Develop Bugs

How do the flashing techniques bypass bootloader security?

Since most of the retail HTC devices are bootloader locked, how do the flashing tools bypass this? In my experience if you go into bootloader flashing mode on a Himalaya or Blue Angel, if you try and use the mtty utility to flash a bin image using "l image.bin" you get an error of:
"Not allow operation" which means that the bootloader is locked to prevent flashing. Obviously the tools posted here don't hit this obstacle so I'm curious how that works. Also if you use the tools posted here to flash a different ROM, do any of these upgrades end up rewriting the bootloader as well to end up giving you an unlocked bootloader that would accept the load (l) commands to flash images?
I thought these devices required a special SDIO card only HTC has to unlock the bootloader.
Thanks for the info.

Bootloader
You can unlock some settings by using the PASSWORD BOOTLOADER command
worked for my HTC audiovox vx6600 Harrier (Verizon CDMA) but to load the .bin file with l It didn't seem to work I got not allowed, a way around that was to interrupt the process when doing a real upgrade and it should but u in a DBG> mode then u can do l file.bin (ones u connect using mtty) I've been wondering how do u send a .bin file using mtty, I didn't see any options besides downloading from it, but not uploading to it... can u help me with that step? where do I put the .bin file? or will it open a "file open" window when I type that command?

Thats interesting! What does the PASSWORD BOOTLOADER do and where do you enter that command?
Can you detail more about what upgrade you interupted and how you interrupted it? Where do you see the debug mode? I would have tjought that interrupting the ROM flash would not affect the ability to access the load (l) command.
OK, to use a bin file you need to do this. Simply put the bin file in the same PC directory as the mtty utility (ie mtty16.exe) and then once you bring up the app in USB flashing mode you press Enter to get the prompt and then just type: l flash.bin
Basically whatever the local file name is type that name. If you want to place the image somewhere else then it would be something like:
l c:\flash.bin
Just keep the filename short to make it foolproof to type.
Let me know if you get get this to work. I'm curious if once this is done and you again boot up into USB flash mode and use mtty and then use the load command, do you now get it to work or do you again see the Not allow operation error.
What I am hoping is if doing a process of getting a new image on a Blue Angel (Harrier in your case) gets the bootloader in a state where it could be backed up and then restored onto a different device allowing its bootloader to be flash unlocked.
Have you seen any tools posted here to back up and restore the
BlueAngel bootloader?
This is fun stuff!

Hey, thanks, awesome, have u tried the command "d2s" (disk to storage) and "s2d" (storage to disk) ? those commands where not enabled until i typed PASSWORD BOOTLOADER and it gave me a success notice... I'll post the info i have for them.
usage_cmd_d2s
Usage:
d2s [StartAddr [Len [Type [Append[SkipStartAddr SkipLen]]]]]
Backup memory to storage.
StartAddr : Start address for backup(0xA0040000).
Len : Length of memory will be backup. And if not given value, it will be
Total ROM size on board - ((StartAddress & 0x0FFFFFFF) - (ROM base address(0) & 0x0FFFFFFF)).
Type : Which storage(cf/sd) type will be selected(cf).
Append : Backup methods(a/).
SkipStartAddr : Start address of skip area(0x0).
SkipLen : Skip length(0x0).
Skip area must be less than or equal to one block size of flash.
Skip area must not over two blocks, must inside one block.
Nand flash: Skip area size need be page boundary.
Nor flash: Skip area size need be DWORD boundary.
usage_cmd_s2d
Usage:
s2d
Restore memory from storage.
I currently have the 1.02 bootloader so it might be different for u.. also
h = help
and supposively ones u unblocked the bootloader u can do h full which should give u even more options, but that didn't work, which is weird, I think they took the h command out, eventhough they left all the info in the loader, cause u can always do a hexdump on any bootloader and u can figure the commands and their usage..
also here's how to unlock it.. this worked after I typed the password as well.. the only thing that didn't work was l i think (or atleast that i've tried)
usage_cmd_task
Usage:
task [Type [Value [Value1]]]
Type,Value and Value1 are both DWORD(hex).
Value and Value1 are ignore in some case.
Type(hex) 0: Do hardware clear boot.
Type(hex) 7: Do flash ROM lock/unlock and [value]: 1(lock) and 0(unlock).
Oh here's a little howto:
example how to flash the extended rom and radio Simultaneously
first copy the first 3 M of the radio to sd:
d2s 60000000 00300000
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SDetected one card
SD:ready for transfer OK
Total card size=1D30000ze=0
****************
Store image to SD/MMC card successful.
and now append the extended rom to the sd card:
d2s 70080000 01000000 sd a
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SDetected one card
SD:ready for transfer OK
Total card size=1D30000ze=0
DOCInfoTableinitHW+
Binary0:dwSize=80000
BINFS0:dwSize=0
FAT0:dwSize=1000000
FAT1:dwSize=EA0000
All:dwSize=1F20000
****************************************************************
Store image to SD/MMC card successful.
then when you insert the sdcard, and then boot into bootloader mode, the following happens: on the display, you see a message 'sections=2', and 'press power to flash'. after pressing the power button, you see the following output on the serial port:
Flash ROM mapping total size = 2000000
Flash ID = 89,8802
Trumbull INTEL StrataFlash 128 Mbit MEMORY (K3/k18) found
dwROMTotalSize = 2000000
wTotalChip = 2
HTC Integrated Re-Flash Utility for bootloader Version:1.29 HIMALAYAS PVT version:1.02
MainBoardID = 4
Built at: Sep 24 2003 18:17:06
Copyright (c) 1998-2002 High Tech Computer Corporation
Turbo Mode Frequency = 398 MHz
Run Mode Frequency = 199 MHz
Memory Frequency = 100 MHz
SDRAM Frequency = 100 MHz
Main=0x90035EE4
LCD Power ON!
ATI Chip Id=0x56441002
DOCInfoTableinitHW+
Binary0:dwSize=80000
BINFS0:dwSize=0
FAT0:dwSize=1000000
FAT1:dwSize=EA0000
All:dwSize=1F20000
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SDetected one card
SD:ready for transfer OK
Total card size=1D30000ze=0
Radio flash Updating...
************
SD/MMC download to ROM is successful!
DOCInfoTableinitHW+
Binary0:dwSize=80000
BINFS0:dwSize=0
FAT0:dwSize=1000000
FAT1:dwSize=EA0000
All:dwSize=1F20000
DOC flash Updating...
****************************************************************
SD/MMC download to ROM is successful!
now both the radio and extended rom are upgraded!

That great info. You posted the syntax for the Task command but didn't say how you used it.
after the USB> prompt what did you type?
I'm assuming you use mtty and then do:
USB> PASSWORD BOOTLOADER
and then perhaps:
USB> task xx
but I dont know what values you used
and then:
USB> ds2 step #1
USB> ds2 step#2
so once you did that what ROM did you decide to load? I assume you went for some sort of CDMA flavor? What did you end up gaining from the upgrade since you were probbaly already on Windows Mobile 2003 SE
Thanks!

looks like PASSWORD BOOTLOADER does not work. I got:
USB>PASSWORD BOOTLOADER
Invalid command : PASSWORD
For a help screen, use command ? or h
is that how it works?
How did you do the method from your original post where you somehow interrupted a flash and then were able to use the l command?
Thanks.

No it should have said something similar to this:
USB>l
Not allow operation!
USB>help
Invalid command : help
For a help screen, use command ? or h
USB>password boot
HTCSInvalid password.R¿ËPHTCEUSB>
USB>password bootloader
HTCSInvalid password.R¿ËPHTCEUSB>
USB>password BOOTLOADER
HTCSPass.<YHTCEUSB>BOOTLOADER
I did a couple typos so u can see what I get when it doesn't like the password.
I havn't decided on what to load I was trying to load the latest bootloader which is for the himalaya, and I did what u said l c:\wall515.bin and it said something like :F=c:\wall515.bin and then preparing to send, and nothing happened after that, the terminal locked i did a couple ctrl + (a key) to try and get out it seems that i got out with ctrl + a (perhaps abort) ?
I did realize though that I was in the CDMA DBG> section, not just the DBG> like before this might be because I interrupted a radio upgrade, and not a regular WCE upgrade / etc so I'm going to try and do it again, this is my main phone so I have to keep it working so I immediately just undid everything.
and as for the syntax for d2s:
d2s hex_start_location amount_to_copy
so for example say my RADIO starts at address 60000000 and I want to copy 5MB then the proper command would be
ds2 60000000 00500000
you should get something like
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SDetected one card
SD:ready for transfer OK
Total card size=1D50000ze=0
****************
Store image to SD/MMC card successful.
but u will have to be identified in order for any of the commands to work, what version do u have (what phone, model, etc.. ) GSM or CDMA? etc
I also have a program that can be used to dump the ROM from the command prompt.. u might of heard of it already, dumprom.exe and memdump.exe and a new one called mtrw which seems promesing but it doesn't seem to allow u to enter a password I think it's programmed to do that automagically, i'm going to try and get the source code, and fix it so it does.. also get a closer look on what it's actually doing
p.s the syntax of the others are basically the same
for task u would do something like
task 7 0
Type(hex) 7: Do flash ROM lock/unlock and [value]: 1(lock) and 0(unlock).
also check out this site:
http://wiki.xda-developers.com/wiki/HimalayaBootloader
alrighty heading to bed
tty tommorow

That password technique worked but didn't really have an effect. I was already able to do the d2s command.
I sure would like to get the (l) command working and get past the Not allow operation! error.
Did you say you had been trying a Himalaya bootloader on your Harrier?
I have never seen that DBG> mode you were referring to. how do you get into that mode?
Thanks for the great info.

I did it just by chance, right as you start loading ur shipped rom using the himauptdate or what ever program u use.. it will first erase the rom/ram what I did, (risking my BA, but luckely it's still dummy proof at that point) was unplug the phone, from the cradle right as it hit the 100% (erased completed) then I plugged it right back in, and I got the BDG> instead of the usual USB> I decided to see what would be different and l was available, I didn't know how to use it at the time (now I know thanks to you). if u have a copy of the dumped bootloader u can use a hexeditor I use xvi32, which can be found in the xda-dev's FTP. if u look around, u can see some readable data, I've looked at it throughly and thus thats how I figured the password.. here's the part that shows the different modes, so u can see there is BDG> mode
Addr 0 1 2 3 4 5 6 7 8 9 A B C D E F 0 2 4 6 8 A C E
-------- ---- ---- ---- ---- ---- ---- ---- ---- ----------------
00002a00 4873 0390 0000 0000 0000 0000 0000 0000 Hs..............
00002a10 0000 0000 0100 0000 6c77 0000 7072 6f75 ........lw..prou
00002a20 7465 7200 6368 6563 6b73 756d 0000 0000 ter.checksum....
00002a30 7764 6174 6100 0000 6572 6173 6500 0000 wdata...erase...
00002a40 7262 6d63 0000 0000 7461 736b 0000 0000 rbmc....task....
00002a50 7365 7400 7368 6d73 6700 0000 6432 7300 set.shmsg...d2s.
00002a60 6c6e 6200 6c00 0000 7061 7373 776f 7264 lnb.l...password
00002a70 0000 0000 696e 666f 0000 0000 7374 7269 ....info....stri
00002a80 6e67 0000 6d77 0000 6d68 0000 6d62 0000 ng..mw..mh..mb..
00002a90 0a0a 2a2a 2a20 5365 7269 616c 2070 6f72 ..*** Serial por
00002aa0 7420 7761 7320 7265 2d69 6e69 7469 616c t was re-initial
00002ab0 697a 6564 2064 7565 2074 6f20 756e 6578 ized due to unex
00002ac0 7065 6374 6564 2070 726f 626c 656d 202a pected problem *
00002ad0 2a2a 0a0a 0000 0000 4442 473e 0000 0000 **......DBG>....
00002ae0 5553 423e 0000 0000 5345 523e 0000 0000 USB>....SER>....
00002af0 3f00 0000 0d00 0000 0820 0800 546f 6f20 ?........ ..Too
Addr 0 1 2 3 4 5 6 7 8 9 A B C D E F 0 2 4 6 8 A C E
-------- ---- ---- ---- ---- ---- ---- ---- ---- ----------------
00002b00 6d61 6e79 2061 7267 756d 656e 7473 0a00 many arguments..
00002b10 466f 7220 6120 6865 6c70 2073 6372 6565 For a help scree
00002b20 6e2c 2075 7365 2063 6f6d 6d61 6e64 203f n, use command ?
00002b30 206f 7220 680a 0000 4d61 7820 4379 6c69 or h...Max Cyli
00002b40 6e64 6572 203a 2025 752c 204d 6178 2048 nder : %u, Max H
00002b50 6561 6420 3a20 2575 2c20 4d61 7820 5365 ead : %u, Max Se
00002b60 6374 6f72 203a 2025 752c 2054 6f74 616c ctor : %u, Total
00002b70 2073 7061 6365 203a 2025 7520 4b42 0a0d space : %u KB..
00002b80 0000 0000 4669 7277 6172 6520 7265 7669 ....Firware revi
00002b90 7369 6f6e 203a 2025 730a 0000 4d6f 6465 sion : %s...Mode
00002ba0 6c20 6e75 6d62 6572 203a 2025 730a 0000 l number : %s...
00002bb0 2573 0a00 4346 5265 6164 5365 6374 6f72 %s..CFReadSector
00002bc0 572d 3a20 7743 796c 696e 6465 723d 2578 W-: wCylinder=%x
00002bd0 2c63 6248 6561 643d 2578 2c63 6253 6563 ,cbHead=%x,cbSec
00002be0 746f 723d 2578 2c62 5374 6174 7573 3d25 tor=%x,bStatus=%
00002bf0 780d 0a00 4346 5772 6974 6553 6563 746f x...CFWriteSecto
I'm about to try and see if I can get in the DBG> mode, hopefully it wasn't just a lucky shot and it's easy to duplicate again..
anyways i'll keep u posted

grabbing that bootloader
I saw you said that you dumped the bootloader. I have not seen a tool that does that for a BlueAngel & Harrier. Ideally if somebody came up with an unlocked bootloader then that tool could maybe be used to dujmp that unlocked bootload and then push it to another device.
It sounds like your interrupt technique might be safest to try with an upgrade that only is doing the ROM and nothing else. if there is one thing I've seen hose HTC devices up badly is a messed up radio flash.
Have you been interrupting an upgrade using BaUpgradeUt.exe or doing a boot and restoring from SD card?

Re: grabbing that bootloader
obelix said:
I saw you said that you dumped the bootloader. I have not seen a tool that does that for a BlueAngel & Harrier.
Click to expand...
Click to collapse
what? Any tool that dumps ROM can dump a bootloader. Or even more. You can extract bootloader from any ROM update.

I dont doubt it but without knowing how large and the location of a Blue Angel bootloader I wouldn't know where to begin. I wouldn't necessarily want a bootloader from a ROM update as it would be more useful to extract a bootloader from a bootloader unlocked device and then use that to unlock another. HTC has most of its retail Blue Angel & Hima devices bootloader locked so that if you prefer to go through the mtty utility and do a "l blueangel.bin" technique to flash the OS thats going to fail. So that leaves converting a .bin to a .nbf file or replacing the locked bootloader with one thats unlocked.
Are there places in the wiki that detail the positions of the bootloader within Blue Angel memory?

zxvf, did you say you were using the himaupdate program to do the flash? I thought that BaUpgradeUt.exe needed to be used. BaUpgradeUt.exe does not give any messages that say that say it is erasing ROM. Also since the BaUpgradeUt.exe depends on an ActiveSync connection, how can you start the upgrade and then disconnect at the right moment and then plug in the cable and get to mtty? I only know about getting to the command line interface via the mtty app.
Curious to hear more!

Seems that the guy above is having a leaked version of Magneto for BlueAngel and he is not willing to share it.
There is no .bin file out there from HTC. Only Microsoft released the Magneto update as a .bin file.
So before helping him he should clarify why he want all the info from here and is not sharing his Magneto image.
John

nope no Magneto stuff. I am strictly trying to work out the the innards of the mtty program and how to get past the locked bootloader. I could have been doing this on my Wallaby and Himalaya as well but am playing with the BA for now. From what I hear you'll never see Magneto on a Blue Angel, its already end of life. If it ever shows up it will simply be some mobile operator's experiment. I dont trust those folks to release any upgrades, they only want to sell new devices.

Bootloader dumping and flashing
I seriously advise you not to try that...
I tried that on 2 different Blue Angels an they go trashed.
Back to scrap.
Although you can get the exact blocks to extract and the exact memory intervals they are allocated in you have no way to determine if thay are the same on the "destination" BA, Therefore, you take an enormous risk on doing this.
I tried to do thatbecause on Portugal Operators sim-locked BA the lock information is actually on the bootloader.
Till now... No luck.
I even considered payinf the £20 IMEI-CHECK ask for but i think that it is not as thrilling as trying to do it by yourself, with your own work and burnt lashes. Apart from that, £20 are allways £20 :wink:
By the way, any development on the BA sim-unlocking ?
Cheers

sorry for not responding any sooner but I hadn't been able to get online, anyways, there are MANY tools as mamiach (pardon if I typed it incorrectly) that you can use to extract the bootloader, and I'm actually quiet confused on what program I've used I though they were just different versions, and a little bit different, never actually knew one was for upgrades and the other one was for full installs.. what I think I did was while it was trying to right to the bootloader I must have interrupted it and it might have immediately put it self in full acess / dbg mode (this is just IMHO) in order to save it self.. because I do recall it even said it on the screen I've tried and tried, and i'm kinda close to giving up thus, It's been twice that I almost didn't have a phone :/ if you need any programs u are sure to find them on the xda-dev FTP, and/or my website http://www.hexcode.net/xda-dev its a mirror or XDA-DEV that the Admin's been using to restore the site.. I'm currently in the process of installing Windows Mobile 2005, but not having much luck, I'm going to keep on trying, oh yea, when I unpluged it, I right away plugged it into the cradle again, and made activesync disabled, and start mtty and thats how I got the DBG> mode. other then that I'm not sure what to say, there are also programs that suppose to help u with installing new bootloaders like pnewbootloader.exe but they seem to be for the XDA2 so I'm not sure if they work, also if this might be of any help another password I've found that they are using is AYaLaMiH (himalaya spelled backwords) hope that helps.. ciao

HOW TO ENTER CDMA DBG> mode (BOOTLOADER Full admin mode)
EUREKA I'VE GOT IT...
I should be making a wiki page instead of posting here but these are the steps that are needed to enter CDMA DBG> mode which allows the use of extended commands like l, rbmc, s2d, d2s etc.. full access it seems..
here's the commands I used.
hope they work, I was wrong about the password being BOOTLOADER infact thats a password that most sellers have to do a few fixes, but not give them full control to screw up our devices..
I don't really know much about the commands except the info that they return, so just bear with me and follow along if u really wanan get to this, as of getting to the CDMA DBG> isn't dangerous u are not writing anything (YET) in order to get there, just modifying some switches etc.
ok so first the password: 40r0~0y~~5~0000
so type
USB>password |40r0~0y~~5~0000
u should get "HTCSPass1.CMˆËHTCEUSB>"
[DONT PRESS ENTER/RETURN JUST CONTINUE TO TYPE]
HTCSPass1.CMˆËHTCEUSB>set 1 0
This makes it so the Operation mode currently is set to "User" (maybe allows user interaction, not sure)
type set 5 7777 (not really sure if this is needed, all it does is set the background color value to 7777)
not the last command rtask a
here's what mine looks like
USB>shmsg 5 0 " Upgrade "
USB>shmsg 7 0 " Radio Stack "
USB>shmsg 9 0 "Please Wait..."
USB>rtask a
Radio image flash by external bootloader.
ÿ
HTC Integrated Re-Flash Utility for Harrier
This version is used for developig CDMA system
Copyright (c) 2003 High Tech Computer Corporatio
CDMA DBG>h
now if I type
l (DONT DO THIS UNLESS UR READY LOOK AT THE SYNTAX FIRST) I was stupid enough to just try it I got this
CDMA DBG>l
start cdma download
instead of the "not allowed or what ever that error was.."
now I hope this doesn't do something bad to my device, but I can't seem to get out.. *GULP*
Anyways thats all the info I have, hope it helps in any way Cheers.

P.S you can look at the syntax of 'l' if u search in the wiki pages.. information brought to us by itsme here is a direct link to his page. I'll also paste the 'l''s section here..
http://www.xs4all.nl/~itsme/projects/xda/bl-ii-usage.html
syntax for 'l':
usage_cmd_l = sub_9004C74C(1)
sub_9004C74C
Usage:
l [path_name [startAddr offset ["cp"]]]
Download BIN file across from serial/USB port.
Startaddr offset(MSB bit is a sign bit): Start address offset of every packet in bin file.
When 'cp' is given, it will just compare data of file with ROM image.
When path_name is not given, the file to be downloaded is determined
by ppfs on the host.
Otherwise, path_name on the host is downloaded regardless the ppfs setting.
The file must be in the format of BIN (preprocessed SRE).
The code is auto-launched once downloaded.
Auto-launched is disabled after downloading.

Nice job zxvf! Thats some good digging. I didn't follow this section before getting to the Debug mode:
USB>shmsg 5 0 " Upgrade "
USB>shmsg 7 0 " Radio Stack "
USB>shmsg 9 0 "Please Wait..."
USB>rtask a
Radio image flash by external bootloader.
What is shmsg and rtask doing? Do the shmsg commands actually do some upgrades and if so from what image? I have never seen them and wonder what those steps do.

Help me out!!!!!!

I have Htc Universal o2 exe
It was good whe i was using Windows mobile5
Before few days back i have installed new rom to it that is luca16thebig [Diamond Edition] to it but dont know that its only for G3 users mine is G4 after that it was stuck in splash screen then i went in bootloader mode nd try to reset radio by this method
STEP 1
- First disable ActiveSync (File>>> Connection Settings>>> Allow USB Connections. Untick this box)
- Put your Universal into Bootloader mode (Hold down the Power button & Backlight button while performing a soft reset).
- Connect your Universal to your PC via the USB cable.
- Open mtty (I won't bother adding it as an attachment here, it's already been posted on the first page of this thread)
- Close all unessential software including antivirus and others, to ensure you have the maximum amount of RAM available to avoid problems.
- In the "Port" drop down menu select USB (If USB is not available you haven't connected properly. I couldn't get a connection at all when using Windows 7 X64, just stick with XP when flashing your device, there's much less hassle):
STEP 2
- After opening mtty type the following command. Type it directly into the window, do not copy and paste.
Code:
task 28 55aa
Then press ENTER.
If the following text appears then you've done it right:
Code:
Wait ..
DOCInfoTableinitHW +
Binary0 Size: 0x100000
FAT0 Size: 0x4000000
FAT1 Size: 0xA00000
FAT2 Size: 0x2C70000
All Size: 0x7770000
FAT0_ADDR=0x100000,FAT1_ADDR=0x4100000,FAT2_ADDR=0x4B00000
USB>
If this is not the text you get, then start again from the beginning.
STEP 3
Providing that you've completed STEP 2 successfully, continue by typing the following commands into mtty one by one, making sure to hit enter after each one.
Code:
set 14 0
set 14 1
set 14 2
set 14 3
set 14 4
set 14 5
set 14 6
set 14 7
set 14 8
set 14 9
set 14 10
STEP 4
After you have enter all of the commands outlined in STEP 3, continue by entering the final command in mtty.
Code:
task 0
or
Code:
task 7
(I wasn't sure which one to choose, or even if a choice was implied, so I first entered task 7, then hard reset my Uni, put it into bootloader mode again, and repeated steps 1-4, this time entering task 0)
Your Uni's screen should have gone completely blank after that last command. If it has then:
- Close mtty.
- Unplug you Uni from the USB.
- Put it in bootloader mode again.
- Plug the USB cable back in.
STEP 5
Start mtty again and connect to your Uni via USB (as described in STEP 1).
Enter the command:
Code:
shmsg 11
It should report the following information:
Code:
USB> shmsg 11
String format is invalid!
Syntax error!
(The Syntax error! line didn't appear when I performed this procedure)
If you do not get this result, start again from the beginning.
STEP 6
Enter the following command:
Code:
rtask 0
mtty should report the following:
Code:
USB> rtask 0
Radio reset.
USB>
If this was the result you received then unplug your Uni from the USB cable, perform a hard reset (not in the original instructions, but that's what I did), then enter Bootloader mode again.
STEP 7
- Find and download a WM5.0 ROM, remove ms_.nbf and Radio_.nbf, so you're just left with nk.nbf (I used the KDSkamal_Ultimate_Ed ROM, which can be found through Google), and flash it to your device.
- Your Uni may get suck in Bootloader mode after flashing the WM5 ROM. Simply use the ExitBootloader tool.
- At this stage you're Universal should be functioning with a half decent WM5 ROM. Now you can proceed to flash another ROM of your choice in the usual manner. I would heartily suggest Tomal's WM6.5 ROM that can be found here on Xda-Developers, you won't be disappointed! :-D
but also i am unable to install new rom to plz help me out i am using windows 7 os ....
thanks in advance nd sorry for my bad english plz help me out....

And when i am using mitty utility for that i am getting this info for that
task 28 55aa
Wait..
DOCInfoTableinitHW+
Binary0 Size: 0x100000
FAT0 Size: 0x4000000
FAT1 Size: 0xA00000
FAT2 Size: 0x2900000
All Size: 0x7400000
FAT0_ADDR=0x100000,FAT1_ADDR=0x4100000,FAT2_ADDR=0x4B00000
USB>

Dude, i would PM luca and ask him....
As his Diamond ROM although looks good, seems to have lots of problems

What we have tried and where to go from here

Ok, so we haven't had quite as much luck yet as we would have liked, but I think as we continue to try out different approaches we will have some luck. I think it might be beneficial for us to have a an overview of what has been tried and what has been attempted thus far. So here is a list of things people have tried (please feel free to add anything that I may have left out or accidentally overlooked).
Registry Edit to access Zune storage
I believe this was the first approach that people took to gaining access to the KIN, and this link provides a great walkthrough.​
Bitpim
This is a pretty good overview of what has been attempted through Bitpim. Recently some have even tried using some other software, namely CDMA Workshop, (Look at the last post of the page.) I would suggest that we also try a couple more:
RevSkills
UniCDMA​
Nvidia Tegra Flash
I forgot this when I first posted.​
OpenZDK
This was another potential since much of the hardware, namely the processor is the same on both the kin and zune.​
Looking for clues in the log files
To put it simply in the hidden menu there is an option to have system log s emailed to you. I tried reading through some and noticed some of the events and files that the KIN uses, but have not had any luck yet.​
FTP
This link is the same as the link for the Log Files above.​
Export/Import in hidden Menu
Once again, the linked used here is the same one for Log Files and FTP.​
Please add anything that I may have left out, either different approaches or links to helpful information. I haven't had a chance to tinker with RevSkills too much yet, but it looks real promising.

Ah, we mods like these threads. Keep it up. Stickied.

The hidden import feature becomes active if you create a contact while using
qpst. It imports but I don't know where it put that info.
Interesting to note is that None of my phone entered contacts show up in qpst.
It is like that directory is mapped to some other place.
I was able to create directories and added txt files using qpst that remain even after power cycling the phone. I haven't found any of this using the phone yet.

I am getting the same results as you when I use the EFS manager and service programming. I can create files and make changes and they last after reboot.
I find it odd that when I export contacts from the hidden menu the file is visible in windows explorer if I have edited the registry as noted in the first post. I find this odd because everything else that is visible on the device using this method is related to the Zune, i.e. photos, music, and videos.

I have started looking back at some of the log files that I had the phone email me through the hidden menu and I have found some AT commands for the phone along with some other information. Here is a little bit of one file that I just started sorting through. The formatting isn't perfect because the log files have a lot of unreadable characters, but I have bolded files and commands. I also left everything in the case (upper and lower) as I found it in the file. The name of this file is:
MICROSOFT-PMX-DEBUGSTRINGPROVIDER-CHANNEL.02.clg
MPM_MainsSmThread
MPM_BB_STATE_NORMAL_ON_PRE_UPDATE
MPM_BB_USB_DRIVER_LOAD_UPDATE_EVENT, dwWaitTime: -1
MPM_Util:USB Client 1 has been Loaded
MPM_Util:USB Client 2 has been !UnLoaded!
CDMA Radio Updeate: Text stored version : v0.4.727
CDMA Radio Update:Registry Key version: v0.4.727
CDMA Radio Update: Current Modem version: v0.4.727
MPM_MainsSmThread
MPM_BB_STATE_NORMAL_ON_PRE_UPDATE
MPM_MainsSmThread
MPM_BB_UPDATE_REQ_EVENT - No modem update is needed
MPM_MainsSmThread
MPM_BB_STATE_NORMAL_ON_POST_UPDATE
MPM_END_RSTISR_REQ_EVENT, dwWaitTime: -1
MPM_MainsSmThread
MPM_BB_STATE_NORMAL_ON_POST_UPDATE
MPM_END_RSTISR_REQ_EVENT MODEM RESET ISR Init Completed.
MPM_MainsSmThread
MPM_BB_STATE_NORMAL_ON_POST_UPDATE
MPM_POWER_ON_REQ_EVENT, dwWaitTime: -1
RILNDIS: GetPacketInterface Initialize = c117d634
Shutdown = c117c4e4
RILDrv : i : Accumulated response (1) : <cr><lf>
IOPTMODE: 6 <cr><lf>
RILDrv : i : Sending cmd: ATV0E0X3 <cr>
RILDrv : t : LoadEriData : Opening file
\RoamingIndicator\eri.bin
RILDrv : i : Accumulated response (1) : ATV0E0X3 <cr> 0 <cr>
RILDrv : t : LoadEriData:
\RoamingIndicator\eri.bin not exist. Err 0x00000002
RILDrv : i : Sending cmd:
AT+cstt=0, 1, 75, 85, 95, 100 <cr>
RILDrv : t : LoadEriData: Opening file
\Windows\eri.bin
RILDrv : i : Accumulated response (1) : 0 <cr>
RILDrv : i : Sending cmd :
AT+CSTT=1,1,18,22,26,30 <cr>
PMIC Boot cookie: rb7262h
RILDrv : i : Accumulated response (1) : 0 <cr>
RILDrv : i : Sending cmd :
AT+CSQT=1<cr>
RILDrv : i : Accumulated response (1) : 0 <cr>
RILDrv:i: Sending cmd:
AT+GMI; +GMM; +GMR; +CKEYPAD?25<cr>
RILDrv:i: Accumulated response: +CKEYPAD:25
RILDrv:i: Accumulated response (2): equesting :
IUSBON, USBST, New PLMST, timestamp, 10, 2,2944 <cr><lf>
RILDrv:i:Accumulated response(1): +IQMIREADY <cr><lf>
+IUSBON<cr><lf>+IECHO: Requesting:IUSBON, USBST,
New PLMST, timestamp, 10, 2, 2944 <cr><lf>
RILDrv:i: ParseNotificationOEM: +IQMIREADY: SetEvent for QMI Init
RILDrv:i: Accumulated response(1): +IUSBON<cr><lf> +IECHO:
Requesting: IUSBON, USBST, New PLMST, timestamp, 10, 2, 2944<cr><lf>
RILDrv:i: Accumulated response(1): +IECHO:
Requesting: IUSBON, USBST, New PLMST, timestamp, 10, 2, 2944<cr><lf>
RilDrv:arseGetEquipmentInfo Modem Version: 727

I found out one more thing, if you use the s+l+power comination when the phone is powered off and connected to the computer another USB device is found. I just found this thanks to conflipper's early work We will have to come up with some sort of driver for this now.
Here is the name of the device and the hardware IDs
Microsoft Pink Bootstrap
USB\VID_045E&PID_2345&REV_0000
USB\VID_045E&PID_2345

I also just found this hardware id when having the computer turned off and plugged into the pc. When I hold down u+s+b+power Windows finds another device with the following name and hardware IDs (According to what I have found online this VID is Nvidia.) So this might be where we can use the tegra chipset stuff.
APX
USB\VID_0955&PID_7416&REV_0103
USB\VID_0955&PID_7416

Thought I would also add that my phone is currently unusable, but on the positive side, I wouldn't found those other two usb hardware IDs if this hadn't happened. Sidenote, I was using QPST Configuration program, and I right clicked on the my phone in the active phones tab. I then clicked on "Configure service to port mapping..." and added one property (unforturnately, I can no longer go back to the window because the program doesn't recognize my phone now). At this point, my phone rebooted and is now stuck trying to boot up.
I don't think it is completely bricked, but I fear that until we pull a rom it is probably useless because it is stuck in a constant cycle trying to reboot. The only way to stop this is to remove the battery. I have since tried using the various key combinations provided by conflipper and have found that the bootstrapper combination (s+l+power) would probably work if we had a rom. I then tried the hard reset combination (c+b+power) which initially looks like it might work but then it gets stuck in the cycle of rebooting.
I am going to continue working on it, hoping that somehow now that I might have some extra sort of access to hardware, but I am afraid my contributions may be limited until we are able to pull a rom.

Sorry to hear that. There has to be a way of getting it out of the loop.

RevSkills Hardware Log.
Diag Port Supported Command List.
7E - TRS FRM MSG supported.
5A - CHECK AKEY supported.
59 - EFS CMD supported.
58 - GET IS95B supported.
57 - SET MAX SUP CH supported.
56 - SUP WALSH CODES supported.
55 - FER INFO supported.
51 - GET FEATURES supported.
49 - READ PRL supported.
47 - UNKNOWN unknown response:
45 - GET CDMA RSSI unknown response:
44 - CHANGE SERIAL MODE unknown response:
43 - GET PARAMETER unknown response:
42 - UNKNOWN unknown response:
40 - SET PILOTS unknown response:
3F - GET STATE unknown response:
3E - UNKNOWN unknown response:
3D - CONF SLEEP unknown response:
3C - GET PACKET SEQNO unknown response:
22 - DISPLAY EMU supported.
04 - PEEK DWORD supported.
03 - PEEK WORD supported.
02 - PEEK BYTE supported.
01 - Show ESN supported.
00 - Version Info supported.
Click to expand...
Click to collapse
(the phone rebooted many times while doing this test, hence the unknown responses).
I tested more of the options provided by the free version of Revskills and it was kind of funny to see how the keyboard emulator worked, but only for numbers.
After all the reboots and so, i got some hex descriptions for errors in a new folder, called Err. Uploaded a new screenshot from that folder contents.
Easy CDMA just lets you browse the filesystem we already know.... not so much fun.
Little update.
You seem to be able to enter the recovery mode holding the U S B + power option but, as i tried right now, also using "Volume -" + power as stated for other tegra devices. Can't check if that loads ok on the computer, as i dont have the usb cable here right now.

OOPS I made a mistake. I am not seeing anything using windows 7 using u+S+B and power up. Should I disable zune, change registry for zune back to normal etc??

You shouldn't have to because the device has a different hardware id, so the drivers installed for the zune portion aren't applicable. Try turning your phone off, plugging in the usb cable and then using the key combinations. If the new hardware message box doesn't appear, you should still see an unkown device in device manager.
Also you have to hold the u+s+b+power for a few seconds before it will be recognized. When I have done this the screen stays blank on my phone and the only way I know it is working is through Windows.

Using Windows 7 OS. I had to uninstall the zune driver located in portable devices in the device manager then it found new APX device and i was able to point to the NVIDIA driver. Tried ruining the phone (Flashing android to it) as in another thread but it also got stuck on the flashing prompt. Restarted phone normally and the windows found another device and loaded the zune drivers back.
Incidently, holding the volume down and power on does the same as the U+S+B+Power and is easier on the fingers.
Thanks and keep up the great work.

I again may have spoken to soon. I cannot duplicate the above scenario anymore.
I also can no longer transfer pictures taken with my phone on to my pc. I can add pictures to the phone from pc and back but not the ones taken with the camera. Originally I could with zune software. The folders for uploaded pictures are different then the ones taken with the phone. I really think that I screwed something in the phone up by playing with qpst and others.

I'm not sure about what you did there, but in my testing & curiosity purposes trials, i wasnt able to alter the device (do a write to memory), so i doubt that qpst or the others did it for you.
Also, according to coinflipper notes, the kin has several layers, including the SBL that is the one operating with the os directly (the "Ms Pink bootstrap" device), not the recovery mode, which basically put us handling a modem....
I'm trying some things, but no results yet... gonna take some time....

I have changed the USB password and added contacts (somewhere) while writing to the device using qpst. I changed the password to 000001. Is this a different part of memory I am fooling with?
Thanks

I am not sure. I have no previous experience with any phone deving nor Qualcomm tools. Just pointed what coinflipper said.
I said "basically a modem", cause you got diag(nostics) mode within a com port, and some users (in other posts) showed logs with AT commands.
I'm working with some tools to connect to the device, but using the driver we all got (zune software). Not promising anything, just peeking around some tests.
@mcdietz
Here I pasted a public output of the linux command "lsusb -vv" (ultraverbose) where Kin (factory default settings) values are.
http://pastebin.com/rZscb9wz
Is useful for usb access to the kin. Use at will.

I have been testing usb connections to the kin devices (the ones we used in this forum) and i checked this:
Kin mode (normal Zune mode):
- Using MTP protocol:
-- You can browse files/folders/track related to Zune values using the lib-mtp tools in the system you like.
-- You can format the device (zune related folders) & delete zune files using the lib-mtp tools.
-- You can't download files from the device using the lib-mtp tools (kin doesn't allow you to)
-- You can't upload files to the device using the lib-mtp tools (kin doesn't allow you to)
- Using raw USB:
-- You can Write & Read values to the device (Kin VID 0x045e, PID 0x0641). Protocol allowed: MTP
Click to expand...
Click to collapse
Of course, Zune software does use this mode and is allowed to write to the filesystem. But that's because before doing so, it uses MTP protocol values to send and receive crypto values based on JANUS from Microsoft (Microsoft DRM for Mobile Devices) and after crypto relationships, the usb commands enable the "Connected" window at the Kin.
Capturing and replaying this values over usb does not work (ever) and does not work for the kin (had to try), so no go-go from here. Also, we cannot know if it would be able (dreaming after bypassing the DRM) to go outside the pictures/music/etc folders.
On the other hand, MTP tools reports that our little friend is able to reproduce the following files:
Firmware file
MediaCard
Abstract Playlist file
Abstract Album file
JPEG file
Microsoft Windows Media Video
MPEG-4 Part 14 Container Format (Audio+Video Emphasis)
Advanced Audio Coding (AAC)/MPEG-2 Part 7/MPEG-4 Part 3
MPEG-4 Part 14 Container Format (Audio Emphasis)
Microsoft Advanced Systems Format
Microsoft Windows Media Audio
ISO MPEG-1 Audio Layer 3
Click to expand...
Click to collapse
Where firmware is strange and good but the question is... how to upload the firmwares files (you can get zune firmwares from the net) to the zune software on the device (and run them)?.
It's more interesting when you notice that firmwares contain "Zboot.bin" which is "Tegra device bootloader" but, sadly, doesnt work with nvflash because of what I said below. Those updates are WinCE updates too...
APX mode (nvidia "flashing" mode), with or without Nvidia driver.
- Using nvflash
-- You can't start flashing due to writing to usb error
-- Following attemps block the nvflash and device access.
- Using raw USB:
-- You can't Write or Read values to the device (APX VID 0x0955, PID 0x7416). Protocol allowed: None
Click to expand...
Click to collapse
This matches the post where coinflipper told us that you cannot dump the rom image.
Microsoft Pink Bootstrap (No driver):
- Using raw USB:
-- You can Write & Read values to the device (Kin VID 0x045e, PID 0x2345). Protocol allowed: Unknown
-- Phone answers "01" to all the write requests i did (from "00" to "FF").
Click to expand...
Click to collapse

markspace. com/kin/
Here's some software that was developed for it, but I'm guessing it is only client end?
I'm not allowed to link, so assemble the spaces yourself please

The link for the download (direct) , being for Mac(only) is:
http://www.markspace.com/kin/download.php
But you must register to get an activation code from the main page (posted by shlhu). It will need internet access to activate the software during installation and reboot after it.
Requires Itunes (for audio sync), Iphoto (for image, also have started it once), and Quicktime (for video).
I tested it with a fresh installed Snow Leopard and i can say that it works. I dunno how it does (without zune installed), but it works.
Unfortunately, i wasnt able to analyze the usb transmission there, so i cant compare with the windows one. If it can skip the JANUS drm, then we may have a chance. If it is the same process as windows... we are done... lol.

[Q] MTP on Ubuntu with Galaxy Nexus?

Hi
Is anyone successfully using MTP on Ubuntu Linux 11.10 with the Galaxy Nexus? It totally sucks that Google has dumped USB Mass Storage support in Android 3.0+
Anyway… I connect beast to my PC. Next:
Code:
[FONT="Courier New"]10:33:01 [email protected]:~$ mtp-detect
libmtp version: 1.1.0
Listing raw device(s)
Device 0 (VID=04e8 and PID=6860) is a Samsung GT-P7510/Galaxy Tab 10.1.
Found 1 device(s):
Samsung: GT-P7510/Galaxy Tab 10.1 (04e8:6860) @ bus 1, dev 23
Attempting to connect device(s)
PTP_ERROR_IO: failed to open session, trying again after resetting USB interface
LIBMTP libusb: Attempt to reset device
LIBMTP PANIC: failed to open session on second attempt
Unable to open raw device 0
OK.
10:35:05 [email protected]:~$
11:58:08 [email protected]:~$ sudo mtp-detect
libmtp version: 1.1.0
Listing raw device(s)
Device 0 (VID=04e8 and PID=6860) is a Samsung GT-P7510/Galaxy Tab 10.1.
Found 1 device(s):
Samsung: GT-P7510/Galaxy Tab 10.1 (04e8:6860) @ bus 1, dev 27
Attempting to connect device(s)
PTP_ERROR_IO: failed to open session, trying again after resetting USB interface
LIBMTP libusb: Attempt to reset device
LIBMTP PANIC: failed to open session on second attempt
Unable to open raw device 0
OK.
12:00:11 [email protected]:~$ [/FONT]
Well… Not so good.
Well, what to do? I've read about having to setup udev rules, but that's a solution for a problem yet to come, isn't it?
Thanks,
Alexander

Yeah, I am using it. I am a big time Linux noob but even I have got it to work using these instructions:
http://www.reddit.com/r/Android/comments/ne6ud/mount_your_new_galaxy_nexus_from_the_unity/
You need to be in root on your Ubuntu machine when you do this.
Let us know how you get on.

No go
samizad,
thanks, but that doesn't work for me. Basically, that package simply calls "mtpfs", which makes use of libmtp. And libmtp doesn't work for me.
Here's what I did:
Code:
13:39:39 [email protected]:~/Downloads/++Unsortiert++/g/mount_gnex$ mtpfs -d ~/Desktop/GNex/
FUSE library version: 2.8.4
nullpath_ok: 0
unique: 1, opcode: INIT (26), nodeid: 0, insize: 56
INIT: 7.16
flags=0x0000007b
max_readahead=0x00020000
Device 0 (VID=04e8 and PID=6860) is a Samsung GT-P7510/Galaxy Tab 10.1.
And that's it… (Same result when I try "sudo mtpfs …", ie. when I run the command with root privs.)
In another term window, I tried listing the ~/Desktop/GNex/ directory, and it simply hangs (ie. it doesn't return to the prompt):
Code:
13:40:01 [email protected]:/data/Downloads/++Unsortiert++/g/mount_gnex$ ls -la ~/Desktop/GNex/

Like I said, I am a noob so I can't help further. Just one thing though - in the screen dump you give above, it refers to Samsung GT-P7510/Galaxy Tab 10.1. What's that about?

samizad said:
Like I said, I am a noob so I can't help further. Just one thing though - in the screen dump you give above, it refers to Samsung GT-P7510/Galaxy Tab 10.1. What's that about?
Click to expand...
Click to collapse
I also noticed that it says "Samsung GT-P7510/Galaxy Tab 10.1". No idea why it does that… I guess that there's some sort of database in the background, which "translates" something like (VID=04e8 and PID=6860) to readable names.
EDIT: To clarify: I only have 1 MTP device connected. I don't have a GTab.

I'm not currently at home so I really can not give you my system settings (ubuntu 11.10). Anyway, the mtp connection sucks big time and has lots of intreruptions. I'm using "samba filesharing" (free 9n market) on the gnx and I'm mapping the storage on my linux machine. I'm doing the same withbmy galaxy tab.

ADB mount?
ro_explorer said:
I'm not currently at home so I really can not give you my system settings (ubuntu 11.10). Anyway, the mtp connection sucks big time and has lots of intreruptions. I'm using "samba filesharing" (free 9n market) on the gnx and I'm mapping the storage on my linux machine. I'm doing the same withbmy galaxy tab.
Click to expand...
Click to collapse
Network based solutions (like samba, ftp, ssh or whatever servers) don't work for me, because where I'm at most of the time (ie. at work…), there we cannot access the mobile phones over WLAN from our PCs. Mobile devices and workstations are in different networks (which is good).
BTW: In the rare chance, that this MTP sh*t would work - would I even be able to access any random file which is stored on the "sdcard" (ie. underneath /mnt/sdcard)? If not - is it somehow possible to mount the device using ADB? With "adb push" and "adb pull" (and any other adb subcommand), there's full access to the (almost?) complete filesystem.

There is an alternative way of transferring files. You can use a flash drive and the usb host capabilities of the Galaxy Nexus. I'll give you my settings as soon as get home, this mean tomorrow afternoon.

ro_explorer said:
There is an alternative way of transferring files. You can use a flash drive and the usb host capabilities of the Galaxy Nexus. I'll give you my settings as soon as get home, this mean tomorrow afternoon.
Click to expand...
Click to collapse
Is that maybe using the "[root] StickMount" app?

Nvidia Shield TV PRO 2015 brick to update 8.0 -> 8.0.1

Hello
I have a shield tv 2015 with nvidia experience 8.1 (android 9) - last October 2, I upgraded to 8.0.1, installed and when it was to restart, turned off and did not turn on.
Turns on the 2 sec green light and turns it off and the disc works (it seems to be in standby).
I opened a ticket (on nvidia) but it is being useless because the procedures that give me do not work.
I found that underneath is a snap-in cover. so i turned off the hard drive it always turns on the green light but i can't get into fastboot / recovery mode.
At the moment when I connect the usb cable to the pc I have an APX device. does anyone know anything about APX?
Thanks help me please i´m a nood

Your only bet is to get help from nvidia costumer support since it's not a pro version.
Apx mode = your device is bricked.

Mine is the 500GB version I suppose is the PRO version.
I've been reading here in the forum ... in the PRO version the
All software is on the hard drive. So I was trying to create the hard drive with a 500GB disk but to no avail.

parfuar said:
Mine is the 500GB version I suppose is the PRO version.
I've been reading here in the forum ... in the PRO version the
All software is on the hard drive. So I was trying to create the hard drive with a 500GB disk but to no avail.
Click to expand...
Click to collapse
You can try what has been done in this thread https://forum.xda-developers.com/shield-tv/general/bricked-shield-tv-pro-2015-version-t3841024
Or something like this https://forum.xda-developers.com/shield-tv/general/guide-migrate-to-ssd-hdd-size-satv-pro-t3440195

Hi,
One question.
My original hard drive
Info:
[email protected]:/home/ubuntu# hdparm -i /dev/sda
Model=ST500LM000-1EJ162, FwRev=SM16, SerialNo=W763XDYH
Config={ HardSect NotMFM HdSw>15uSec Fixed DTR>10Mbs RotSpdTol>.5% }
RawCHS=16383/16/63, TrkSize=0, SectSize=0, ECCbytes=4
BuffType=unknown, BuffSize=unknown, MaxMultSect=16, MultSect=off
CurCHS=16383/16/63, CurSects=16514064, LBA=yes, LBAsects=976773168
IORDY=on/off, tPIO={min:120,w/IORDY:120}, tDMA={min:120,rec:120}
PIO modes: pio0 pio1 pio2 pio3 pio4
DMA modes: mdma0 mdma1 mdma2
UDMA modes: udma0 udma1 udma2 udma3 udma4 udma5 *udma6
AdvancedPM=yes: unknown setting WriteCache=enabled
Drive conforms to: Reserved: ATA/ATAPI-4,5,6,7
* signifies the current active mode
-------------------------------------------------------------------------------------------------------------------------------------
fdisk -l
Disk /dev/sda: 465.8 GiB, 500107862016 bytes, 976773168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disklabel type: dos
Disk identifier: 0xb22c3a15
my new hard drive
info:
[email protected]:/home/ubuntu# hdparm -i /dev/sda
Model=HGST HTS545050A7E380, FwRev=GG2OACD0, SerialNo=TE85113R0Y5TPK
Config={ HardSect NotMFM HdSw>15uSec Fixed DTR>10Mbs }
RawCHS=16383/16/63, TrkSize=0, SectSize=0, ECCbytes=4
BuffType=DualPortCache, BuffSize=8192kB, MaxMultSect=16, MultSect=16
CurCHS=16383/16/63, CurSects=16514064, LBA=yes, LBAsects=976773168
IORDY=on/off, tPIO={min:120,w/IORDY:120}, tDMA={min:120,rec:120}
PIO modes: pio0 pio1 pio2 pio3 pio4
DMA modes: mdma0 mdma1 mdma2
UDMA modes: udma0 udma1 udma2 udma3 udma4 udma5 *udma6
AdvancedPM=yes: mode=0x01 (1) WriteCache=enabled
Drive conforms to: unknown: ATA/ATAPI-2,3,4,5,6,7
* signifies the current active mode
----------------------------------------------------------------------------------------------------------------------
--->> fdisk -l
Disk /dev/sda: 465,8 GiB, 500107862016 bytes, 976773168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disklabel type: dos
Disk identifier: 0x4ca778fd
Hard drives are the same, I should with the tutorial, be able to get the shield to work without major problems.
what is wrong?
commands used:
dd if=start.bin of=/dev/sdX bs=4M
dd if=end_976574630.bin of=/dev/sdX seek=976574630
with these files:
https://forum.xda-developers.com/sho...2&postcount=23

My shield(2015 pro) was also bricked by the update reboot loop at nvidia logo and factory reset did not help and fastboot couldn't flash anything, so used this opportunity however to put a ssd in.
Used beginning disk image from here:
https://forum.xda-developers.com/showpost.php?p=67426622&postcount=23
Just booted it up and its gotten past nvidia logo atleast so far

First time it bricked was updating to 8.0, after recovery it was able to get the updates up to 8.0, when i did the 8.0.1 update i also got the same error as those above where turns on then off and does not even wake the display.

HellToupee_nz said:
My shield(2015 pro) was also bricked by the update reboot loop at nvidia logo and factory reset did not help and fastboot couldn't flash anything, so used this opportunity however to put a ssd in.
Used beginning disk image from here:
https://forum.xda-developers.com/showpost.php?p=67426622&postcount=23
Just booted it up and its gotten past nvidia logo atleast so far
Click to expand...
Click to collapse
It worked?
what version of android is it?
on mine it didn't work. only worked with the first part (firstpart.bin which is like this) and with the 5kb file that speak at the end of this thread.

parfuar said:
It worked?
what version of android is it?
on mine it didn't work. only worked with the first part (firstpart.bin which is like this) and with the 5kb file that speak at the end of this thread.
Click to expand...
Click to collapse
In my case, I have the fastboot. but this is difficult because we don't have active developer mode.

Yes, i had done a factory reset also, u can get stuck at the spinning android logo forever without that i find. For the end part of the disk i used my own from my disks image, i've just done it all again and updated back to 7.2.3 stopped there and copied my widevine key off my orginal image so got L1 support and going to make backup of its current state.

parfuar You don't use "sdX" you change the "X" to the letter your drive is from fdisk -l , looks like you need to use "sda", after after you write the two bin files reboot directly into bootloader and select boot recovery kernel which will bring up t wrp recovery and you need to perform a factory reset wipe then reboot and Android should boot up and you will have Nvidia experience 3.3 and you have to do a couple updates to get up to 8.0 just make sure you turn off automatic updates cuz mine automatically updated to 8.0.1 and crashed my hard drive a second time. I used my original hard drive

also posting here that my 2015 500gb gets bricked with 8.0.1. hdd swapped out for crucial mx500. i think the guy here said it happened on his stock 500 sshd?

OK... This is how I got it to work.
Using "DD for Windows"... since I don't have a Linux PC (tested working perfectly on Windows 10 x64)
Download link:
http://www.chrysocome.net/downloads/dd-0.6beta3.zip
Unzip the "dd.exe" file and copy it to:
%USERPROFILE%\AppData\Local\Microsoft\WindowsApps
This gives you the ability to use DD system wide.
Use the beginning disk image from here:
https://forum.xda-developers.com/showpost.php?p=67426622&postcount=23
Connect your drive. I highly suggest using a Desktop PC because it is much faster than a USB to Sata cable.
If you don't have any open Sata slots, just disconnect your CD-rom drive temporarily and use the connectors.
Now:
1) Put the "start.bin" file in the root directory of drive C (example C:\start.bin)
2) Open a command prompt as Administrator and change directory to C: (command: cd C:\ )
3) Type command dd --list to determine the correct disk you want to write to.
4) Use command dd if=start.bin of=\\?\Device\HarddiskX\Partition0 --progress
whereas X is the drive number you determined earlier with the dd --list command
(replace the X with the drive number you want to write to)
5) Watch the write progress and stop the process at about 6GB (around byte 6,500,000,000)
(you can actually see the write counter running)
There is no need to write the "end file". Shut down the PC once finished and remove the drive.
6) Install the drive back into your Shield Pro and start. The green NVIDIA logo should show up soon.
Wait for about 10 minutes and if nothing happens unplug the Shield and do a restart.
Now wait patiently.... it will eventually boot past the green logo and the Android colors.
Now let your Shield self-update to whatever version you desire. It starts with version 3.0
That's it! You just successfully de-bricked your Shield Pro
Enjoy!