for relatively less than the time invested)
b) downgrading to 16.16.13 - I have no clue how to do it; I tried to put swdl.upd with swdl.iso as installer.iso with no luck, of course.
c) taking xlets from KIM2/ of 16.16.13 into KIM23 of 17.46.0.1 secondary.iso - this is probably the preferred way but I do not know how to make it pass ISO validation.
Of course root on Uconnect is extremely nice to have, but I will be fully satisfied with Perf Pages working again.
Hello.
I'm hoping the community can help me out. I have a RAM 1500 with the RA4 (was running the 17.11.07 software that I got pushed to me OTS style a couple of years ago). Since then: problems, radio turn-on delay, no GPS and a cellular phone warning popup.
I was told to do the 18.45 update, which I got from driveuconnect.com, but this has essentially bricked my radio with the "bolo update failed" error and it is looping continuously.
I have tried many ways to modify the update software's manifest.lua script to try to get rid of the Sierra Wireless portion by manually editing, hex editing, etc., but always get the "please insert the USB card" screen.
Uconnect is obviously completely worthless to help me and the dealer wants me to pay them money to tell me what I already know. I know I can pay 300 and send my radio to infotainemnt.com to get it repaired, but I would like to solve this on my own if possible, because I would like to further modify the software to make it more custom and unique.
From my reading the 17x version keeps you from downgrading to a version that can be hacked easily.
Everything seems like it should be pretty straightforward as I have a lot of experience in programming and embedded devices.
It seems they are validating the ISOs using some mechanism; I believe I have tried all of the tricks/methods.
I have searched the code to see if I can find the ISO MD5 or SHA256 hashes that ioc_check is probably using to figure out I changed something, but nothing works.
I have even tried swapping the flash drives after validation, but it seems they are using the ISOs they already copied to continue the process; I then end up getting some invalid errors or the update just crashes out.
I got other updates from the link: http://www.mydrive.ch/
username: [email protected]
Password: gasolio
Haven't tried all of them yet, but pretty sure they won't work, due to the 17x security changes.
Any help would be appreciated greatly; I really don't want to shell out any cash for something a company told me to do and, due to their screw-up with bricking modems, is now bricking my radio.
Thanks to all in advance !!!
djmjr77 said:
Hello.
I'm hoping the community can help me out. I have a RAM 1500 with the RA4 (was running the 17.11.07 software that I got pushed to me OTS style a couple of years ago). Since then: problems, radio turn-on delay, no GPS and a cellular phone warning popup.
Just to follow up for anyone who reads this in the future.
I was able to get my uconnect working again a few minutes ago.
As my previous post stated I got stuck in the "bolo update failed" loop.
I downloaded the UCONNECT_8.4AN_RA4_16.33.29_MY16.exe update from the url posted in my previous comment.
I did the S Byte HEX mod to the swdl.iso file, loaded it and the swdl.upd file on a thumb drive. Used HxD on Windows. Followed the section in the Uconnect exploitation PDF:
https://www.google.com/url?sa=t&source=web&rct=j&url=http://illmatics.com/Remote%2520Car%2520Hacking.pdf&ved=2ahUKEwjZsOGNl5nyAhWhGVkFHZy2AnAQFnoECAcQAg&usg=AOvVaw0NAi3a1eh-IRd3n1VHv-ys
When I plugged it in, it started with the update process, after the first unit, the screen said the Uconnect had to restart, please wait..
And voilà, my radio worked again!!! It even says it has the 18.45 firmware on it... go figure. Navigation still does not work, but that's most likely because the Sierra Wireless card is bad.
I cannot say for sure the S Byte thing did anything, because I'm not messing with this anymore; I almost had to buy a new radio.
I would say try it without, then with it if it doesn't work.
This could also be a fluke with my particular unit, but at least it's something else to try rather than paying 600+ dollars!!
Good luck to anyone else who goes through this mess!!!
djmjr77 said:
Just to follow up for anyone who reads this in the future.
I was able to get my uconnect working again a few minutes ago.
I created an account just to reply to this and all I have to say is you're literally an absolute life saver. I've been working on this every day for two weeks now, trying every trick people said, trying every USB, every format, every version and nothing ever worked for me. Uconnect support was absolutely no help and it was a lot of back-and-forth finger pointing and "no, you need to reach out to this person" between them and the dealership. The dealership tried to charge me for a Proxy Alignment when I asked to just update my damn radio stuck in this loop.
I have a 2015 Jeep Cherokee 8.4AN VP4 NA Head Unit 68238619AJ. I was updating from 17.11.07 to 18.45.01 and got stuck at step 11 at 1% and would get a failed Sierra Wireless every time and then got into that "bolo update failed" loop. Well, to fix it just now all I did was download the UCONNECT_8.4AN_RA4_16.33.29_MY16.exe update from the URL posted in the previous comment, quick format a 16GB Micro Center USB to FAT32, extract the files from 16.33.29 to the USB with 7-Zip, plug it in like normal and BOOM, it ran the first step, restarted and I had a working radio again showing update 18.45.01.
(So I'm assuming you don't have to do the S Byte thing; I didn't even mess with it, I just used the 16.33.29 to bypass step 11 since that version only has 14 steps and 18.45.01 was already preloaded from attempting before. My navigation still shows the wrong address but I don't care about all that, just thankful to have my radio back before my wife killed me for trying to update it by myself.)
I hope this helps someone else one day because it took some deep research and hours on hours of forum hopping to finally find the solution. <3
Do you have another link to download the UCONNECT_8.4AN_RA4_16.33.29_MY16.exe files? I am trying to help a friend of mine the way this helped me. Thank you again for this!

Locked bootloader, cannot OEM Unlock or access USB Debugging

Short version of question: How can I unbrick my ONEPLUS 3 (A3000) if I cannot boot to Android and OEM Unlock AND USB Debugging both have not been enabled?
Long version: The phone was recently purchased second hand from a third-party market (Kijiji, kind of like Craigslist for Canadians). The person I bought it from claimed in the ad that the device was in a bootloop and couldn't access the OS. I had in the past successfully saved a ONEPLUS 1 from bricked status, so I didn't feel a simple bootloop would pose much of an issue. That, and at the price he was selling I really couldn't turn it down.
I tried various different methods of restoring the phone's partitions, OS, and firmware to stock/custom, but had no real luck with any (I will list below what I have attempted). If there was a root cause of this, I believe it's due to the fact that some part of the phone's storage partition (boot or system if I had to guess) had become corrupted at some point. Given the volume of threads I've seen here and elsewhere online, I wouldn't rule out a bad OTA flash, but it doesn't really matter. What does matter, however, is that the Android OS is inaccessible despite my best efforts, and the bootloader is set to locked and ADB Debugging remains off.
Generally speaking, is there a way to access Developer Options to correct both these issues through terminal or a tool? I'm confident that I can get my device working again if I could access this menu, but as of yet I have had no luck.
Methods used to restore/info worth mentioning
While I don't doubt their effectiveness at large, for whatever reason I have yet to find a tool/guide that yields the anticipated results upon completion. MSM Download Tool (V3 and V4) have both been downloaded, executed, and completed numerous times, but will still not boot past the loading screen upon completion.
According to Unified Android Toolkit, my device build is being detected as "OnePlus3 7.0 NRD90M" and All-in-One Toolkit is showing that Android 6.0.1 is installed.
Drivers are all installed correctly, as proven both via tools downloaded and through Windows CMD terminal (adb devices, fastboot devices, adb get-state, etc)
Stock recovery and bootloader modes can both be reached through both hardware keys and software commands. I will note that it seems to take longer than I'd expect to boot to either of these modes using hardware keys.
I have utilized multiple USB ports, Type-C cables, and different OSes on two laptops (MS Windows 10 and 7, FWUL Linux). I usually have no problem with the device being detected by the system. When I have, it usually involved one pesky USB cord.
Common commands used and their effects:
fastboot OEM unlock: fails, cannot be done remotely
fastboot flash x: fails, remote: flashing partitions not allowed
ADB push: fails. cannot access partition
ADB devices: device is seen by system with serial and state
fastboot devices: device is seen by system with serial
ADB sideload: varying results. Some will fail at 0% citing "total xfer: 0.00x", some will reach 47% and fail (always exactly 47% oddly). Generally if the sideload operation passes 47% it will complete.
fastboot format/erase x: fails, partition formatting/erasing not allowed
fastboot continue: executes, but does not help with android bootloop issue as I had hoped
While I searched for an answer online, I did come across an infosec whitepaper regarding ONEPLUS 3 vulnerabilities, though it was over a year old. To my surprise, the command they had been entering works on my device, but I'm not sure how to use it effectively. The command used was fastboot OEM boot_mode [rf/wlan/ftm/normal]. Now, I was unable to determine what each of the triggers does, but what I did discover is that with boot_mode set to rf, my device would display Chinese/Korean lettering in lieu of the usual ONEPLUS logo with "powered by Android" below. This is also how I managed to have my device show up in the CMD terminal for ADB commands to be issued. To the best of my knowledge though, there doesn't seem to be much point to it as I couldn't push/pull any files. Does anybody know where I could find more info on this command, as I'd like to know what the other triggers accomplish?
I've just about exhausted every available resource looking for an answer, but I'm still coming up short. I've gone as far as contacting ONEPLUS directly, but without proof of purchase they can't (more accurately won't) help me. And while it's not a business practice I would personally support, I can understand why they have it implemented. I've contacted a few phone shops in the area, but none have been able to assist me further than I've already gotten in this process.
I apologize again for creating a new thread about this, but I felt my circumstances warranted a new thread due to the bulk of the others having either an unlocked bootloader or TWRP installed, neither of which I do.
So, can anybody offer their help or suggest something I haven't already tried? Or should I be on eBay looking for motherboards? Thanks in advance.
Thanks for the exhaustive description. You seem to have covered every known method. If the MSM Tool also fails, I think that it is a hardware issue and you are better off searching for a new motherboard instead of wasting further time on trouble-shooting.
Best of luck!
tnsmani said:
Thanks for the exhaustive description. You seem to have covered every known method. If the MSM Tool also fails, I think that it is a hardware issue and you are better off searching for a new motherboard instead of wasting further time on trouble-shooting.
Best of luck!
I was afraid of that..... is there a way to test a given hardware component?
Have you tried the unbrick tool FULL updated: https://mega.nz/#!NmhhgZyB!CM7Fw8VjECiMIhh4gRXUx24QVCiE599_ZFAPDf08AiM
acetone802000 said:
Have you tried the unbrick tool FULL updated: https://mega.nz/#!NmhhgZyB!CM7Fw8VjECiMIhh4gRXUx24QVCiE599_ZFAPDf08AiM
Indeed I have, dozens of times between the full and mini versions. I've even gone as far as running the toolkits featuring MSMDownloadTool v4.0 to see if it achieved different results (it did not). The mini tool would finish doing its thing (turned the text green upon completion), but I would face varying partitions not being flashed correctly. The full version completes and does not have these varying partitions missing, but the device would then be either stuck in a bootloop where it will eventually reboot itself, or would hang indefinitely on the "swirling dots" loading screen. I tried the remedy of deleting cache in recovery, but this did not help.
deleted
***UPDATE*** - As I mentioned in this thread earlier, I noticed a discrepancy between the variant type listed on my actual device and the variant type returned when queried via fastboot. This got me thinking, and to make a long story somewhat shorter, I found that while most stock Oxygen images I attempt to sideload onto the device fail (at precisely 47%, oddly), I was able to sideload two different Hydrogen images without any resistance at all. I'm guessing something to do with the eMMC vs UFS file storage systems and how each OS uses them.
So I got Hydrogen flashed onto my device. Smooth sailing, right? Afraid not. Despite fastboot's output clearly stating it was a successful transfer, and the stock recovery on the device echoing this, I still cannot get the OS to load. Now I'm stuck with the loading screen hanging indefinitely prior to the animation occurring, so basically the static ONEPLUS logo. Factory resets and cache wipes have done nothing to help the situation along. Conventional wisdom from the threads here seems to say using the MSMTool is the right answer..... and thus the circle of frustration is complete with me arriving back where I started. Does anybody have another suggestion I can try out? Still can't flash/boot to TWRP, unlock the bootloader, or access Android to activate USB Debug/OEM Unlock either, btw.
Have you tried flashing just the firmware? I haven't flashed in years, but I would assume you could sideload the firmware as well?
voodooline said:
Have you tried flashing just the firmware? I haven't flashed in years, but I would assume you could sideload the firmware as well?
Guess who didn't read? And after a year without flashing + a lack of reading skills, you still think you could solve this case? That's the spirit.
===
You'd better PM some devs in the dev section and point them to this thread to see if they can help, if you are still curious.
My guess is a dead eMMC; it can be replaced without buying the whole board.
150208 said:
Guess who didn't read? And after a year without flashing + a lack of reading skills, you still think you could solve this case? That's the spirit.
===
You'd better PM some devs in the dev section and point them to this thread to see if they can help, if you are still curious.
My guess is a dead eMMC; it can be replaced without buying the whole board.
I did read it; it's funny, there's always someone who has to be a **** about things. I should have been more specific. He was able to flash H2OS. So he could try to flash the firmware for H2OS to see if that gets it to boot.
voodooline said:
I did read it; it's funny, there's always someone who has to be a **** about things. I should have been more specific. He was able to flash H2OS. So he could try to flash the firmware for H2OS to see if that gets it to boot.
Magnificent, bro.
You're truly a genius.