Research on tags file... and tweaks ;-) - Gen9, Gen10 General

Hi guys,
I started some research a while ago on the internal structure of the flash memory on the G9 series,
especially the parts that are involved in telling the kernel how to behave on different models.
I am talking about the FTAG section, a.k.a. tags.
To get a better idea of how this file is organized, I need to compare different tags files from the rawfs section of our devices.
This is where I need your help.
Please copy the file /mnt/rawfs/tags and post it here.
It's only 512 bytes in size, so you might rename it to tags_model.bin and post it here.
I would mostly need the tags from the turbo models:
- A80G9 turbo
- A101G9 turbo
RAM size doesn't matter, but it would be nice to mark it if you've got a 1 GByte device.
EDIT:
Here's what I tried to figure out so far (A80G9 with 8GB)...
EDIT2:
now with the turbo flag and other additional flags...
Code:
05 00 00 00
01 00 00 00
34 12 A0 FE FEATURE_LIST_MAGIC=0xFEA01234
01 00 00 00 FEATURE_LIST_REV=0x00000001
feature_tag_header
00 00 00 00 size=0x0
13 00 00 00 tag=0x00000013
02 00 00 00 41 38 30 53 FTAG_PRODUCT_NAME=A80G
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00
A8 13 00 00 id=0x000013A8=5032
06 00 00 00 FTAG_PRODUCT_ZONE
03 00 00 00 FTAG_PRODUCT_SERIAL_NUMBER
67 12 00 00 00 00 00 00 serial=0x00001267=4711
00 00 00 00 00 00 00 00
04 00 00 00
04 00 00 00 FTAG_PRODUCT_MAC_ADDRESS
11 12 13 14 15 11 00 00 addr=11 12 13 14 15 11
03 00 00 00 ???
10 00 00 00 FTAG_BOARD_PCB_REVISION
05 00 00 00 revision=0x5
1A 00 00 00
12 00 00 00 FTAG_SDRAM
65 6C 70 69 vendor=elpida
64 61 00 00 00 00 00 00 00 00 00 00
45 44 42 34 product=EDB4064B2PB
30 36 34 42 32 50 42 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 type=0x0
00 00 00 00 revision=0x0
00 00 00 00 flags=0x0
90 01 00 00 clock=0x00000190=400
00 00 00 00 param_0
00 00 00 00 param_1
00 00 00 00 param_2
00 00 00 00 param_3
00 00 00 00 param_4
00 00 00 00 param_5
00 00 00 00 param_6
00 00 00 00 param_7
03 00 00 00 ???
13 00 00 00 FTAG_PMIC
01 00 00 00 FTAG_PMIC_TPS62361
04 00 00 00 flags=0x00000004
20 00 00 00 FTAG_SERIAL_PORT
01 00 00 00 uart_id=0x00000001
40 42 0F 00 speed=0x000F4240=1000000
05 00 00 00 ???
01 00 01 00 FTAG_HAS_GPIO_VOLUME_KEYS
2B 00 00 00 gpio_vol_up=0x0000002B
2C 00 00 00 gpio_vol_down=0x0000002C
00 00 00 00 flags=0x0
0F 00 00 00
18 00 01 00 FTAG_SCREEN
43 4D 49 00 00 00 00 00 00 00 00 00 vendor=CMI
00 00 00 00
00 00 00 00 type=0x0
00 00 00 00 revision=0x0
00 00 00 00 vcom=0x0
C8 00 00 00 backlight=0x000000C8=200
00 00 00 00 00 00 00 00 00 00 00 00 reserved
00 00 00 00 00 00 00 00
03 00 00 00 ???
14 00 00 00 FTAG_TURBO
01 00 00 00 flag=0x1
07 00 00 00 ???
06 00 00 00 ???
30 00 00 00 ??? ;set to 0x31 on A101S
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
As I said, the file is 512 bytes in size and I tried to group the FTAGs based on the header from the kernel (/arch/arm/include/asm/feature_list.h).
Some entries make no sense yet... but maybe they will once you post some of your files.
BTW, as you might see there's no turbo flag on my device yet.
Thanks a lot in advance!
Regards,
scholbert

Hi!
Here's the tag file of my archos:
Model: Archos 80G9 1.5GHz 1GByte RAM 16GByte

hmm
remote object '/mnt/rawfs/tags' does not exist

Shano56 said:
hmm
remote object '/mnt/rawfs/tags' does not exist
su ftw
I'll provide the A101S tags file (512 MB, 1 GHz) tomorrow.
BTW- max cpu clock is determined by cpu microcode, kernel checks this AFAIK
Sent from my Archos Gen9 101

Psh, I hate that Android needs su to copy a file. scholbert, I might flash rooted firmware later; do you need A80G9 OMAP4460, 1GB RAM, 8GB flash?

Shano56 said:
Psh, I hate that Android needs su to copy a file
This is not a user-accessible location after all.
Tags file attached

...coooool !!!
Hey,
thanks a lot for the feedback and the tags files.
Of course you need root access to get at /mnt/rawfs.
I forgot to mention that, obviously...
gen_scheisskopf said:
BTW- max cpu clock is determined by cpu microcode, kernel checks this AFAIK
Yupp, that's how it mainly works out... but there's also an effect of FTAG_TURBO on the stock kernel, if we're speaking about clocking.
That's why I started these investigations.
Those devices that came equipped with the OMAP4430 high-performance version but got the standard 1GHz could easily be transformed into the turbo version by exchanging the tags file, I guess. No need to use a custom kernel here.
Root access would be required though.
I'll check that out in the next days and describe the procedure here, if there's some interest.
Quallenauge said:
Here's the tag file of my archos:
Model: Archos 80G9 1.5GHz 1GByte RAM 16GByte
Thanks a lot for this file.
As you can see in the attached pic, your device has the turbo flag set.
On the left it's my 1GHz device, on the right it's your 1.5GHz.
BTW, which processor is inside your device?
I guess it's a 4460, isn't it?
Anyway, the arrangement of the turbo flag was what I was looking for in the first place.
There are other settings which could be interesting as well...
Stay tuned!
scholbert

scholbert said:
I guess it's a 4460, isn't it?
It has to be; 4430 Turbo models were clocked at 1.2GHz (and had 512MB RAM).

Here is my contribution to your research.
This comes from a 101G9 1.5GHz Turbo with 512MB RAM. It says board version A101S-V5 (T1) and OMAP version 4460 ES1.1, if that helps.

gen_scheisskopf said:
It has to be; 4430 Turbo models were clocked at 1.2GHz (and had 512MB RAM).
Yes, indeed! It is a 4460 ES1.1 CPU.

DIY turbo tablet
Hey,
good news everyone. I was able to replace my standard tags file with a turbo one.
It just worked...
Now my standard device is clocked at 1.2GHz right away, even with the stock kernel.
It's a little bit tricky though, and if you'd like your device tuned up the most, please follow surdu_petru's way and use his overclock kernel.
First I found out that the tags file varies a little bit even on devices of the same series.
Seems to be related to the avboot version used on the pad.
Anyway, the tags file is located in the 771st block of mmcblk0.
All steps can be done using an Android terminal program. You'll need root access.
The rawfs partition should be unmounted first, so as not to confuse the kernel in any way.
Afterwards there are only 512 bytes to be replaced and voilà.
If you'd like more info please tell me, but beware... if something goes wrong you might easily brick your tablet.
EDIT:
The device now shows up as A80S-V5 (T1) in Settings->About tablet->Board version.
I guess this stands for turbo version 1 ([email protected], 512MB RAM).
Could anyone confirm this on a "real" turbo device?
What other versions are known?
Cheers,
scholbert
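As an added example (my code, not scholbert's tool and not the Archos kernel's), here is a parser for the 512-byte tags block dissected in the first post, together with the in-place FTAG_TURBO rewrite this post describes. It assumes the entry layout of the kernel's feature_list.h follows the ARM ATAG convention: a header of two little-endian u32 words, the entry size in 32-bit words including the header and then the tag id, with a size of 0 terminating the list; that is the grouping the dump above falls into (5 words for the core entry, 0x13 for the product name, 0x1A for the SDRAM entry, and so on). The tag ids and field layouts are read off that dump and are assumptions, and the sample block is constructed from it. The point worth keeping in mind is that the kernel trusts whatever sits in that raw block, so a block should be structurally validated (magic, every size word, terminator) before it is written back, and a block without an FTAG_TURBO entry is refused rather than extended.

```python
import struct

# Tag ids as the first post's annotations name them. Values are read off that dump and
# are ASSUMED to match arch/arm/include/asm/feature_list.h of the Archos Gen9 kernel.
FTAG_CORE, FTAG_PRODUCT_NAME, FTAG_PRODUCT_SERIAL_NUMBER = 0x1, 0x2, 0x3
FTAG_PRODUCT_MAC_ADDRESS, FTAG_PRODUCT_ZONE, FTAG_BOARD_PCB_REVISION = 0x4, 0x6, 0x10
FTAG_SDRAM, FTAG_PMIC, FTAG_TURBO, FTAG_SERIAL_PORT = 0x12, 0x13, 0x14, 0x20
FTAG_HAS_GPIO_VOLUME_KEYS, FTAG_SCREEN = 0x00010001, 0x00010018
FEATURE_LIST_MAGIC = 0xFEA01234
TAGS_SIZE = 512  # the tags file is one 512-byte block

def _cstr(b):  # NUL-terminated ASCII field -> str
    return b.split(b"\0", 1)[0].decode("ascii", "replace")

def _words(names, fmt, p, off=0):  # little-endian u32 fields -> dict
    return dict(zip(names, struct.unpack_from(fmt, p, off)))

# Payload decoders, following the field grouping in the first post.
DECODERS = {
    FTAG_CORE: lambda p: _words(("magic", "rev", "flags"), "<3I", p),
    FTAG_PRODUCT_NAME: lambda p: {"name": _cstr(p[:64]), "id": struct.unpack_from("<I", p, 64)[0]},
    FTAG_PRODUCT_SERIAL_NUMBER: lambda p: {"serial": struct.unpack_from("<Q", p)[0]},
    FTAG_PRODUCT_MAC_ADDRESS: lambda p: {"mac": ":".join(f"{x:02x}" for x in p[:6])},
    FTAG_PRODUCT_ZONE: lambda p: {"zone": _cstr(p)},
    FTAG_BOARD_PCB_REVISION: lambda p: _words(("revision",), "<I", p),
    FTAG_SDRAM: lambda p: {"vendor": _cstr(p[:16]), "product": _cstr(p[16:48]),
                           **_words(("type", "revision", "flags", "clock"), "<4I", p, 48)},
    FTAG_PMIC: lambda p: _words(("flags",), "<I", p),
    FTAG_TURBO: lambda p: _words(("flag",), "<I", p),
    FTAG_SERIAL_PORT: lambda p: _words(("uart_id", "speed"), "<2I", p),
    FTAG_HAS_GPIO_VOLUME_KEYS: lambda p: _words(("vol_up", "vol_down", "flags"), "<3I", p),
    FTAG_SCREEN: lambda p: {"vendor": _cstr(p[:16]),
                            **_words(("type", "revision", "vcom", "backlight"), "<4I", p, 16)},
}

def walk(blob):
    """Yield (offset, tag, payload). ASSUMPTION: ATAG-style header of two little-endian
    u32, size in 32-bit words (header included) then tag id; size 0 ends the list."""
    if len(blob) != TAGS_SIZE:
        raise ValueError(f"tags block must be {TAGS_SIZE} bytes, got {len(blob)}")
    off = 0
    while True:
        if off + 8 > len(blob):
            raise ValueError("list runs off the end of the block without a terminator")
        size, tag = struct.unpack_from("<II", blob, off)
        if size == 0:
            return
        end = off + size * 4
        if size < 2 or end > len(blob):
            raise ValueError(f"bad size {size} for tag {tag:#x} at offset {off:#x}")
        yield off, tag, blob[off + 8:end]
        off = end

def parse_tags(blob):
    """Decode the block into {tag id: fields}; the first entry must be FTAG_CORE
    carrying FEATURE_LIST_MAGIC, otherwise the block is rejected."""
    out = {}
    for i, (off, tag, payload) in enumerate(walk(blob)):
        if i == 0 and tag != FTAG_CORE:
            raise ValueError(f"first entry is tag {tag:#x}, not FTAG_CORE")
        try:
            out[tag] = DECODERS[tag](payload) if tag in DECODERS else {"raw": payload}
        except struct.error as e:
            raise ValueError(f"tag {tag:#x} at {off:#x}: payload too short") from e
    if FTAG_CORE not in out or out[FTAG_CORE]["magic"] != FEATURE_LIST_MAGIC:
        raise ValueError("FEATURE_LIST_MAGIC not found")
    return out

def set_turbo(blob, enabled):
    """Copy of blob with the FTAG_TURBO flag rewritten in place. Refuses to add the entry
    when absent (layouts differ between avboot versions), so no other byte moves."""
    parse_tags(blob)  # validate the whole structure before patching anything
    for off, tag, _ in walk(blob):
        if tag == FTAG_TURBO:
            return blob[:off + 8] + struct.pack("<I", 1 if enabled else 0) + blob[off + 12:]
    raise ValueError("no FTAG_TURBO entry in this tags block; not adding one")

def _tag(tag, payload):  # encode one entry: pad to 4 bytes, size in words incl. header
    payload += bytes(-len(payload) % 4)
    return struct.pack("<II", 2 + len(payload) // 4, tag) + payload

# Constructed sample: the A80G9 dump from the first post, re-encoded field by field.
_body = b"".join([
    _tag(FTAG_CORE, struct.pack("<3I", FEATURE_LIST_MAGIC, 1, 0)),
    _tag(FTAG_PRODUCT_NAME, b"A80S".ljust(64, b"\0") + struct.pack("<I", 0x13A8)),
    _tag(FTAG_PRODUCT_SERIAL_NUMBER, struct.pack("<Q", 0x1267) + bytes(8)),
    _tag(FTAG_PRODUCT_MAC_ADDRESS, bytes.fromhex("111213141511") + bytes(2)),
    _tag(FTAG_BOARD_PCB_REVISION, struct.pack("<I", 5)),
    _tag(FTAG_SDRAM, b"elpida".ljust(16, b"\0") + b"EDB4064B2PB".ljust(32, b"\0")
         + struct.pack("<12I", 0, 0, 0, 400, *[0] * 8)),
    _tag(FTAG_PMIC, struct.pack("<I", 1)),
    _tag(FTAG_SERIAL_PORT, struct.pack("<2I", 1, 1000000)),
    _tag(FTAG_HAS_GPIO_VOLUME_KEYS, struct.pack("<3I", 0x2B, 0x2C, 0)),
    _tag(FTAG_SCREEN, b"CMI".ljust(16, b"\0") + struct.pack("<4I", 0, 0, 0, 200) + bytes(20)),
    _tag(FTAG_TURBO, struct.pack("<I", 1)),
    _tag(FTAG_PRODUCT_ZONE, b"0".ljust(20, b"\0")),
])
SAMPLE_TAGS = _body + bytes(TAGS_SIZE - len(_body))  # zero terminator + padding to 512
```

Run parse_tags over a dumped tags file before and after editing, and only write a block back if it still parses; a wrong size word shifts every entry after it, which is the kind of mistake the warning about bricking above refers to. Note that the 16 zero bytes after the zone tag in the dump are payload of that 7-word entry, so the terminator is the zero word that follows them, not the first zero word you see.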

Did you have a chance to compare A101S tags files?
Sent from my Archos Gen9 101

Hi gen_scheisskopf!
gen_scheisskopf said:
Did you have a chance to compare A101S tags files?
Basically no problem, it's the same thing for the A101S.
As you posted a tags file from an A101S, I guess it's from your tablet.
Problem is this:
http://forum.xda-developers.com/showpost.php?p=27648801&postcount=17
Especially the second part related to the A101...
I suspect the missing core regulator is the cause of some instabilities on some A101S while overclocking.
So if we tweak your tags file to identify the board as turbo, it will boot at 1.2GHz as well. If this fails, you're in a boot loop which would be hard to fix...
Have you tried surdu_petru's overclock kernel already?
Is your tablet stable at 1.2GHz?
If it runs stable at 1.2GHz we could try tweaking the tags...
Regards,
scholbert

scholbert said:
Problem is this:
http://forum.xda-developers.com/showpost.php?p=27648801&postcount=17
Especially the second part related to the A101...
Yes, I've seen this.
Is there a possibility to determine the onboard hardware (power regulator) using the board revision (V5 in my case), or is it the same for all devices?
I didn't check if .aos updates make changes to the tags file (they can change the params file for sure; plugins).
scholbert said:
I suspect the missing core regulator is the cause of some instabilities on some A101S while overclocking.
So if we tweak your tags file to identify the board as turbo, it will boot at 1.2GHz as well. If this fails, you're in a boot loop which would be hard to fix...
That's why I'm asking before doing anything.
scholbert said:
Have you tried surdu_petru's overclock kernel already?
Is your tablet stable at 1.2GHz?
If it runs stable at 1.2GHz we could try tweaking the tags...
Regards,
scholbert
I still use the 3.2.80 firmware; my Gen9 doesn't "like" the ICS/3.x kernel (it runs much hotter than on 2.6.3x, random system hangs and, last but not least, vibrator support not included). And TBH I don't need overclocking, but if there were an option to underclock it without SetCPU/No Frills CPU Control....

scholbert said:
The device now shows up as A80S-V5 (T1) in Settings->About tablet->Board version.
I guess this stands for turbo version 1 ([email protected], 512MB RAM)
Could anyone confirm this on a "real" turbo device?
What other versions are known?
Cheers,
scholbert
Yes, mine is A80S-V5 (T1) aka "80 G9 250GB hdd".

DragosP2010 said:
Yes, mine is A80S-V5 (T1) aka "80 G9 250GB hdd".
Nice... a little strange though... the HDD version should be an A80H-V5 (T1).
Is it a turbo version?
Which processor?
Would you mind posting the tags file?
See first posts.
Regards,
scholbert

gen_scheisskopf said:
Yes, I've seen this.
Is there a possibility to determine the onboard hardware (power regulator) using the board revision (V5 in my case), or is it the same for all devices?
To be honest, I'm not sure if the board revision truly indicates which parts are soldered on the mainboard.
AFAIK V5 boards are very common... and as far as I can tell A80S and A101S mainboards are nearly the same.
The TPS62361B is controlled by I2C, so maybe you find something in kernel messages or sysfs.
You can tell for sure if you get your device dismantled.
gen_scheisskopf said:
I didn't check if .aos updates make changes to the tags file (they can change the params file for sure; plugins).
AFAIK the tags file is left untouched during updates.
It is set by the factory and scholbert only
gen_scheisskopf said:
I still use the 3.2.80 firmware; my Gen9 doesn't "like" the ICS/3.x kernel (it runs much hotter than on 2.6.3x, random system hangs and, last but not least, vibrator support not included). And TBH I don't need overclocking, but if there were an option to underclock it without SetCPU/No Frills CPU Control....
Mmmh, strange stuff... maybe it's not the best hardware.
For underclocking, the tags file should be left untouched...
Regards,
scholbert

scholbert said:
To be honest, I'm not sure if the board revision truly indicates which parts are soldered on the mainboard.
AFAIK V5 boards are very common... and as far as I can tell A80S and A101S mainboards are nearly the same.
The TPS62361B is controlled by I2C, so maybe you find something in kernel messages or sysfs.
You can tell for sure if you get your device dismantled.
I can't do it now; the charger died and I don't know if the RMA will require the charger only or the charger AND the tablet...
/sysfs/devices/i2c/1-0048/name says twl6030.
scholbert said:
Mmmh, strange stuff... maybe it's not the best hardware.
Or the kernel was made primarily for the OMAP4460 (Honeycomb seems to be made for the OMAP4430, judging by the defconfigs).

A80S-V5 (T1)
Using the Archos 80G9 Turbo 1.5GHz and 1GB RAM

scholbert said:
Nice... a little strange though... the HDD version should be an A80H-V5 (T1).
Is it a turbo version?
Which processor?
Sorry, sorry... Yes, it's turbo, it's HDD AND it's A80H.
scholbert said:
Would you mind posting the tags file?
See first posts.
Maybe in the evening or tomorrow.

Related

Howto edit a .nbf file?

Hi all,
can you explain to me how to edit or convert an nbf file (specifically, an FSC N560 ROM, WM6.0) to view the ROM content?
I found many applications for HTC models, but none was good for my ROM...
thank you.
anyone who can help me?
I imagine you would need a kitchen
yes, but which kitchen???
try this link on how to cook a rom
http://forum.xda-developers.com/showthread.php?t=313920
joel2009 said:
try this link on how to cook a rom
http://forum.xda-developers.com/showthread.php?t=313920
thanks.
but still no answers...
http://www.google.com/search?rlz=1C...eid=chrome&ie=UTF-8&q=how+to+edit+an+nbf+file
try that
found nb and nbh..........
NBHextract (http://forum.xda-developers.com/showthread.php?t=289830) - Extract contents from NBH files
htc rom tool (http://forum.xda-developers.com/showthread.php?t=311909) - Repack NBH files from *.nb files
sorry, I already tried these 2 links... but they don't help me...
Newplow suggested these 2 links instead for the beginning... but how to begin?
http://forum.xda-developers.com/showthread.php?t=298327
http://wiki.xda-developers.com/index.php?pagename=OEM Package Tutorial
According to here, nbf can be extracted using WinZip or WinRAR..... that's a start..........
joel2009 said:
According to here nbf can be extracted using winzip or winrar..... thats a start..........
thanks for the help, but..
nbf is not an archive. If you try to open it with WinRAR it will open as an unknown file... it needs to be decoded and opened with a hex editor, I think...
I think you have to use HTC64_Extended_ROM_Tool.exe to decode your nk.nbf file; you will obtain nk.fat and nk.prj. Keep nk.fat, rename it to os.nb and go on with imgfstools. I hope it works this way.
HAHA, well I'm glad I was of some use.... I kept bumping it to the top until someone finally got to it that knew what the hell this was. I do everything but cook; I probably ought to try, but it sounds pretty time consuming..... Oh well, best of luck to you
I've tested these steps with an HTC Universal ROM and it worked; then you can extract the os.nb file in a very simple way with Bepe's "dumprom.exe". After this, use PackageTool and you will have SYS and OEM folders.
sorry but it can't work with this file... if I run dumprom directly on the nbf I can extract 2.02 MB of files (I think the bootloader, because the file names are all similar: boot*...something).
If I use htc64 it doesn't work at all... it gives an error, extracting just 512 KB... which makes no sense...
Please could you try with this file, in case I'm making some error...?
fsc.newplowe.com/cgi-bin/files/dl.pl?file=N560.WM6.0.038g.SDHC.SQL.7z
thank you for the help!
SOLUTION!
Ok,
I've downloaded your file and tested it. To extract the os.nb, follow these steps:
1) open your os_213U.nbf with a hex editor; from the start you will see this:
Code:
4E 35 36 30 00 00 00 00 00 00 00 00 00 00 00 32
2E 31 33 2E 30 30 30 31 20 45 4E 47 00 00 D7 07
58 F3 00 00 0C 02 00 00 04 80 E9 FD FF 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2) cut the first 42 bytes (everything before E9 FD FF), then your file will start like this:
Code:
E9 FD FF 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
3) save this file as "os.nb", then go on with dumprom or imgfstool!
That's ALL!
I think that you can edit your ROM, and at the end you have to reinsert those 42 header bytes at the beginning of your new ROM and rename it to .nbf.
Thanks for this help!!!
Tomorrow I will try... it could be a very significant beginning, I hope...
Are you Italian, by any chance?
Thanks a lot!!!
Of course I'm Italian!!
If you need more help, don't hesitate to ask, also via PM.
davideuck said:
Of course I'm Italian!!
If you need more help, don't hesitate to ask, also via PM.
I've tried this method; now dumprom doesn't work, but... nbinfo shows the ROM structure perfectly!
Now I want to extract the various parts... but I don't know how exactly to proceed...
Can you help me?
Can I contact you via IM?
Thank you!

HTC p3300 problem

I SD-installed a factory ROM, and after reboot it stops at an O2 welcome screen, so apparently it was an O2 WM6 ROM. Is there any way to repair it?
I can enter the bootloader and I have IPL 3.04.0001, SPL 3.04.0000.
I tried to install HTC_P3300_WWE_3.13.405.1_4.1.13.44_02.94.90_Ship_R but I get an INVALID VENDER ID error. I tried SD flash but it doesn't start.
Can anyone give me a link to an HTC P3300 WM5 factory ROM?
41 52 54 45 31 30 30 30 30 00 00 00 00 00 00 00 ARTE10000.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
48 54 43 5F 5F 48 31 30 00 00 00 00 00 00 00 00 HTC__H10........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............
cid HTC__H10
which rom should I install?

Update rom problem - bootloader only

I SD-installed a factory ROM, and after reboot it stops at an O2 welcome screen, so apparently it was an O2 WM6 ROM. Is there any way to repair it?
I can enter the bootloader and I have IPL 3.04.0001, SPL 3.04.0000.
My CID is ARTE1000 and I tried to install HTC_1.12.405.01_026790_WWE_SHIP. I verified with a hex editor that this ROM is ARTE1000 but I still get INVALID VENDER ID.
Why?
41 52 54 45 31 30 30 30 30 00 00 00 00 00 00 00 ARTE10000.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
48 54 43 5F 5F 48 31 30 00 00 00 00 00 00 00 00 HTC__H10........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............
cid HTC__H10
which rom should I install?
topic closed
I used the original ROM and it worked; H__10 is Norwegian.

[GUIDE] How to get xoom cdma version running on other CDMA EvDO network

(There may be something missing in the following steps. If you run into a problem, feel free to give feedback.)
It works on the Xoom CDMA 3.0/3.1 version.
After upgrading to 3.1 the pppd configuration file was reset, so step 2.13 has to be redone to get the 3G connection back.
1. Preparing
1.1 AN & AAA
AN & AAA can be understood as the user name and password of the EvDO network.
AN: you can get the AN from your phone through CDMA Workshop, QPST or QXDM.
AAA: you can get the AAA from some phones by using CDMA Workshop, such as the HTC EVO 4G. Maybe you can get the AAA from the provider as well.
In this post I assume the AN is "[email protected]".
1.2 SID & NID
System ID & Network ID of the provider, which can be found with a search engine.
1.3 Tools
Install CDMA Workshop and "HW virtual serial port" (HWVSP) on a Windows PC.
In HWVSP, uncheck the "NVT enabled" option to disable NVT (Network Virtual Terminal, RFC 2217), or you will be unable to connect to the Xoom. (thanks lesjaw for pointing this out)
If you can read Chinese, I would prefer VSPM instead of HWVSP to create the virtual serial port, because VSPM is much faster.
It has a free version, which can be downloaded at http://www.powerip.net/product_VSPM.htm.
1.4 Important tips
Before making changes, write down or back up the original data so you can recover it.
2. Hacking
2.1 Switching the Xoom to DIAG mode
Hold the VOL-UP & VOL-DOWN buttons, then press the power button for about 5 seconds, until you see the following text in the upper-left corner:
Code:
Powering on BP
Cold-booting Linux
Reading ODM fuse:1
(PS: you can do this at any time, no need to turn off the Xoom.)
2.2 Connecting the Xoom to the Windows PC
Method 1: through a USB cable
After connecting the Xoom and the PC by USB cable, you get a network adapter named "Motorola USB Networking Driver"; the PC gets IP 192.168.16.1 and the Xoom gets IP 192.168.16.2.
Method 2: through WiFi
Connect the Xoom & PC to the same WiFi network.
2.3 Creating the DIAG port on the Windows PC
Run "HW virtual serial port" or another virtual port tool and create a virtual serial port to
IP: 192.168.16.2 (USB method) or XXX.XXX.XXX.XXX (Xoom WiFi address)
port: 11008
2.4 Connect to the DIAG port
Run CDMA Workshop, or another tool such as QPST, and select the virtual serial port created in step 2.3 as the DIAG port.
2.5 Write PRL
Write the correct PRL into the Xoom using CDMA Workshop or another tool.
2.6 Change MDN
Dir_Number (MDN): change Dir_Number to the first 10 digits of the AN.
You can also change the MDN in step 2.12.
2.7 Change AN
We cannot modify the AN through CDMA Workshop or QPST directly.
To change the AN, we have to write some NV items: 8040, 8041, 8042, 8043 and 8091.
Back up the NV items:
read NV items 8040, 8041, 8042, 8043, 8091 through CDMA Workshop.
Modify the NV items:
items 8040, 8041, 8042, 8043, 8091 all get the same content.
Change them to the end part of the AN, excluding the first 10 digits; in this case it's "[email protected]".
You need to convert the string into ASCII codes (for example 35 36 37 38 39 40 6D 79 63 64 6D 61 2E 63 6E).
Write the NV items:
The following is the content of a sample; you can change it, then write it back to the Xoom through CDMA Workshop.
Code:
[NV items]
[Complete items - 5, Items size - 128]
08040 (0x1F68) - OK
35 36 37 38 39 40 6D 79 63 64 6D 61 2E 63 6E 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
08041 (0x1F69) - OK
35 36 37 38 39 40 6D 79 63 64 6D 61 2E 63 6E 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
08042 (0x1F6A) - OK
35 36 37 38 39 40 6D 79 63 64 6D 61 2E 63 6E 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
08043 (0x1F6B) - OK
35 36 37 38 39 40 6D 79 63 64 6D 61 2E 63 6E 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
08091 (0x1F9B) - OK
35 36 37 38 39 40 6D 79 63 64 6D 61 2E 63 6E 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2.8 Confirm the update of the AN
In CDMA Workshop, check HDR Username on the EVDO tab.
2.10 Change IP Behaviour to "Simple IP"
You can do this with CDMA Workshop or QPST.
2.11 Change AAA
Method 1: on the CDMA Workshop EVDO tab, input the AAA (HDR pass), then write it into the Xoom.
Method 2: write NV item 1192 through CDMA Workshop; the sample AAA is 123456.
Code:
[NV items]
[Complete items - 1]
01192 (0x04A8) - OK
06 31 32 33 34 35 36 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
(06: password length; 31 32 33 34 35 36: the password's ASCII codes)
2.12 Change SID, NID
Run the Motorola field test utility in DIAG mode.
The command is:
Code:
am start -a android.intent.action.MAIN -n com.motorola.modemutil/.FieldMenu
Then change to the SID, NID of the provider in "Program Menu".
Take care: only update the fields you really understand.
(If you haven't changed the MDN yet, you can change it here as well.)
You can run the command in a terminal emulator, or through the Android SDK.
(Tips: to run it from adb shell, first download an app named "adbwireless".
Turn on WiFi and connect the PC and the Xoom to the same WiFi AP.
Run adbwireless and turn on adb via WiFi.
It shows IP:port, such as 192.168.X.X:5555.
At the Windows command prompt, run
Code:
adb connect IP: PORT
then run
Code:
adb shell
)
2.13 Modify the Android pppd configuration file
This step may not be necessary.
You need it if you still cannot get a 3G connection after the steps above.
To do this step, you need to root the Xoom first.
Please see other posts about how to root the Xoom.
Code:
adb remount
adb pull /system/etc/ppp/peers/pppd-ril.options
Make a backup of the pppd-ril.options file.
Change
Code:
user [email protected]
password NotUsed
to your PPP dial-up username and password.
In China, it's
Code:
user [email protected]
password vnet.mobi
Save the change and run
Code:
adb push pppd-ril.options /system/etc/ppp/peers
After these operations, you should see the 3G icon in the bottom-right corner.
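As an added example (my code, not hawk2k8's and not any CDMA Workshop tool), here is how the NV-item files for steps 2.7 and 2.11 can be generated from plain strings and read back for checking: the AN suffix (the AN minus its first ten MDN digits) as ASCII zero-padded to 128 bytes into items 8040-8043 and 8091, and the AAA as one length byte followed by its ASCII bytes into item 1192. The text layout follows the sample dumps in the guide; that CDMA Workshop accepts exactly this layout for writing is an assumption, as is the 128-byte size for item 1192 (the guide's second dump omits the size field). The AN suffix in the sample is what the guide's hex bytes decode to; the ten-digit MDN in front of it is a constructed placeholder.

```python
# NV item numbers the guide names: 8040-8043 and 8091 carry the AN suffix, 1192 the AAA.
AN_ITEMS = (8040, 8041, 8042, 8043, 8091)
AAA_ITEM = 1192
ITEM_SIZE = 128   # "Items size - 128" in the guide's sample; ASSUMED for 1192 as well
MDN_DIGITS = 10   # the first 10 digits of the AN are the MDN (step 2.6)

def _padded(data):
    if len(data) > ITEM_SIZE:
        raise ValueError(f"NV payload is {len(data)} bytes, limit is {ITEM_SIZE}")
    return data + bytes(ITEM_SIZE - len(data))

def an_payload(an):
    """Items 8040-8043/8091: the AN with its leading MDN digits removed, as ASCII."""
    if len(an) <= MDN_DIGITS or not an[:MDN_DIGITS].isdigit():
        raise ValueError("AN must start with the 10-digit MDN")
    return _padded(an[MDN_DIGITS:].encode("ascii"))

def aaa_payload(aaa):
    """Item 1192: one length byte, then the password bytes (the guide's 06 31 32 ...)."""
    data = aaa.encode("ascii")
    if not 1 <= len(data) < ITEM_SIZE:
        raise ValueError("AAA must be 1..127 ASCII bytes")
    return _padded(bytes([len(data)]) + data)

def format_nv_file(items):
    """Render {item number: 128-byte payload} in the text layout the guide shows.
    ASSUMPTION: CDMA Workshop reads back exactly this layout."""
    lines = ["[NV items]", f"[Complete items - {len(items)}, Items size - {ITEM_SIZE}]"]
    for num, payload in items.items():
        if len(payload) != ITEM_SIZE:
            raise ValueError(f"item {num}: {len(payload)} bytes")
        lines.append(f"{num:05d} (0x{num:04X}) - OK")
        lines += [" ".join(f"{b:02X}" for b in payload[i:i + 16]) for i in range(0, ITEM_SIZE, 16)]
    return "\n".join(lines) + "\n"

def parse_nv_file(text):
    """Inverse of format_nv_file; also checks every item comes back as 128 bytes."""
    items, cur, buf = {}, None, bytearray()
    for line in text.splitlines():
        if line.startswith("[") or not line.strip():
            continue
        if line.endswith("- OK"):
            if cur is not None:
                items[cur] = bytes(buf)
            cur, buf = int(line.split()[0]), bytearray()
        else:
            buf += bytes.fromhex(line)
    if cur is not None:
        items[cur] = bytes(buf)
    for num, payload in items.items():
        if len(payload) != ITEM_SIZE:
            raise ValueError(f"item {num}: {len(payload)} bytes, expected {ITEM_SIZE}")
    return items

def nv_files_for(an, aaa):
    """The two files the guide writes back: (AN items for step 2.7, AAA item for 2.11)."""
    an_text = format_nv_file({n: an_payload(an) for n in AN_ITEMS})
    aaa_text = format_nv_file({AAA_ITEM: aaa_payload(aaa)})
    return an_text, aaa_text

def an_from_items(items, mdn):
    """Reassemble the AN from a dump of the items: MDN + NUL-stripped suffix.
    All five AN items must carry the same suffix, or the dump is rejected."""
    suffixes = {items[n].split(b"\0", 1)[0].decode("ascii") for n in AN_ITEMS if n in items}
    if len(suffixes) != 1:
        raise ValueError(f"AN items disagree or are missing: {suffixes}")
    return mdn + suffixes.pop()

# Constructed sample. The suffix is what the guide's hex (35 36 37 38 39 40 6D 79 63 64
# 6D 61 2E 63 6E) decodes to; the 10-digit MDN in front of it is a placeholder.
SAMPLE_MDN = "1234567890"
SAMPLE_AN = SAMPLE_MDN + "56789@mycdma.cn"
SAMPLE_AAA = "123456"
```

Generating the file from the string rather than hand-typing hex avoids the off-by-one errors (a missing byte, a wrong length prefix in 1192) that CDMA Workshop will write without complaint; reading the backup taken in step 2.7 through parse_nv_file and an_from_items is the quickest way to confirm what the radio currently holds before overwriting it.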
Hi Hawk, do you need to root before you do this? Thanks.
Also, do we have to change the ESN of the Xoom in China in order to get EvDO? Thank you!
ljwnow said:
Also, do we have to change ESN of the xoom in CHina in order to get evdo? Thank you!
If you just want to use EvDO, then you can ignore ESN modification.
In fact, I'm using the factory ESN of the Xoom now.
BTW, no way has been found to change the ESN of the Xoom. You need to change the ESN on the provider side to get the 1x network working.
For your first question, I think rooting is not necessary for EvDO hacking.
Even without rooting, we can still run the official programming app made by Motorola which I mentioned at the end of the post.
Sent from my Xoom using XDA App
Thanks for your reply. Would you also post a guide for enabling voice and 1x, please? Thank you.
ljwnow said:
Thanks for your reply. Would you also post a guide for enabling voice and 1x, please? Thank you.
I have tried the hidden emergency caller; it told me voice is disabled.
I found some SIP UI built in, so maybe we will see an integrated VoIP caller on Android tablets in the near future.
To enable 1x service, we should change the ESN on the provider side to the factory ESN of the Xoom, then get the changed AKEY from the provider and write it into the Xoom. It succeeded on the Motorola Droid X.
Hawk, great find..
but in step 2.7, writing the NV items, I always get "Phone Does Not Answer".
I use Motorola USB Network to connect my PC to the Xoom.
I use www.whiterabbit.org/android to convert the NV ASCII file..
What is AAA? Does it mean AKEY?
update:
Finally I succeeded in writing the 4 NV items..
but in NAM I still get a SID/NID error; here is the log
Write MIN1... Success
Write MIN2... Success
Write Directory number... Success
Write Banner... Success
Write NAM name... Success
Write MCC... Success
Write MNC... Success
Write SID/NID pairs... Failed
Write Primary channels... Success
Write Secondary channels... Success
Write SCM... Success
Write SCI... Skipped
Write Accolc... Success
Write Current NAM... Success
Write True IMSI... Success
Write PRL status... Success
Write System selection... Success
Write Otapa status... Success
QPST always gives an unspecified error if i open Service Programming; the phone does connect (i can see it in QPST Configuration). i use QPST version 2.7.323, any advice?
lesjaw said:
Hawk, great find..
but in step 2.7 Writing NV Item, i always got "Phone Does Not Answer"
i use Motorola USB Network to connect my PC to the Xoom.
i use www.whiterabbit.org/android to convert the nv ascii file..
what is AAA? does it mean AKEY?
http://www.whiterabbit.org/android/ is great, but some of his items are not necessary for the Xoom. we should just need items 8040, 8041, 8042 and 8043, which are used to generate AN by the radio firmware.
i haven't met the "Phone Does Not Answer" message when using CDMAWorkshop to write these nv_items; maybe you can try to write one item at a time to avoid it.
"what is AAA? does it mean AKEY?"
A CDMA network has 2 services: one is the high-speed EvDO (data-only) service, the other is the low-speed 1x service shared by data and voice.
AAA is the HDR (High Data Rate) password, used in the EvDO service for Authentication, Accounting and Authorization.
AKEY is used in the CDMA-1X network, for voice and 1x service.
lesjaw said:
but in NAM, i still got a SID/NID error, here is the log
QPST always gives an unspecified error if i open Service Programming; the phone does connect (i can see it in QPST Configuration). i use QPST version 2.7.323, any advice?
oh, i forgot it. I changed SID/NID successfully only in the Motorola programming app. (guide is updated)
and QPST 2.7.323 cannot connect to the Xoom, you should upgrade it. QPST 2.7.355 should work.
3G Iusacell/Unefon CDMA or Telcel GSM: what works?
Hi hawk2k8:
My Xoom is an MZ600, I live in Mexico
Can I use your procedure to use my carrier's 3G, Telcel GSM?
or
Maybe buy a 3G SIM from Iusacell or Unefon CDMA?
Please help me
Regards
m4tr1s said:
Hi hawk2k8:
My Xoom is an MZ600, I live in Mexico
Can I use your procedure to use my carrier's 3G, Telcel GSM?
or
Maybe buy a 3G SIM from Iusacell or Unefon CDMA?
Please help me
Regards
No sir, this is for CDMA only.
hawk2k8 said:
oh, i forgot it. I changed SID/NID successfully only in the Motorola programming app. (guide is updated)
and QPST 2.7.323 cannot connect to the Xoom, you should upgrade it. QPST 2.7.355 should work.
i still don't have luck with QPST 2.7.355, have tried QPST 2.7.363 too; it does connect but always times out when i try to read the phone
any other suggested application?
lesjaw said:
i still don't have luck with QPST 2.7.355, have tried QPST 2.7.363 too; it does connect but always times out when i try to read the phone
any other suggested application?
I'm having a similar issue. I am using HW Virtual Serial Port 2.5.10 and QPST 2.7 B3.55. What happens is the USB link is created but the device shows up as "No Phone" in QPST. I am about to try CDMA Ware in a sec.
deflon said:
I'm having a similar issue. I am using HW Virtual Serial Port 2.5.10 and QPST 2.7 B3.55. What happens is the USB link is created but the device shows up as "No Phone" in QPST. I am about to try CDMA Ware in a sec.
2.7.363 does recognize my number.. but i still got time out error after pressing "read Phone" button..
CDMA WS gives me this for NV item 1192
[NV Items]
[Complete items - 0]
1192 (0x04A8) - Access denied
i still can't understand this
2.11 change AAA
Method 1: in the CDMA Workshop EVDO tab, input AAA, then write it into the Xoom.
Method 2: write NV item 1192 through CDMAWorkshop; the sample AAA is 123456.
my carrier's EvDO and 1x password is my MEID, let's say 99000074221234
what should i edit in this?
[NV items]
[Complete items - 1]
01192 (0x04A8) - OK
06 31 32 33 34 35 36 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
lesjaw said:
2.7.363 does recognize my number.. but i still got a time out error after pressing the "read Phone" button..
CDMA WS gives me this for NV item 1192
i still can't understand this
my carrier's EvDO and 1x password is my MEID, let's say 99000074221234
what should i edit in this?
Just realized you are using CDMA WS now and not QPST. I just bought the software but awaiting the key =(
Mode Diag
When I put my Xoom in Diag mode:
Powering on BP
Cold-booting Linux
Reading ODM fuse:1
After 5 - 10 sec, the Xoom auto-boots normally
What is the problem? my Xoom is rooted
m4tr1s said:
When I put my Xoom in Diag mode:
Powering on BP
Cold-booting Linux
Reading ODM fuse:1
After 5 - 10 sec, the Xoom auto-boots normally
What is the problem? my Xoom is rooted
that's normal, just continue the steps of the procedure to inject your carrier
lesjaw said:
2.7.363 does recognize my number.. but i still got a time out error after pressing the "read Phone" button..
CDMA WS gives me this for NV item 1192
i still can't understand this
my carrier's EvDO and 1x password is my MEID, let's say 99000074221234
what should i edit in this?
I tested QPST 2.7.355 on windows 7 just a moment ago.
to slow down the connection between xoom and pc, i created a virtual port via WiFi.
it worked without any error, although the reading speed was a bit slow.
NV-item 1192 is write-only, it cannot be read out.
for AAA=99000074221234, item 1192 should be
Code:
[NV items]
[Complete items - 1]
01192 (0x04A8) - OK
0E 39 39 30 30 30 30 37 34 32 32 31 32 33 34 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0E: password length, 14 in decimal
39 39 30 30 30 30 37 34 32 32 31 32 33 34 : your password
BTW: i have updated the guide, it missed the last step for pppd configuration.
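The 128-byte layout hawk2k8 describes (one length byte, the ASCII password, zero padding) can be checked mechanically before a record is trusted or written. The script below is an added example, not code from any post in the thread or from CDMA Workshop: it parses the text dump format shown above, decodes and validates the record, and rebuilds one from a password. The header and hex-row patterns are assumptions taken from the dumps posted here.

```python
"""Decode / build the CDMA Workshop-style NV item dump shown in the thread.

NV item 1192 is laid out as one length byte followed by the ASCII password,
zero-padded to 128 bytes.  Added example, not from any post in the thread.
"""
import re
from typing import Dict

NV_RECORD_SIZE = 128  # 8 rows of 16 bytes, as in the dumps above

# Constructed sample: the 1192 record from the post above (AAA = 99000074221234)
SAMPLE_DUMP = """[NV items]
[Complete items - 1]
01192 (0x04A8) - OK
0E 39 39 30 30 30 30 37 34 32 32 31 32 33 34 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

# Assumed line shapes, e.g. "01192 (0x04A8) - OK" or "1192 (0x04A8) - Access denied"
ITEM_HEADER = re.compile(r"^\s*(\d+)\s+\(0x([0-9A-Fa-f]+)\)\s+-\s+(\w[\w ]*)$")
HEX_ROW = re.compile(r"^\s*(?:[0-9A-Fa-f]{2}\s+)*[0-9A-Fa-f]{2}\s*$")


def parse_nv_dump(text: str) -> Dict[int, bytes]:
    """Return {item_number: raw_bytes} for every item whose status is OK."""
    items: Dict[int, bytes] = {}
    current = None
    for line in text.splitlines():
        m = ITEM_HEADER.match(line)
        if m:
            number, hex_id, status = int(m.group(1)), int(m.group(2), 16), m.group(3).strip()
            if number != hex_id:
                raise ValueError(f"item {number} header disagrees with 0x{hex_id:04X}")
            current = number if status == "OK" else None  # skip "Access denied" etc.
            if current is not None:
                items[current] = b""
            continue
        if current is not None and HEX_ROW.match(line):
            items[current] += bytes.fromhex(line)
    return items


def decode_len_prefixed(record: bytes) -> str:
    """Decode the length-prefixed ASCII string of an NV 1192 record and check its padding."""
    if len(record) != NV_RECORD_SIZE:
        raise ValueError(f"expected {NV_RECORD_SIZE} bytes, got {len(record)}")
    length = record[0]
    if length > NV_RECORD_SIZE - 1:
        raise ValueError(f"length byte 0x{length:02X} exceeds record size")
    body, padding = record[1:1 + length], record[1 + length:]
    if any(padding):
        raise ValueError("non-zero bytes after the declared password length")
    if not all(0x20 <= b < 0x7F for b in body):
        raise ValueError("password contains non-printable bytes")
    return body.decode("ascii")


def encode_len_prefixed(password: str) -> bytes:
    """Build the 128-byte record for a password (inverse of decode_len_prefixed)."""
    data = password.encode("ascii")
    if not 1 <= len(data) <= NV_RECORD_SIZE - 1:
        raise ValueError("password length out of range for a 128-byte record")
    return bytes([len(data)]) + data + bytes(NV_RECORD_SIZE - 1 - len(data))


def format_nv_dump(item: int, record: bytes) -> str:
    """Render a record in the same text layout as the dumps above (16 bytes per row)."""
    rows = [" ".join(f"{b:02X}" for b in record[i:i + 16]) for i in range(0, len(record), 16)]
    header = ["[NV items]", "[Complete items - 1]", f"{item:05d} (0x{item:04X}) - OK"]
    return "\n".join(header + rows) + "\n"


if __name__ == "__main__":
    items = parse_nv_dump(SAMPLE_DUMP)
    print(decode_len_prefixed(items[1192]))  # 99000074221234
    print(format_nv_dump(1192, encode_len_prefixed("99000074221234")) == SAMPLE_DUMP)
```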
aarrgghh, I have tried 3 different wifi (access point) setups; QPST Service Programming still didn't work, but QPST File Explorer can read the phone.. the only thing left is the NV item for username and password now.. hiks.. phone has signal and shows 1x data but its status is "connecting".. never gets connected..
Update: my mistake.. QPST does work, i must disable "NVT Enabled" in the HWVSP settings
Sent from my Xoom using XDA Premium App
lesjaw said:
aarrgghh, I have tried 3 different wifi (access point) setups; QPST Service Programming still didn't work, but QPST File Explorer can read the phone.. the only thing left is the NV item for username and password now.. hiks.. phone has signal and shows 1x data but its status is "connecting".. never gets connected..
Update: my mistake.. QPST does work, i must disable "NVT Enabled" in the HWVSP settings
Sent from my Xoom using XDA Premium App
Thanks lesjaw I was able to connect to the xoom using QPST after disabling NVT.

Bus pass?

Hi, just wondering if there is anything I could do to make this card's expiry date longer?
It expired on Tuesday. Anything I could do?
** TagInfo scan (version 2.00) 2014-04-13 14:07:30 **
-- INFO ------------------------------
# IC manufacturer:
NXP Semiconductors
# IC type:
MIFARE DESFire EV1 (MF3ICD41)
# DESFire Applications:
ITSO public transport application
Provision of citizen services #0
* UK National Smartcard Project
Provision of citizen services #1
* UK National Smartcard Project
Provision of citizen services #2
* UK National Smartcard Project
Provision of citizen services #3
* UK National Smartcard Project
Provision of citizen services #4
* UK National Smartcard Project
-- NDEF ------------------------------
# NFC data set storage not present:
Maximum NDEF storage size after format: 4094 bytes
-- EXTRA ------------------------------
# Memory information:
Size: 4 kB
Available: 2.2 kB
# IC detailed information:
Capacitance: 17 pF
# Version information:
Vendor ID: NXP
Hardware info:
* Type/subtype: 0x01/0x01
* Version: 1.0
* Storage size: 4096 bytes
* Protocol: ISO/IEC 14443-2 and -3
Software info:
* Type/subtype: 0x01/0x01
* Version: 1.4
* Storage size: 4096 bytes
* Protocol: ISO/IEC 14443-3 and -4
Batch no: 0xBA44D7C6C0
Production date: week 38, 2013
# Authentication information:
Default PICC master key
-- TECH ------------------------------
# Technologies supported:
ISO/IEC 7816-4 compatible
Native DESFire APDU framing
ISO/IEC 14443-4 (Type A) compatible
ISO/IEC 14443-3 (Type A) compatible
ISO/IEC 14443-2 (Type A) compatible
# Android technology information:
Tag description:
* TAG: Tech [android.nfc.tech.IsoDep, android.nfc.tech.NfcA, android.nfc.tech.NdefFormatable]
android.nfc.tech.NdefFormatable
android.nfc.tech.IsoDep
* Maximum transceive length: 261 bytes
* Default maximum transceive time-out: 6000 ms
* Extended length APDUs supported
android.nfc.tech.NfcA
* Maximum transceive length: 253 bytes
* Default maximum transceive time-out: 6000 ms
MIFARE Classic support present in Android
# Detailed protocol information:
ID: 04:81:68:7A:62:36:80
ATQA: 0x4403
SAK: 0x20
ATS: 0x067577810280
* Max. accepted frame size: 64 bytes (FSCI: 5)
* Supported receive rates:
- 106, 212, 424, 848 kbit/s (DR: 1, 2, 4, 8)
* Supported send rates:
- 106, 212, 424, 848 kbit/s (DS: 1, 2, 4, 8)
* Different send and receive rates supported
* SFGT: 604.1 us (SFGI: 1)
* FWT: 77.33 ms (FWI: 8)
* NAD not supported
* CID supported
* Historical bytes: 0x80 |.|
# Memory content:
PICC level (Application ID 0x000000)
* Default PICC master key
* PICC key configuration:
- PICC key changeable
- PICC key required for:
~ directory list access: no
~ create/delete applications: no
- Configuration changeable
- PICC key version: 0
Application ID 0xA00216 (ITSO public transport application)
* Default master key
* Key configuration:
- 2 (3)DES keys
- Master key changeable
- Master key required for:
~ directory list access: no
~ create/delete files: no
- Configuration changeable
- Master key required for changing a key
* 16 files present
- File ID 0x00: Backup data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 00 21 7D 00 40 80 00 01 FE C3 58 A9 00 00 00 00 |.!}.@.....X.....|
[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0020] 00 00 00 00 00 88 8A A2 62 42 8F 00 00 08 00 00 |........bB......|
[0030] 00 08 00 03 F8 2D 68 29 2A 9E 24 2C A3 3A BF 00 |.....-h)*.$,.:..|
- File ID 0x01: Backup data, 192 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 1C 01 00 F0 8A A2 62 00 00 00 10 00 FF 00 00 00 |......b.........|
[0010] 00 00 00 02 D1 00 00 1F FF F0 01 00 00 FF 02 72 |...............r|
[0020] BD 00 00 46 1C 2B 6D 39 E9 0E 19 4C 00 00 00 00 |...F.+m9...L....|
[0030] 1C 01 00 F0 8A 9E 7F 00 00 00 10 00 FF 00 00 00 |................|
[0040] 00 00 00 02 D1 00 00 1F FF F0 10 00 00 FF 02 71 |...............q|
[0050] 6F 00 00 5C 44 E0 F5 CF E5 28 41 4B 00 00 00 00 |o..\D....(AK....|
[0060] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0070] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0080] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0090] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[00A0] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[00B0] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- File ID 0x02: Backup data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- File ID 0x03: Backup data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- File ID 0x04: Backup data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- File ID 0x05: Backup data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- File ID 0x06: Backup data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- File ID 0x07: Backup data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 23 09 00 00 88 B4 2F 03 F8 29 C8 00 00 00 00 00 |#...../..)......|
[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0020] 00 FA 00 31 A7 00 35 00 F7 87 A1 DB 89 65 EF AC |...1..5......e..|
[0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- File ID 0x08: Standard data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- File ID 0x09: Standard data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- File ID 0x0A: Standard data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- File ID 0x0B: Standard data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- File ID 0x0C: Standard data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- File ID 0x0D: Standard data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 21 11 00 00 7F FE 40 02 62 6A CF 80 00 8A 8F 40 |!.....@.bj.....@|
[0010] 00 FF 00 00 00 00 04 1A 10 00 14 84 00 63 35 97 |.............c5.|
[0020] 00 03 F8 2D 69 00 00 07 32 E0 A5 26 84 E7 BE 4F |...-i...2..&...O|
[0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- File ID 0x0E: Standard data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 18 01 FF 00 7F 00 00 00 00 00 00 00 00 00 00 00 |................|
[0010] 00 00 00 00 00 00 00 00 00 FA 00 31 A7 00 35 01 |...........1..5.|
[0020] 34 8F B7 B5 63 93 CE 08 00 00 00 00 00 00 00 00 |4...c...........|
[0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- File ID 0x0F: Standard data, 32 bytes
~ Communication: plain
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 18 11 63 35 97 01 27 02 02 56 04 07 04 01 00 00 |..c5..'..V......|
[0010] 40 10 08 07 00 00 54 FD 00 00 00 00 00 00 00 00 |@.....T.........|
Application ID 0xF40110
* Default master key
* Key configuration:
- 3 (3)DES keys
- Master key changeable
- Master key required for:
~ directory list access: no
~ create/delete files: yes
- Configuration changeable
- Master key required for changing a key
* No files present
Application ID 0xF40111
* Default master key
* Key configuration:
- 3 (3)DES keys
- Master key changeable
- Master key required for:
~ directory list access: no
~ create/delete files: yes
- Configuration changeable
- Master key required for changing a key
* No files present
Application ID 0xF40112
* Default master key
* Key configuration:
- 3 (3)DES keys
- Master key changeable
- Master key required for:
~ directory list access: no
~ create/delete files: yes
- Configuration changeable
- Master key required for changing a key
* No files present
Application ID 0xF40113
* Default master key
* Key configuration:
- 3 (3)DES keys
- Master key changeable
- Master key required for:
~ directory list access: no
~ create/delete files: yes
- Configuration changeable
- Master key required for changing a key
* No files present
Application ID 0xF40114
* Default master key
* Key configuration:
- 3 (3)DES keys
- Master key changeable
- Master key required for:
~ directory list access: no
~ create/delete files: yes
- Configuration changeable
- Master key required for changing a key
* No files present
--------------------------------------
Thx
Sent from my C6833 using Tapatalk
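TagInfo derives the "Detailed protocol information" block above (frame size, bit rates, SFGT/FWT, CID/NAD, historical bytes) from the six ATS bytes 0x067577810280 that the card returns to RATS. The parser below is an added example, not code from any post or from TagInfo; it follows the ISO/IEC 14443-4 ATS layout and assumes the 13.56 MHz carrier for the timing values, which should reproduce the 64 bytes, 604.1 us and 77.33 ms shown in the scan.

```python
"""Decode an ISO/IEC 14443-4 ATS (Answer To Select) into the fields TagInfo reports.

Added example, not code from any post in the thread.  Timings assume the
13.56 MHz carrier: FWT = (256 * 16 / fc) * 2^FWI, SFGT = (256 * 16 / fc) * 2^SFGI.
"""
from dataclasses import dataclass
from typing import List, Optional

FC_HZ = 13_560_000
# FSCI -> FSC (largest frame the card accepts, bytes); codes above 8 are clamped to 256 here
FSCI_TO_FSC = [16, 24, 32, 40, 48, 64, 96, 128, 256]


@dataclass
class Ats:
    fsc: int                      # max frame size accepted by the card
    receive_rates: List[int]      # PCD -> PICC rates (DR), kbit/s
    send_rates: List[int]         # PICC -> PCD rates (DS), kbit/s
    asymmetric_rates_ok: bool     # card allows different rates per direction
    fwi: Optional[int] = None     # frame waiting time integer
    sfgi: Optional[int] = None    # start-up frame guard time integer
    cid_supported: Optional[bool] = None
    nad_supported: Optional[bool] = None
    historical: bytes = b""

    @property
    def fwt_ms(self) -> Optional[float]:
        return None if self.fwi is None else 256 * 16 / FC_HZ * 2 ** self.fwi * 1e3

    @property
    def sfgt_us(self) -> Optional[float]:
        return None if self.sfgi is None else 256 * 16 / FC_HZ * 2 ** self.sfgi * 1e6


def _rates(bits: int) -> List[int]:
    """Expand the three DR/DS bits; 106 kbit/s is always supported."""
    return [106] + [rate for i, rate in enumerate((212, 424, 848)) if bits & (1 << i)]


def parse_ats(raw: bytes) -> Ats:
    """Parse TL, T0 and the interface bytes TA(1)/TB(1)/TC(1) that T0 announces."""
    if not raw or raw[0] != len(raw):
        raise ValueError("TL byte does not match the ATS length")
    ats = Ats(fsc=32, receive_rates=[106], send_rates=[106], asymmetric_rates_ok=False)
    if len(raw) == 1:
        return ats                                 # T0 absent: defaults apply
    t0 = raw[1]
    if t0 & 0x80:
        raise ValueError("T0 bit 8 is reserved and must be 0")
    if len(raw) < 2 + bin(t0 & 0x70).count("1"):
        raise ValueError("ATS shorter than the interface bytes T0 announces")
    ats.fsc = FSCI_TO_FSC[min(t0 & 0x0F, 8)]
    pos = 2
    if t0 & 0x10:                                  # TA(1): bit rate capability
        ta, pos = raw[pos], pos + 1
        ats.receive_rates = _rates(ta & 0x07)      # DR in bits 1-3
        ats.send_rates = _rates((ta >> 4) & 0x07)  # DS in bits 5-7
        ats.asymmetric_rates_ok = not ta & 0x80    # bit 8 set = same rate both ways only
    if t0 & 0x20:                                  # TB(1): FWI high nibble, SFGI low nibble
        tb, pos = raw[pos], pos + 1
        ats.fwi, ats.sfgi = tb >> 4, tb & 0x0F
    if t0 & 0x40:                                  # TC(1): bit 2 = CID, bit 1 = NAD
        tc, pos = raw[pos], pos + 1
        ats.cid_supported, ats.nad_supported = bool(tc & 0x02), bool(tc & 0x01)
    ats.historical = raw[pos:]
    return ats


def parse_taginfo_ats(text: str) -> Ats:
    """Accept the 'ATS: 0x...' line as TagInfo prints it."""
    hexstr = text.split(":", 1)[-1].strip()
    return parse_ats(bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr))


if __name__ == "__main__":
    a = parse_taginfo_ats("ATS: 0x067577810280")   # the DESFire EV1 from the scan above
    print(f"FSC {a.fsc} B, DR {a.receive_rates}, DS {a.send_rates}, "
          f"SFGT {a.sfgt_us:.1f} us, FWT {a.fwt_ms:.2f} ms, "
          f"CID {a.cid_supported}, NAD {a.nad_supported}, hist {a.historical.hex()}")
```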
This would be considered fraud which is not accepted here on XDA. You're on your own, mate, both in finding the solution to this and in the cell after you get caught.
Cheers!
That's seriously illegal, my friend.
Sent from my SAMSUNG-SGH-I337 using XDA Premium 4 mobile app
That's seriously illegal, my friend.
+1 to this.
Thank u
Sent from my SAMSUNG-SGH-I337 using XDA Premium 4 mobile app
How can i get these files from my bus card? i have a phone with NFC and it's rooted. which program actually, thx
Sent from my GT-I9500 using Tapatalk
It is illegal, you know? We can't help you, but let me give you some tips: you should find a timestamp on the ticket. Find it, find out how it's calculated, and you're on your way (as long as the part containing the timestamp isn't write-protected).
Once you find the problem, I highly suggest you report the problem to those concerned by the vulnerability, so that they can fix the problem, and maybe reward you somehow
I have already worked in this very field, it is a rather fascinating one!
Edit:
How can i get these files from my bus card? i have a phone with NFC and it's rooted. which program actually, thx
@ahmetozgur I just published an app on here called UltraManager. If your bus card is a Mifare Ultralight tag, you can use my app for the purpose. Otherwise, there are some good apps on Google Play, just look for "NFC tag reader"
How did you get such a detailed information about that card?
Diogo Recharte said:
How did you get such a detailed information about that card?
omg so many people asking such simple questions
HEY OP
What card is that??
im interested in people disposing of beautiful DESFire cards xD
i wonder if i can wipe it..
Diogo Recharte said:
How did you get such a detailed information about that card?
The application used to capture this card information was TagInfo by NXP. It is available from the Play Store here: https://play.google.com/store/apps/details?id=com.nxp.taginfolite&hl=en
Hello. I live in Madrid (Spain), and I have a transportation voucher. I would like to "hack" it, but I would like to know where I can start haha. I saw _darkjoker_ said: "you should find a timestamp on the ticket". How can I do it? I downloaded the program TagInfo by NXP, but I need an app where I can change the information on the chip. Is there an app? Because when you buy another month the store clerk swipes the card through an NFC machine...
If anyone knows anything about this, comment it
Thanks
Hello. Quick question about an ISO 14443-3A ID card. Does it support GPS? In other words, can it be tracked by GPS? May be a dumb question, but I am not familiar with how the technology works and I'm trying to figure out capabilities. Thanks in advance
GadgetMonger said:
Hello. Quick question about an ISO 14443-3A ID card. Does it support GPS? In other words, can it be tracked by GPS? May be a dumb question, but I am not familiar with how the technology works and I'm trying to figure out capabilities. Thanks in advance
NFC is near field communication; the way it works is there is an antenna/coil inside the tag/card that, when next to a tag reader, gets a charge from it, giving power to the IC on the card. so the card cannot be directly tracked by GPS. BUT, it is possible to have GPS-enabled tag readers which could track you every time you get close enough to one.
Hello,
Most bus pass technology uses DESFire cards with two logical addresses: one is public for all the world to see and the other is private; the private sector is encrypted and is updated every time you put money on it or use it. Also, as a dual layer defence, most implementations of this technology use a back-to-base system, which means every time you tap it the card is used to query a database to verify that there is money for the trip and to check if the card is currently being used for a trip.
In NSW, Australia, we have Opal cards; they work by storing the balance information and activity in public storage, so you can check it through an NFC enabled device, and then storing the card's sensitive information in private storage that only the readers at stations and in top-up locations can use. Every time we tap on, the balance on the card is checked with a database and updated locally when needed; then at the end of the trip the card's balance is updated from the central database to the card.
So I don't believe you can simply add more time (or money) to most bus pass cards.
MRCaratacus said:
Hello,
Most bus pass technology uses DESFire cards with two logical addresses: one is public for all the world to see and the other is private; the private sector is encrypted and is updated every time you put money on it or use it. Also, as a dual layer defence, most implementations of this technology use a back-to-base system, which means every time you tap it the card is used to query a database to verify that there is money for the trip and to check if the card is currently being used for a trip.
In NSW, Australia, we have Opal cards; they work by storing the balance information and activity in public storage, so you can check it through an NFC enabled device, and then storing the card's sensitive information in private storage that only the readers at stations and in top-up locations can use. Every time we tap on, the balance on the card is checked with a database and updated locally when needed; then at the end of the trip the card's balance is updated from the central database to the card.
So I don't believe you can simply add more time (or money) to most bus pass cards.
Did you ever work out a way to add money to the card? I'm in NSW too and i have a school Opal card so i don't have to pay anyway, but i'm interested.
Unfortunately no; unless you hack into the database and locate your card's identifier, then add money from the central DB, there is no way you can "hack" more money onto the card, and even if you could, the moment you tapped on it would always take the database's values as correct and either adjust your card's balance or detect the fraud and lock the card down.
Might have a solution but...
buckofive said:
The application used to capture this card information was TagInfo by NXP. It is available from the Play Store here: https://play.google.com/store/apps/details?id=com.nxp.taginfolite&hl=en
It's illegal and we cannot help you in doing what you want.
In theory, if you use an app like MIFARE Classic Tool, which has a tool to compare dumps, you can see what changed, like time, money or whatever. But that must only be done with testing NFC cards and just for getting knowledge, not money.
hello
i have an NFC card which i use in the university restaurant to pay for lunch; could i hack it and put more money on it?
pls help me
can't he overwrite the hex for the date, e.g. Production date: week 38, 2013 -> week 38, 2018?
abood.456 said:
hello
i have an NFC card which i use in the university restaurant to pay for lunch; could i hack it and put more money on it?
pls help me
that's fraud.
