Featuring the Master of WM6 ROMs, Mr. Schaps himself, I decided to publish this little recipe on how to patch the Schaps 3.5x ROMs to make them suitable for BB Connect.
WARNINGS:
You do, what you do at your own risk!
I will not maintain or babysit this thread. It works for me, it may not for others!
I will not upload any patched ROMS or maintain these, because I have no time.
I provide this recipe to others who, like me, need BBconnect for work on a WM6 ROM, and since Schaps ROMs seem to be becoming a standard, here it is:
This is a recipe for users who had BBconnect running before and have some experience. If you have never run BBconnect on a WM device before, this is probably not the place for you to start! Get it to work on a true Blackberry, then move to a WM5 device with a proven config; after that you might try this one.
BBconnect checks the OS version and the Device ID. In addition you need to have a Blackberry subscription, and your Provider must support BBc and your SIM card must be BB enabled. It works with a wide range of Radio Stacks. The radio stack is also NOT relevant for the BB OS check algorithm.
This patch is ONLY to 'correct' the OS version checking; it will not help for other incompatibilities!
My patch works for the HERMES 100.
I tested on Schaps 3.57a and 3.54b
I used BBconnect 4.0.0.67
To do the patch, you need:
Schaps ROM
an Archiver like WinRar or Powerarchive (tm)
A HexEditor
A Registry Editor
a cab file BBconnect 4.0.0.67
Active Synch BB connect Desktop SW 4.0.0.17
You don't need a Rom Kitchen environment; it's just adding a little bit of cracked Pepper to the perfect dishes the cook has cooked in the kitchen.
How to:
Open Schaps ROM with the Archiver (do not double click); Schaps ROM is a self-extracting and self-running archive.
You will find 2 files in it:
Ruu_Signed.nbh
Ruuwrapper.exe
Extract Ruu_signed.nbh (leave the archiver open)
run HexEdit
Open Ruu_Signed in the HexEditor
Search the following Hex String:
30 40 2D E9 59 3E A0 E3 0D 30 83 E3 45 2F A0 E3 05 10 A0 E3 02
You should find it EXACTLY 2 times in the .nbh file. If you don't find it, or only once or more than 2 times, you can abort the process here, because something is wrong! On the other hand, if you find it also exactly 2 times in the 3.6 beta ROM, you can almost be sure that it will work as well there, but I have not tested it.
If you found it 2 times, search again from the top.
At the first occurrence change the bytes marked in [brackets]:
30 40 2D E9 59 3E A0 E3 0D 30 83 E3 [45] [2F] A0 E3 05 10 A0 E3 [02]
as follows:
45 change to C3
2F change to 30
02 change to 01
Search for the 2nd occurrence and change the same bytes to the same values as above.
Save (overwrite) Ruu_signed.nbh and quit HexEdit.
Now replace the Ruu_signed.nbh file in the archive with the modified Ruu_signed.nbh in your directory. It may be good to check the time stamps of the files to be really sure that you will have the modified file in the archive.
Save (overwrite) Schaps ROM.exe and leave the archiver.
You can now flash your device, by double clicking on the modified Schaps Rom.exe. Follow the instructions there. I have encountered an error message at the end of the flash process, but this has no effect, the device will boot properly.
After you have configured your Hermes, check the version on the Start|settings|system|about screen.
You should see: 5.1.195...
If you don't see that, or if you see 5.2...., you did something wrong in the patch process. In that case, flash again with a ROM of your choice and forget BBconnect.
Load the Registry editor onto your device and run it.
Modify the HKLM/system/Version key
from .0.3.2 to .2.3.0 (don't forget the leading .)
Go again to the Start|settings|system|about screen.
You should see now: CE OS 5.1.195(build 17944.2.3.0)
If you don't, abort the process and re-flash with a ROM of your choice.
If you see EXACTLY this, you have successfully patched the OS to run w/ BBconnect 4.0.0.67
Load the BBC.cab to your device and install.
You'll find 2 new icons
1) in Start|settings|system BlackBerry
2) Start|settings|personal BlackBerry-Security
Run Start|settings|system BlackBerry and follow the instructions (prepare for 1st use). When it asks you which info to synchronise from PIM, leave all boxes UNchecked. Let's just try to get mail working first; you can later change to synch your cal, contacts etc.
After reset, you'll find the BB symbol :x in the tray. After a few seconds it will change to : and start to try to connect via the radio. Something should move in the Start screen top line above the Radio Strength icon.
After a while you should see the BB icon as :: Click on the symbol and go to the Identity tab. You should see there a PIN (starting, amongst others, w/ 6...) and moreover a valid IP address. This address is given to you by the provider network. If you don't have a PIN or IP address, it won't work for you.
If you have a PIN and an IP address, there is hope, but no confirmation, yet.
Make sure you have MS ActiveSync 4.5 properly partnered. Under Options, UNcheck all synch items, like mail, calendar etc.
Disconnect the Device from the Desktop after synchronisation completed.
Install the BBconnect Desktop Software and connect the device, when told so.
Follow the procedure or configuration. Eventually you will see a pop up window saying "Sending provisioning data to Handheld". After that, "Handheld configured successfully". Give it time!
Disconnect the device and it should now connect over the air interface, as follows:
The device will lock and prompt you for a new passwd (the BB security passwd). After that you'll find the BB symbol :x in the tray. After a few seconds it will change to : and start to try to connect via the radio. Something should move in the Start screen top line above the Radio Strength icon.
After a while you should see the BB icon as :: Click on the symbol and go to the Identity tab. You should see there a PIN (starting, amongst others, w/ 6...) and moreover a valid IP address.
Go to the e-mail tab and you should see your e-mail address as provisioned by the Desktop Program.
The typical behavior, if your connection is REJECTED, is as follows:
Click on the BBc symbol in the tray; open the Status Tab.
Stop the service
start the service again.
you'll find the BB symbol :! in the tray. After a few seconds it will change to : and start to try to connect via the radio. Something should move in the Start screen top line above the Radio Strength icon. The status line says:
Network available
Datec Tunnel Available (a fraction of a second only)
and then, instead of going to 'connected' it goes to Not Connected AND THE IDENTITY TAB SHOWS NO IP ADDRESS
In that case, your connection is refused and you can forget about it.
If connected, you are done, read the BBc manual and configure your device as needed.
BBconnect is a complex program, which needs a lot of CPU power and server/network communication. BE PATIENT! If in doubt, wait a few seconds longer rather than confusing everything!
Good Luck
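An added example, not part of the recipe above: a small Python script that performs the search-and-count check the recipe insists on (the 21-byte string must occur exactly twice) and applies the three documented byte changes to a copy of Ruu_Signed.nbh, refusing to touch anything if the count is wrong. It also reports how many bytes changed and the SHA-256 before and after, so the modified file can be checked before it goes back into the archive. The file names, function names and the sample image are assumptions made for this example; the signature and replacement bytes are the ones listed in the recipe.

```python
"""Added example (not from the original post): locate the 21-byte signature in a
copy of Ruu_Signed.nbh, insist that it occurs exactly twice as the recipe
requires, and only then apply the three documented byte changes to a NEW file,
leaving the original untouched. Indexes 12, 13 and 20 inside the signature are
the bytes the post marks as 45 -> C3, 2F -> 30 and 02 -> 01."""
import hashlib
from pathlib import Path

SIGNATURE = bytes.fromhex("30402DE9593EA0E30D3083E3452FA0E30510A0E302")
# (index within the signature, expected old byte, new byte), as listed in the post
PATCH = ((12, 0x45, 0xC3), (13, 0x2F, 0x30), (20, 0x02, 0x01))
EXPECTED_HITS = 2


def find_all(data: bytes, needle: bytes) -> list[int]:
    """Return every offset at which `needle` occurs in `data` (non-overlapping)."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + len(needle))
    return hits


def patch_image(data: bytes) -> bytes:
    """Apply the patch to an in-memory image, or raise if the preconditions fail."""
    hits = find_all(data, SIGNATURE)
    if len(hits) != EXPECTED_HITS:
        raise ValueError(f"signature found {len(hits)} time(s), expected {EXPECTED_HITS}; aborting")
    out = bytearray(data)
    for base in hits:
        for index, old, new in PATCH:
            # Cannot fail once the signature matched, but keep the precondition explicit.
            if out[base + index] != old:
                raise ValueError(f"byte at 0x{base + index:X} is 0x{out[base + index]:02X}, expected 0x{old:02X}")
            out[base + index] = new
    return bytes(out)


def changed_offsets(before: bytes, after: bytes) -> list[int]:
    """Offsets where the two images differ; the patch must touch exactly 3 bytes per hit."""
    if len(before) != len(after):
        raise ValueError("image size changed")
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]


def patch_file(src: Path, dst: Path) -> dict:
    """Read src, write the patched copy to dst and return a small report for your notes."""
    before = src.read_bytes()
    after = patch_image(before)
    dst.write_bytes(after)
    return {
        "hits": find_all(before, SIGNATURE),
        "changed_bytes": len(changed_offsets(before, after)),
        "sha256_before": hashlib.sha256(before).hexdigest(),
        "sha256_after": hashlib.sha256(after).hexdigest(),
    }


def make_sample_image() -> bytes:
    """Constructed stand-in for an .nbh (NOT a real ROM): filler with two signature copies."""
    filler = bytes(range(256)) * 4  # 1024 bytes; never contains 30 40 adjacently
    return filler + SIGNATURE + filler + SIGNATURE + filler


if __name__ == "__main__":
    image = make_sample_image()
    patched = patch_image(image)
    print("hits:", [hex(h) for h in find_all(image, SIGNATURE)],
          "changed bytes:", len(changed_offsets(image, patched)))
    # Real use: patch_file(Path("Ruu_Signed.nbh"), Path("Ruu_Signed.patched.nbh"))
```

The script never writes back over the input; compare the reported SHA-256 of the patched file with the one of the file you put into the archive, which is a more reliable check than the time stamps the recipe suggests.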
Alternatively you could just try the new BBConnect release from HTC that was posted a couple of days back on this forum.
Would you please be so kind and direct me to the thread?
I was searching the forums up&down and couldn't find anything.
tonyb15re said:
alternatively you could just try the new BBConnect release from HTC that was posted a couple of days back on this forum
Yes, please use the new cab file and save yourself some work.
BBC 4.0.0.90
http://www.sendspace.com/file/38eex2
I know that many people are having this problem and I hope we can find a solution here together.
I've already tried many things to restore my IMEI, a little background:
- Lost my IMEI when I flashed stock rom to unroot the phone.
- Tried flashing different firmwares (LATAM, RETBR, I think they are the same).
- I don't have an EFS Backup.
When I dial *#06#* my IMEI is shown as "0", when I use "mfastboot getvar all" or "mfastboot getvar imei" I can still see my correct IMEI (as shown on the phone box).
On CQATest the only error that I can see is right on the IMEI tab:
Phone ICCID Compare with SIM ICCID: ERROR
Can anyone suggest something that might correct this problem? I don't think anything could make it worse and I'm willing to try everything...
EDIT: Obviously, I can't connect to my mobile network.
This is why I didn't even unlock mine so far. Seems many have had this issue.
I've seen some people saying that this can occur after flashing fsg and modem plus erasing modemst1 and modemst2.
If I had known that before, I could have flashed the stock ROM without touching these images; I don't think it would make any difference.
rfameli said:
I've seen some people saying that this can occur after flashing fsg and modem plus erasing modemst1 and modemst2.
If I had known that before, I could have flashed the stock ROM without touching these images; I don't think it would make any difference.
From my past moto experience always avoid flashing bootloaders & modems, system files can be flashed without any issues in most circumstances. The only change would be if there's a major update that requires bootloaders and modem images.
As a rule, wait before flashing firmware on a Moto phone. I've witnessed people hard bricking their devices flashing bootloaders; downgrading from an updated bootloader is playing with fire in my past experience.
Sent from my XT1635-02 using XDA-Developers Legacy app
flashallthetime said:
From my past moto experience always avoid flashing bootloaders & modems, system files can be flashed without any issues in most circumstances. The only change would be if there's a major update that requires bootloaders and modem images.
As a rule, wait before flashing firmware on a Moto phone. I've witnessed people hard bricking their devices flashing bootloaders; downgrading from an updated bootloader is playing with fire in my past experience.
Sent from my XT1635-02 using XDA-Developers Legacy app
I've flashed the entire ROM including the bootloader and modems more than a hundred times (no joke here) trying to fix my problem, only to realize I had lost my IMEI.
What makes me think that I can still recover my lost IMEI is that in fastboot, if I write "mfastboot getvar imei", it's still there with the same number that came on the box.
rfameli said:
I've flashed the entire ROM including the bootloader and modems more than a hundred times (no joke here) trying to fix my problem, only to realize I had lost my IMEI.
What makes me think that I can still recover my lost IMEI is that in fastboot, if I write "mfastboot getvar imei", it's still there with the same number that came on the box.
Obviously something went wrong; in my past experience, with flashing the full firmware package you are playing with fire.
Sent from my XT1635-02 using XDA-Developers Legacy app
Did you fix it?
IMEI 0
My phone is also stuck at IMEI 0. What to do? Is there any solution?
Solution for IMEI 0 caused by broken efs partition is easy: Restore your backup of efs partition.
For the case where it's not the efs partition that is damaged but the reading process does not get the efs contents right, do a backup of the current efs before any further action if there is any small chance the contents are not damaged.
If you don't have a backup of efs and it is still empty/broken after flashing a standard stock ROM, you can contact Lenovo for help. It may get expensive; they usually replace the mainboard. They should have the possibility to generate a new key for the efs partition, but my guess is that they are afraid that doing so may harm the security of that key. It probably is cheaper to replace the mainboard than buying a new device, but not by much. You may consider using the device with IMEI 0 as a media player/small tablet without mobile functionality, and buy a new one.
Are you aware of any change you did to the efs partition?
My IMEI is 0 but I can still connect to mobile data. Hmmm, I don't know what is happening here.
Same problem here!
Any solution?
I think without the EFS backup the only way to restore is to send it to authorized assistance to change the motherboard. Sorry for the bad news.
I have been doing some research lately and discovered some interesting things that may help you in one way or another. The IMEI value is written in the efs partition, and it can be located with the RV_NV_Manager tool (this one is part of the QPST suite from Qualcomm). Since this tool is known for having the IMEI-changing property, I can't post the link, but Google may be a good place to start looking for it.
Here are the steps you can do to recover your imei:
-Write down your imei.
-Start some computer with internet, using windows.
-Find, download and install QPST and Qualcomm HS-USB Drivers.
-Once installed, you must turn off your phone and restart it in the bootloader
-Select QCOM tab and select, then wait until it boots completely, then plug your phone at your computer, some drivers must be starting to install, let it finish (it isn't necessary to reboot after this).
-Open QPST Configuration and go to Ports > Add new port...
-Open Device Manager and look for Qualcomm COM ports connected, then in QPST Ports screen write the COMXX in both fields and close, you should see a connected unknown phone and some ? At some fields, that's just normal.
-Open RV_NV_Manager without closing QPST Configuration, some downloading bar should appear with a screen, just let it finish, and then head down to line number 5xx, it says some IMEI_NV or something like that, if you press 9 text fields in boxes should appear at right hand, select hex values at some checkbox there.
-Look at where you wrote the IMEI; now it's the tricky part:
Your IMEI looks like 874356324678338 (just an example), then you must split it into pairs in this way:
x8 | 74 | 35 | 63 | 24 | 67 | 83 | 38 (since the IMEI has 15 digits, the first one goes alone with an unknown value)
Then just switch numbers by pairs:
8x | 47 | 53 | 36 | 42 | 76 | 38 | 83
Then start filling the boxes in this way:
1st.- 8 (always)
Then put the numbers in pairs in order and replace the 'x' with an 'a':
2nd.- 8a
3rd.- 47
4th.- 53
And so on...
I hope this can help you; let me know if you recover your IMEI.
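As an added example (not the poster's code and not part of QPST): the pair-swapping described above is the nibble-swapped BCD layout of the IMEI item, and writing it down in code makes it easy to check your work before typing anything into the tool. The functions below encode a 15-digit IMEI into the nine hex fields, decode nine fields back into digits (so what the tool shows can be compared with the box), and validate the Luhn check digit so a mistyped IMEI is caught first. The value 490154203237518 in the test is a textbook sample IMEI, not a real device's; all function names are this example's own.

```python
"""Added example (not the poster's code, not a Qualcomm tool): encode a 15-digit
IMEI into the 9-byte nibble-swapped BCD layout described in the post (length
byte 0x08, the first digit paired with filler 'A', then swapped digit pairs),
decode it back, and check the Luhn check digit before anything is written."""

NV_IMEI_LEN = 9  # 1 length byte + 8 BCD bytes: the nine fields shown by the tool


def luhn_valid(imei: str) -> bool:
    """True if the 15th digit is the correct Luhn check digit for the first 14."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def encode_imei(imei: str) -> bytes:
    """15 decimal digits -> 9 bytes in the layout the post describes."""
    if len(imei) != 15 or not imei.isdigit():
        raise ValueError("IMEI must be exactly 15 decimal digits")
    padded = "A" + imei        # lone first digit paired with filler 'A': "A8 74 35 ..."
    out = bytearray([0x08])    # first field is always 8
    for i in range(0, 16, 2):
        # swap each pair: "A8" -> 0x8A, "74" -> 0x47, ...
        out.append(int(padded[i + 1] + padded[i], 16))
    return bytes(out)


def decode_imei(nv: bytes) -> str:
    """Inverse of encode_imei; rejects anything not in the expected layout."""
    if len(nv) != NV_IMEI_LEN or nv[0] != 0x08:
        raise ValueError("not a 9-byte IMEI item with length byte 0x08")
    if nv[1] & 0x0F != 0x0A:
        raise ValueError("first data byte should carry the 'A' filler in its low nibble")
    digits = f"{nv[1] >> 4:X}"
    for b in nv[2:]:
        digits += f"{b & 0x0F:X}{b >> 4:X}"   # low nibble holds the earlier digit
    if not digits.isdigit():
        raise ValueError("non-decimal nibble in IMEI item")
    return digits


def hex_fields(nv: bytes) -> list[str]:
    """The nine two-character hex values, in the order the boxes are filled."""
    return [f"{b:02X}" for b in nv]


if __name__ == "__main__":
    sample = "874356324678338"            # the post's made-up example
    print(sample, "luhn ok:", luhn_valid(sample), hex_fields(encode_imei(sample)))
    print(decode_imei(encode_imei("490154203237518")))
```

Note that the post's placeholder 874356324678338 fails the Luhn check, as a made-up number usually does; the value from the box should pass it, and if it does not, re-read the box before touching the phone.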
xaskasdf said:
I have been doing some research lately and discovered some interesting things that may help you in one way or another. The IMEI value is written in the efs partition, and it can be located with the RV_NV_Manager tool (this one is part of the QPST suite from Qualcomm). Since this tool is known for having the IMEI-changing property, I can't post the link, but Google may be a good place to start looking for it.
Here are the steps you can do to recover your imei:
-Write down your imei.
-Start some computer with internet, using windows.
-Find, download and install QPST and Qualcomm HS-USB Drivers.
-Once installed, you must turn off your phone and restart it in the bootloader
-Select QCOM tab and select, then wait until it boots completely, then plug your phone at your computer, some drivers must be starting to install, let it finish (it isn't necessary to reboot after this).
-Open QPST Configuration and go to Ports > Add new port...
-Open Device Manager and look for Qualcomm COM ports connected, then in QPST Ports screen write the COMXX in both fields and close, you should see a connected unknown phone and some ? At some fields, that's just normal.
-Open RV_NV_Manager without closing QPST Configuration, some downloading bar should appear with a screen, just let it finish, and then head down to line number 5xx, it says some IMEI_NV or something like that, if you press 9 text fields in boxes should appear at right hand, select hex values at some checkbox there.
-Look at where you wrote the IMEI; now it's the tricky part:
Your IMEI looks like 874356324678338 (just an example), then you must split it into pairs in this way:
x8 | 74 | 35 | 63 | 24 | 67 | 83 | 38 (since the IMEI has 15 digits, the first one goes alone with an unknown value)
Then just switch numbers by pairs:
8x | 47 | 53 | 36 | 42 | 76 | 38 | 83
Then start filling the boxes in this way:
1st.- 8 (always)
Then put the numbers in pairs in order and replace the 'x' with an 'a':
2nd.- 8a
3rd.- 47
4th.- 53
And so on...
I hope this can help you; let me know if you recover your IMEI.
I have only RF NV [Items only], and COM3 and COM5 are connected. I select port 5 and read all items but I can't find NV_IMEI; only under "read supported RF NV Items" at number 550 is a NV_UE_IMEI_I ... but is this the right one?
Have Moto Z
Yep, I know - stupidly I flashed the wrong image to the Shield TV pro (2015) and am stuck in apx mode.
I read somewhere I can flash a hard drive image and lose access to Netflix etc. due to keys. Can someone point me to the guide/image download so I can try and recover with this just now, before I throw the box in the bin and get a new one.
Thanks.
das_kern said:
If any of you got any problems with WV L1 DRM the solution is here :
https://forum.xda-developers.com/showpost.php?p=82385839&postcount=554
Unfortunately I do not have access to my widevine keys as my hard drive is completely toast. Do you know if the widevine keys are required, or just the DTB fastboot flashing?
Cheers,
B.D.
No you can't. APX mode = ysf. Send it back to Nvidia.
Ok, quick update.
I was able to recover by putting the drive in a USB caddy. In Windows 10 I used WinHex in admin mode and flashed the first GB of the drive with one of the backups that someone on here provided.
So that's me up and running now. Does anyone know the location on the drive on where the widevine keys are stored? I made a backup of the gig I overwrote before flashing, so I assume they are in that area.
Thanks.
Edit: OK I found them in broken image dump at address 0x2200000
I copied the hex from 0x2200000 (2178336 bytes) and then flashed that to the fixed drive at the same location, now Widevine is back to Level 1, so I guess that's me back up and running to the state before I bricked now.
Well done. Wish I had your tech knowledge.
Well done. Wish I had your tech knowledge.
It's not all that complex to do really. When I bricked, the files written were to do with the boot procedure, wiping out the first stage boot loader. As the Pro (500 GB) version boots from hard drive rather than a chip, it was a case of restoring the boot part, which resides at the start of the drive. As I was able to download a dump from the net (and the partition table is stored at the end of the drive, so no chance this would be wiped out), I could flash that boot loader and then get into adb/fastboot to restore an image downloaded from Nvidia.
Now as it happens, I didn't know where the widevine keys (for DRM) were stored, and I overwrote them when I flashed the backup (and someone else's keys), so Netflix and Amazon prime video didn't work - luckily I made a backup of the first gig of my drive before I started (probably to be even safer I should have just used a spare sata drive to flash to), so I assumed if my keys were lost that they would be in that image dump (which they were). Someone was kind enough to post this:
https://nv-tegra.nvidia.com/gitweb/...11dd2d9103a205c9ed66e695664;hb=rel-29-partner
Which I was able to figure out the exact location of where the EKS partition was (where the keys are stored), so I then extracted those from my dump and flashed them back to my drive. (winhex makes that easy to do).
I've now made a backup of the first part of my drive and the last part - so if ever in the future I mess up, I can restore (brick proof). Also I had a spare 120GB SSD, so I also made a spare drive with the newest shield firmware on so I can just swap drives out if the original drive breaks down.
Instructions are here on how to do that:
https://forum.xda-developers.com/shield-tv/development/nvidia-shield-tv-ssd-t3402580
https://forum.xda-developers.com/shield-tv/general/guide-migrate-to-ssd-hdd-size-satv-pro-t3440195
So really I'm not technical at all as I was just following guides (apart from the winhex stuff).
Outstanding work, well done. My understanding was APX mode was the proprietary Nvidia bootloader and this could not be messed with. Well done once again.
Very interesting! I'm glad I didn't trash my 2015 Shield TV those many months ago!
rockspin said:
Very interesting! I'm glad I didn't trash my 2015 Shield TV those many months ago!
If it's a pro (500GB internal drive), it's brick proof. Even APX mode - can't break it.
If you have a spare 500GB drive, you can use that to test: use the guides I put links to, then flash someone else's dumped image using those guides (using a SATA drive caddy). Then on your original drive, extract the Widevine keys and flash those to the new drive. Once you're up and running, you can clone your working drive back to your original drive (that way you'll always have a spare and be brickproof forever).
mrdude2478 said:
If it's a pro (500GB internal drive), it's brick proof. Even APX mode - can't break it.
If you have a spare 500GB drive, you can use that to test: use the guides I put links to, then flash someone else's dumped image using those guides (using a SATA drive caddy). Then on your original drive, extract the Widevine keys and flash those to the new drive. Once you're up and running, you can clone your working drive back to your original drive (that way you'll always have a spare and be brickproof forever).
I have the NON pro version, do you think this method will work?
rockspin said:
I have the NON pro version, do you think this method will work?
Not with the non pro - the bootloader/software is held on the nand/nor (16GB chip that holds the firmware - I can't remember off the top of my head what type of chip it is). You'd need to find the pinouts of that chip to reprogram it with a hardware programmer.
Another way would be like the way that the Nintendo Switch is hacked (purposely put into APX mode); then a modded APX driver loads software from USB (or via USB dongle/computer/chip), which would then allow you to reflash via the Fusée Gelée hack. I think if you go to the Switch hacking scene, and visit https://www.ktemkin.com/ - ktemkin was looking for a bricked Switch so he/she could write a driver for it for unbricking purposes - he/she has a Twitter feed and was asking on there. Maybe you could make contact and get help on unbricking via software, as that would be far easier than removing a chip and flashing it with a programmer.
The difference from booting via a hard drive is that - the software is stored on the drive - not on a chip - so it's easy to recover via a PC. If there's a way to add a hard drive to a 16GB model - that would probably work, but you'd need to compare motherboards to see the difference on how the chip version differs from the HD version - I would imagine both motherboards are similar - if you somehow managed to boot a HD on a 16GB chip model - you could most likely be able to access your flash memory that way to reprogram - but that might be out of your skill level, and the time it would take to do it - you'd most likely be cheaper just buying a new shield.
If I was you though - keep hold of the shield - you may get a modded apx driver at some point in the future and be able to reflash that way.
If you have the 2015 (16GB) version - it could be possible to boot from sata - but you'll need a 500GB drive and a working dump (already posted in this site), and some soldering skills - read this entire page for info on soldering info, adding capacitors - https://www.eevblog.com/forum/reviews/teardown-nvidia-shield-tv/
mrdude2478 said:
Ok, quick update.
I was able to recover by putting the drive in a USB caddy, In windows 10 I used winhex in admin mode and flashed the first GB of the drive with one of the backups that someone on here provided.
So that's me up and running now. Does anyone know the location on the drive on where the widevine keys are stored? I made a backup of the gig I overwrote before flashing, so I assume they are in that area.
Thanks.
Edit: OK I found them in broken image dump at address 0x2200000
I copied the hex from 0x2200000 (2178336 bytes) and then flashed that to the fixed drive at the same location, now Widevine is back to Level 1, so I guess that's me back up and running to the state before I bricked now.
First of all, thanks!! I have the exact same problem.
How did you copy the hex? I'm not sure how to do it...
mrdude2478 said:
Ok, quick update.
I was able to recover by putting the drive in a USB caddy, In windows 10 I used winhex in admin mode and flashed the first GB of the drive with one of the backups that someone on here provided.
So that's me up and running now. Does anyone know the location on the drive on where the widevine keys are stored? I made a backup of the gig I overwrote before flashing, so I assume they are in that area.
Thanks.
Edit: OK I found them in broken image dump at address 0x2200000
I copied the hex from 0x2200000 (2178336 bytes) and then flashed that to the fixed drive at the same location, now Widevine is back to Level 1, so I guess that's me back up and running to the state before I bricked now.
Thank you for your work. Can you back up the 1GB of data including EKS? My device's Widevine keys (for DRM) are Level 3, thanks!!
oldshanshi said:
Thank you for your work. Can you back up the 1GB of data including EKS? My device's Widevine keys (for DRM) are Level 3, thanks!!
That's not how it works, you have to back up YOUR keys that came on your device hard drive. That's the only way it will match the keys to the hardware on your shield TV.
mrdude2478 said:
...
OK I found them in broken image dump at address 0x2200000
I copied the hex from 0x2200000 (2178336 bytes) and then flashed that to the fixed drive at the same location, now Widevine is back to Level 1, so I guess that's me back up and running to the state before I bricked now.
Ok I'm having the same issue you did, bricking the pro with a bad flash.
I'm just editing the hex for my backup to retrieve the keys from my EKS partition. Can I ask you to confirm/clarify ..
1. The blocks you copied are at cursor offset 2200000 (I've got that far; I can read the hex stating that the EKS partition starts there).
2. You then copied 2178336 bytes of data from that cursor offset?
The reason I'm asking is that I can't see any bytes of data around that end cursor offset to start a new partition etc., so I want to make sure I get all the EKS data needed.
Thanks, the info you posted here has been really valuable in getting me to this point.
EDIT: Yeah, that all worked out in the end. The actual amount of data in that EKS partition is very minimal, it doesn't use all of those 2178336 bytes at all and I didn't even copy the hex for all of it as most of it was simply empty! Anyway, I've managed to restore my shield with Netflix etc all working so thank you again for sharing this information!
mrdude2478 said:
Ok, quick update.
I was able to recover by putting the drive in a USB caddy, In windows 10 I used winhex in admin mode and flashed the first GB of the drive with one of the backups that someone on here provided.
So that's me up and running now. Does anyone know the location on the drive on where the widevine keys are stored? I made a backup of the gig I overwrote before flashing, so I assume they are in that area.
Thanks.
Edit: OK I found them in broken image dump at address 0x2200000
I copied the hex from 0x2200000 (2178336 bytes) and then flashed that to the fixed drive at the same location, now Widevine is back to Level 1, so I guess that's me back up and running to the state before I bricked now.
kirillinfinite said:
First of all , thanks!! I have exact same problem
How did you copy the hex? I'm not sure how to do it . ..
Once you've got your backup file it will be in a .bin format; I'm presuming you've got that far. Once you've got that, you need to read the hex data with a hex editor; any should do it really. Then you want to go to address 0x2200000 (that's cursor offset 2200000 in hex mode). You'll see a header in the translation window which indicates it's EKS data. You need to copy that data until it stops and there are just zeros.
You then need to open the .bin file that you downloaded which you want to restore (this won't have your EKS partition data in it yet) and find the same data with the hex editor as you did before. You then want to overwrite it with the data from your backup. It needs to be copied to exactly the same location, so make sure of that.
Once you've done that you can flash the data using DD commands in Linux and follow the tutorials linked before.
@andy4shure, well done on fixing your Shield, here's some info for future reference:
Shield Pro SSHD Drive Size: 500107862016 bytes (0x7470C06000)
Shield Operating System (7.1):
Start Offset: 0x0
To Offset: 0xD2913BFF (Total Size: 3532733440 bytes)
Widevine Keys Location: (back these up before doing anything - or you'll lose access to widevine level 1)
(Search for Hex: 902100004E56454B5350)
Start Offset: 0x2200000
End Offset: 0x22021FF (Total Size: 8704 bytes)
Partition Table - (Stored at the end of the drive - required on a new drive so the drive can boot and access partitions - you'll need these for a new drive):
From Offset: 0x7470C04C00 (sector 976773158)
To Offset: 0x7470C05FFF (Total Size: 5120 bytes)
If you flash someone else's dump, or reflash the firmware - wipe the user data - or you might get stuck on the nvidia logo:
Erase Userdata:
fastboot erase userdata
fastboot erase cache
or
fastboot format userdata
fastboot format cache
After having restored my Shield TV with the shared image and my DRM keys, I have realised that there is another key which I needed to restore: the serial number of the device. Not everyone may be bothered about restoring this back to the original as it doesn't affect use of Netflix or any DRM restricted content, but there are definitely some use cases. If your device is still under warranty then Nvidia will ask for this (although my warranty is long expired). If you're selling the device and want it to match the packaging serial number then you will have to do this as well. In my case however, I actually had app licences tied to this serial, so I needed to restore the original key for that reason.
Now after looking into this serial number a little further it is a 20 character key and although my serial is all numeric I have seen evidence that it can also be alphanumeric.
Also, the key is split into 2 parts...
- The first 14 characters are declared within a partition on the drive and *I think* these are all numeric. As it is declared in a drive partition this means it is editable and can be restored back to the original.
- The last 6 characters seem to be derived from hardware and are not declared anywhere on the drive. This isn't a problem though as this means that they will remain the same no matter if you have the original first part or not!
After looking through the dump of the HDD the serial is actually mentioned in a number of places, however, most seem to be boot logs (mainly from twrp). The actual declaration of the key can be found at address 0x10502156 and the block size to replace is 14 bytes, literally just the first 14 characters of the serial.
Once that is replaced the Shield TV picks up on it straight away on next boot and I didn't need to wipe any cache or anything.
Hopefully this will help someone else that comes across this thread looking for help like I did! Thanks again to @mrdude2478 as I would probably still have a bricked shield if it weren't for him sharing info on how he restored his device.
Andy4Shurr said:
After looking through the dump of the HDD the serial is actually mentioned in a number of places; however, most seem to be boot logs (mainly from TWRP). The actual declaration of the key can be found at address 0x10502156 and the block size to replace is 14 bytes, literally just the first 14 characters of the serial.
Can you do a screenshot - I checked my dump (or what I restored from), and it doesn't look like a serial at that address: Mine are all at different addresses (but in plain text).
Thanks.
mrdude2478 said:
Can you do a screenshot - I checked my dump (or what I restored from), and it doesn't look like a serial at that address: Mine are all at different addresses (but in plain text).
Thanks.
That definitely doesn't look like mine did, I'll check my dump and take a screenshot ASAP. It could be a few days to a week though, we're doing some work to the spare bedroom where my PC is so I can't get to it at the moment.
I'll update this post when I've got it
@mrdude2478 the offset which @Andy4Shurr wrote is correct, but it's decimal. Correct hex offset: 0xa0400C
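A small helper, added here as an example and not from either poster, that resolves the decimal-vs-hex offset confusion above and only overwrites the 14-byte field if what is already there looks like a serial. Assumed: a raw byte-for-byte dump and a 14-byte ASCII field; the tiny dump and the offset 0x40 in it are constructed for demonstration, while 10502156 / 0xA0400C is the offset quoted in the posts.

```python
"""Restore the 14-character stored prefix of a Shield TV serial in an eMMC dump.

Constructed example: the demo dump, DEMO_OFFSET and the log line are made up;
only the offset pair 10502156 == 0xA0400C comes from the thread.
"""
import re

SERIAL_LEN = 20   # full serial as printed on the box
STORED_LEN = 14   # only the first 14 characters live on disk
FIELD_RE = re.compile(rb"^[0-9A-Za-z]{14}$")

THREAD_OFFSET_DECIMAL = "10502156"
THREAD_OFFSET_HEX = "0xa0400C"


def parse_offset(text: str) -> int:
    """Accept '10502156' (decimal) or '0xa0400C' (hex). Bare digits are decimal;
    a leading zero without 0x/0o/0b is rejected by int(..., 0), which is what we want."""
    return int(text.strip(), 0)


def read_serial_prefix(dump: bytes, offset: int) -> bytes:
    """Return the 14-byte field at offset, or raise if it does not look like a serial
    field (e.g. the offset landed in a boot log or in binary data)."""
    field = bytes(dump[offset:offset + STORED_LEN])
    if len(field) != STORED_LEN:
        raise ValueError(f"offset {offset:#x} is past the end of the dump")
    if not FIELD_RE.match(field):
        raise ValueError(f"bytes at {offset:#x} do not look like a serial field: {field!r}")
    return field


def restore_serial_prefix(dump: bytearray, offset: int, full_serial: str) -> bytes:
    """Overwrite the stored prefix with the first 14 characters of full_serial.
    Returns the previous field so the change can be logged or reverted."""
    if len(full_serial) != SERIAL_LEN or not full_serial.isalnum():
        raise ValueError("expected a 20-character alphanumeric serial")
    old = read_serial_prefix(bytes(dump), offset)  # sanity check before writing
    dump[offset:offset + STORED_LEN] = full_serial[:STORED_LEN].encode("ascii")
    return old


DEMO_OFFSET = 0x40       # constructed: where the demo dump keeps the field
DEMO_LOG_OFFSET = 0x80   # constructed: a boot-log mention, which must NOT be patched


def build_demo_dump() -> bytearray:
    """Constructed 256-byte stand-in for a real dump."""
    dump = bytearray(0x100)
    dump[DEMO_OFFSET:DEMO_OFFSET + STORED_LEN] = b"99999999999999"
    log = b"[twrp] serial=99999999999999AB56CD\n"
    dump[DEMO_LOG_OFFSET:DEMO_LOG_OFFSET + len(log)] = log
    return dump


if __name__ == "__main__":
    print(parse_offset(THREAD_OFFSET_DECIMAL) == parse_offset(THREAD_OFFSET_HEX))  # True
    d = build_demo_dump()
    print(restore_serial_prefix(d, DEMO_OFFSET, "12345678901234AB56CD"))
```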
I was posting some questions in the "Rooted Jeep Cherokee '14 Uconnect" thread but I've started this new thread for the 17.xx versions because the methods (if we are able to identify them) aren't the same as the 16.33.29 and earlier firmwares...
I am still trying to crack into that unit with the 17.11.07 software. I have a D-Link USB Ethernet but it's a HW revision D and I believe I would need a B if we can get ethernet enabled at all.
Also, if we can get Ethernet enabled we will still need to get SSH password or key.
devmihkel said:
For good or for bad NOT everything appears correct, except the running 17.x version... As of now neither the "commercial jailbreak" supports new versions (well yes they were using exactly the same file to start with). Also 16.51.x or newer appears to be no go: uconnect-8-4-8-4an-update
EDIT: haven't got 17.09.07 to try, but on 17.11.07 manifest.lua has changed and the last block/ search keyword is "ota_update" instead. Otherwise all the same, image valid after the edit and script.sh gets fired - at least on 16.33.29 that is @HanJ67 Did you actually try to mount installer.iso after the edit and checked /etc/manifest.lua for the end result before?
devmihkel said:
Yeah, 2nd attempt is much better as the last lua block is correctly terminated and your script might actually run, but unfortunately no successful 17.x runs have been reported so far. SWF scripts are not involved in the update/jail-breaking run; these ones become relevant only once you are in (and need to enable some app or wifi or navi features etc). Afaik 17.x blocks ethernet dongle usage as well, but let's see if even the USB driver/link gets activated at all?
Do you have a 16.33.29 version I can try this on? I'm wondering if it will get me far enough to execute the "manifest.lua HD_Update" hack you and @HanJ67 were discussing.
I've used the 17.43.01, then finally found a 17.11.07 and had no luck there either.
In my latest attempts on the 17.11.07, I was able to hex edit the "ifs-cmc.bin" on the UPD and replaced the SSH-RSA key with my own. I think this bin will be flashed to the MMC during an update.
That SWDL.UPD got past the initial check and rebooted into update mode, but then it fails the second ISO check and loops. I had to use an unmodified image to finish the update and get back up and running.
I keep reading about making changes only after the 2048 Byte mark in the older versions with the "S" at 0x80. Is this still relevant in later ISO/UPD images and to the second ISO check?
Right now, I'm looking to find a way to disable that check so that my modified .bin will be written to disk. I think this route would also work for modifying and getting WiFi enabled after a flash of the edited image.
If I had a 16.33.29 or similar older UPD version to attempt the HD_UPDATE hack in the Manifest.lua file I would give that a shot to be thorough.
Do You have an idea how to connect by USB2LAN adapter to uConnect ?
Do You know if there is an UART pins on the mainboard ?
itsJRod said:
I was posting some questions in the "Rooted Jeep Cherokee '14 Uconnect" thread but I've started this new thread for the 17.xx versions because the methods (if we are able to identify them) aren't the same as the 16.33.29 and earlier firmwares...
I am still trying to crack into that unit with the 17.11.07 software. I have a D-Link USB Ethernet but it's a HW revision D and I believe I would need a B if we can get ethernet enabled at all.
Also, if we can get Ethernet enabled we will still need to get SSH password or key.
Do you have a 16.33.29 version I can try this on? I'm wondering if it will get me far enough to execute the "manifest.lua HD_Update" hack you and @HanJ67 were discussing.
I've used the 17.43.01, then finally found a 17.11.07 and had no luck there either.
In my latest attempts on the 17.11.07, I was able to hex edit the "ifs-cmc.bin" on the UPD and replaced the SSH-RSA key with my own. I think this bin will be flashed to the MMC during an update.
That SWDL.UPD got past the initial check and rebooted into update mode, but then it fails the second ISO check and loops. I had to use an unmodified image to finish the update and get back up and running.
I keep reading about making changes only after the 2048 Byte mark in the older versions with the "S" at 0x80. Is this still relevant in later ISO/UPD images and to the second ISO check?
Right now, I'm looking to find a way to disable that check so that my modified .bin will be written to disk. I think this route would also work for modifying and getting WiFi enabled after a flash of the edited image.
If I had a 16.33.29 or similar older UPD version to attempt the HD_UPDATE hack in the Manifest.lua file I would give that a shot to be thorough.
Hello, any news about it?
hi,
can you explain how to change SSH key in "ifs-cmc.bin" file?
thanks a lot
itsJRod said:
I was posting some questions in the "Rooted Jeep Cherokee '14 Uconnect" thread but I've started this new thread for the 17.xx versions because the methods (if we are able to identify them) aren't the same as the 16.33.29 and earlier firmwares...
I am still trying to crack into that unit with the 17.11.07 software. I have a D-Link USB Ethernet but it's a HW revision D and I believe I would need a B if we can get ethernet enabled at all.
Also, if we can get Ethernet enabled we will still need to get SSH password or key.
Do you have a 16.33.29 version I can try this on? I'm wondering if it will get me far enough to execute the "manifest.lua HD_Update" hack you and @HanJ67 were discussing.
I've used the 17.43.01, then finally found a 17.11.07 and had no luck there either.
In my latest attempts on the 17.11.07, I was able to hex edit the "ifs-cmc.bin" on the UPD and replaced the SSH-RSA key with my own. I think this bin will be flashed to the MMC during an update.
That SWDL.UPD got past the initial check and rebooted into update mode, but then it fails the second ISO check and loops. I had to use an unmodified image to finish the update and get back up and running.
I keep reading about making changes only after the 2048 Byte mark in the older versions with the "S" at 0x80. Is this still relevant in later ISO/UPD images and to the second ISO check?
Right now, I'm looking to find a way to disable that check so that my modified .bin will be written to disk. I think this route would also work for modifying and getting WiFi enabled after a flash of the edited image.
If I had a 16.33.29 or similar older UPD version to attempt the HD_UPDATE hack in the Manifest.lua file I would give that a shot to be thorough.
sofro1988 said:
Hello, any news about it?
I have not had much time to work on this.
I actually had an idea last week that brought me back to this. I plan to use a custom flash drive to present an unmodified ISO for verification, then swap NAND to an identical image that has been hex edited to enable USB Ethernet and add a custom key for SSH access.
I thought to stack a NAND on top of the original on a is flash drive, then break out the Chip Enable pin to a switch. I've seen this done by guys modifying game consoles to be able to run modified firmware.
Once the 2nd NAND is in place I will restore an image of the original nand containing the unmodified update, then hex edit the required portions to allow access after updating.
If this method works, I should be able to pass the verification with the original nand chip, then switch it (hopefully there's a big enough window to do this by hand) then present the modified nand before it begins the flash procedure.
Hopefully someone more intimately familiar with the update scripts can verify I'm not missing anything in the process.
Tajadela said:
hi,
can you explain how to change SSH key in "ifs-cmc.bin" file?
thanks a lot
I used a hex editor to find the SSH RSA key and replace it. This passed the initial check to reboot into update mode, but wouldn't pass the full check in update mode. I'm hoping my attempt below will pass that check and still update with the modifications.
itsJRod said:
I used a hex editor to find the SSH RSA key and replace it. This passed the initial check to reboot into update mode, but wouldn't pass the full check in update mode. I'm hoping my attempt below will pass that check and still update with the modifications.
Thanks for the answer.
I saw an SSH key with the hex editor, but I would like to see exactly what you have replaced.
If it's not too much trouble, it would be interesting to see with some screenshots the changes you've made.
So we could work on two fronts. The idea of the double nand is good, but not very simple to make ...
Just thinking out loud here, when you say it passes the initial check, does it then give you any confirmation of that or any message on the screen before rebooting to upgrade mode?
Sent from my CLT-L09 using Tapatalk
SquithyX said:
Just thinking out loud here, when you say it passes the initial check, does it then give you any confirmation of that or any message on the screen before rebooting to upgrade mode?
Sent from my CLT-L09 using Tapatalk
I tried much the same thing -- the swdl.upd is another CDROM filesystem:
martinb$ file swdl.upd
swdl.upd: ISO 9660 CD-ROM filesystem data 'CDROM'
It contains three more .iso files : installer.iso, primary.iso, and secondary.iso
installer.iso is a CDROM image, but is not mountable on my linux system
primary.iso is a CDROM image, and has the usual /bin, /etc/, and /usr filesystem for an install
the /bin directory has one file - update_nand
the /etc directory has the usual mfgVersiontxt, nand_partion.txt, system_etfs_postinstall.txt, system_mmc_postinstall.txt and version.txt
the /usr/share directory is all the firmware for various components - EQ, HD_FIRMWARE, IFS, MMC_IFS_EXTENSION, OTA, SIERRA_WIRELESS, V850, and XM_FIRMWARE
What's interesting to me is that they did update the SIERRA_WIRELESS firmware -- and have done some housecleaning:
Code:
#---------------------------------
# sierra_wireless_disable_flowcontrol.file
# \d == 1 second delay
SAY " Send AT \n"
'' AT\r
OK \d
SAY "Disable flow control\n"
'' at+ifc=0,0\r
OK \d
SAY "Send SMS command CNMI\n"
'' at+cnmi=2,1,0,1,0\r
OK \d
SAY "Clear emergency number list\n"
'' AT!NVENUM=0\r
OK \d
SAY "Set emergency number to 911\n"
'' AT!NVENUM=1,"911"\r
OK \d
SAY "Save Setting\n"
'' at&w\r
OK \d
#---------------------------------
Also in the IFS directory, when you hexedit the ifs-cmc.bin file it reveals another little treat... an SSH root public key ( not as nice as a private key, but hey )
(Sorry about the formatting, this is cut/paste right out of the hex editor)
In /usr/share/MMC_IFS_EXTENSION/bin/cisco.sh and dlink.sh there's another good hint - what adapter you need for USB ethernet
Code:
#!/bin/sh
# Handle an Ethernet connection via the CISCO Linksys USB300M adapter
or
Code:
#!/bin/sh
# Handle an Ethernet connection via the D-Link DUB-E100 adapter
The static IP it brings up if no DHCP is offered is : 192.168.6.1
There's tons more in there -- like the V850 chip has access to the Sierra Wireless CDMA modem, but can configure it for voice calls through the car speakers:
"AT!AVSETPROFILE=8,1,1,0,5" ( embedded in the cmcioc.bin update file )
secondary.iso is a CDROM image and only has /etc/ and /usr
the /etc/ directory has speech_mmc_preinstall.txt and xlets_mmc1_preinstall.txt
the /usr/ directory has /usr/share/speech and /usr/share/xlets ( tons of information about sensors in the car, etc in xlets )
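To see the layout martinbogo1 describes without mounting anything, here is a minimal ISO 9660 reader, added as an example (not code from the thread or from the Uconnect firmware): it checks the primary volume descriptor and lists the root directory, which for swdl.upd is where the three nested .iso files sit. The image it reads is constructed inside the block as a stand-in for swdl.upd; plain ISO 9660 with 2048-byte sectors and no Rock Ridge or Joliet extensions is assumed.

```python
"""Minimal ISO 9660 root-directory lister (constructed example, not the real swdl.upd)."""
import struct

SECTOR = 2048
PVD_SECTOR = 16  # the volume descriptor set starts at sector 16 (byte offset 0x8000)


def _both_endian_u32(buf, off):
    """ISO 9660 stores 32-bit numbers twice: little-endian, then big-endian."""
    le = struct.unpack_from("<I", buf, off)[0]
    be = struct.unpack_from(">I", buf, off + 4)[0]
    if le != be:
        raise ValueError(f"little/big-endian copies disagree at {off:#x}; corrupt descriptor?")
    return le


def parse_dir_record(buf, off):
    """Decode one directory record -> (record_len, name, extent_lba, size, is_dir).
    A record length of 0 means padding up to the next sector boundary."""
    rec_len = buf[off]
    if rec_len == 0:
        return 0, None, 0, 0, False
    extent = _both_endian_u32(buf, off + 2)
    size = _both_endian_u32(buf, off + 10)
    flags = buf[off + 25]
    name_len = buf[off + 32]
    name = bytes(buf[off + 33:off + 33 + name_len])
    return rec_len, name, extent, size, bool(flags & 0x02)


def list_root(image):
    """Return (volume_id, [(name, extent_lba, size, is_dir), ...]) for the root directory."""
    pvd = image[PVD_SECTOR * SECTOR:(PVD_SECTOR + 1) * SECTOR]
    if pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("no primary volume descriptor at sector 16: not ISO 9660")
    volume_id = pvd[40:72].decode("ascii").rstrip()
    _, _, root_lba, root_size, _ = parse_dir_record(pvd, 156)  # root record is at PVD+156
    entries = []
    off, end = root_lba * SECTOR, root_lba * SECTOR + root_size
    while off < end:
        rec_len, name, extent, size, is_dir = parse_dir_record(image, off)
        if rec_len == 0:  # skip padding to the next sector
            off = (off // SECTOR + 1) * SECTOR
            continue
        if name not in (b"\x00", b"\x01"):  # "." and ".." entries
            entries.append((name.decode("ascii"), extent, size, is_dir))
        off += rec_len
    return volume_id, entries


def read_file(image, extent, size):
    """Slice a file's bytes out of the image; for swdl.upd each one would be a nested .iso."""
    return image[extent * SECTOR:extent * SECTOR + size]


def _dir_record(name, extent, size, is_dir=False):
    """Build a minimal directory record (only used to construct the demo image)."""
    total = 33 + len(name)
    pad = total % 2  # records are padded to an even length
    body = (bytes([0]) + struct.pack("<I", extent) + struct.pack(">I", extent)
            + struct.pack("<I", size) + struct.pack(">I", size) + bytes(7)
            + bytes([0x02 if is_dir else 0, 0, 0]) + struct.pack("<H", 1) + struct.pack(">H", 1)
            + bytes([len(name)]) + name)
    return bytes([total + pad]) + body + bytes(pad)


def build_demo_image():
    """Constructed stand-in for swdl.upd: PVD at sector 16, set terminator at 17,
    root directory at 18 listing the three nested ISOs named in the thread."""
    root_lba = 18
    dot = _dir_record(b"\x00", root_lba, SECTOR, is_dir=True)
    dotdot = _dir_record(b"\x01", root_lba, SECTOR, is_dir=True)
    files = [(b"INSTALLER.ISO;1", 19, 4096), (b"PRIMARY.ISO;1", 21, 8192), (b"SECONDARY.ISO;1", 25, 2048)]
    root = (dot + dotdot + b"".join(_dir_record(n, e, s) for n, e, s in files)).ljust(SECTOR, b"\x00")
    pvd = bytearray(SECTOR)
    pvd[0], pvd[1:6], pvd[6] = 1, b"CD001", 1
    pvd[40:72] = b"CDROM".ljust(32)  # volume id, as `file` reported for swdl.upd
    pvd[156:156 + len(dot)] = dot
    image = bytearray(SECTOR * 26)
    image[16 * SECTOR:17 * SECTOR] = pvd
    image[17 * SECTOR] = 255  # volume descriptor set terminator
    image[17 * SECTOR + 1:17 * SECTOR + 6] = b"CD001"
    image[root_lba * SECTOR:(root_lba + 1) * SECTOR] = root
    return bytes(image)


if __name__ == "__main__":
    vol, entries = list_root(build_demo_image())
    print(f"volume {vol!r}")
    for name, extent, size, is_dir in entries:
        print(f"  {name:<20} lba={extent:<4} size={size}")
```

On a real swdl.upd the same `list_root` call would run over the file's bytes (or a memory map of it) instead of `build_demo_image()`.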
martinbogo1 said:
I tried much the same thing -- the swdl.upd is another CDROM filesystem:
martinb$ file swdl.upd
swdl.upd: ISO 9660 CD-ROM filesystem data 'CDROM'
It contains three more .iso files : installer.iso, primary.iso, and secondary.iso
installer.iso is a CDROM image, but is not mountable on my linux system
primary.iso is a CDROM image, and has the usual /bin, /etc/, and /usr filesystem for an install
the /bin directory has one file - update_nand
the /etc directory has the usual mfgVersiontxt, nand_partion.txt, system_etfs_postinstall.txt, system_mmc_postinstall.txt and version.txt
the /usr/share directory is all the firmware for various components - EQ, HD_FIRMWARE, IFS, MMC_IFS_EXTENSION, OTA, SIERRA_WIRELESS, V850, and XM_FIRMWARE
What's interesting to me is that they did update the SIERRA_WIRELESS firmware -- and have done some housecleaning:
Code:
#---------------------------------
# sierra_wireless_disable_flowcontrol.file
# \d == 1 second delay
SAY " Send AT \n"
'' AT\r
OK \d
SAY "Disable flow control\n"
'' at+ifc=0,0\r
OK \d
SAY "Send SMS command CNMI\n"
'' at+cnmi=2,1,0,1,0\r
OK \d
SAY "Clear emergency number list\n"
'' AT!NVENUM=0\r
OK \d
SAY "Set emergency number to 911\n"
'' AT!NVENUM=1,"911"\r
OK \d
SAY "Save Setting\n"
'' at&w\r
OK \d
#---------------------------------
Also in the IFS directory, when you hexedit the ifs-cmc.bin file it reveals another little treat... an SSH root public key ( not as nice as a private key, but hey )
(Sorry about the formatting, this is cut/paste right out of the hex editor)
In /usr/share/MMC_IFS_EXTENSION/bin/cisco.sh and dlink.sh there's another good hint - what adapter you need for USB ethernet
Code:
#!/bin/sh
# Handle an Ethernet connection via the CISCO Linksys USB300M adapter
or
Code:
#!/bin/sh
# Handle an Ethernet connection via the D-Link DUB-E100 adapter
The static IP it brings up if no DHCP is offered is : 192.168.6.1
There's tons more in there -- like the V850 chip has access to the Sierra Wireless CDMA modem, but can configure it for voice calls through the car speakers:
"AT!AVSETPROFILE=8,1,1,0,5" ( embedded in the cmcioc.bin update file )
secondary.iso is a CDROM image and only has /etc/ and /usr
the /etc/ directory has speech_mmc_preinstall.txt and xlets_mmc1_preinstall.txt
the /usr/ directory has /usr/share/speech and /usr/share/xlets ( tons of information about sensors in the car, etc in xlets )
Have you tried connecting to it?
Sent from my iPhone using Tapatalk
sofro1988 said:
Have you tried connecting to it?
Sent from my iPhone using Tapatalk
I managed to connect with the cisco adapter (usb / ethernet), but I don't know the root password. Is the problem at the moment insurmountable?
Using a cisco connector, I have gotten the ethernet to come up, but that's it. At the moment, there doesn't seem to be anything I can connect to.
@Tajadela - sounds like you at least were able to either SSH or telnet in to a port... I'm on software version 17.43.01 .. which are you on, and what year vehicle? ( Jeep Grand Cherokee, 2015, Uconnect 8.4AN with the 3G Sierra Aircard modem for Sprint )
martinbogo1 said:
Using a cisco connector, I have gotten the ethernet to come up, but that's it. At the moment, there doesn't seem to be anything I can connect to.
@Tajadela - sounds like you at least were able to either SSH or telnet in to a port... I'm on software version 17.43.01 .. which are you on, and what year vehicle? ( Jeep Grand Cherokee, 2015, Uconnect 8.4AN with the 3G Sierra Aircard modem for Sprint )
I connected in telnet on a uconnect 6.5 with firmware 15.xx.xx. You can connect to Uconnect with the static IP it brings up if no DHCP is offered: 192.168.6.1
itsJRod said:
I used a hex editor to find the Ssh RSA key and replace it. This passed the initial check to reboot into update mode, but wouldn't pass the full check in update mode. I'm hoping my attempt below will pass that check and still update with the modifications.
After the RSA key is replaced, do you have to recalculate the checksum of the UPD file?
Have you replaced the first 64 bytes of the file?
Thanks
@itsJRod, would you like to explain the procedure to replace the RSA key in the swdl file? Thank you
Hello,
have you made any progress? I am a bit lost. I put the EU uconnect MY15 to US dodge charger MY16 and Perf Pages were working fine even on 16.16.13, although after upgrade to 17.x (17.46.0.1 right now) I am meeting the problem of expired subscription (which is not possible to have on EU radio).
I am considering basically three solutions:
a) going back to US radio, but modify the language pack/nav/FM frequencies (it is doable, but I do not know how, although I can pay for it relatively less than time invested)
b) downgrade to 16.16.13 - I have no clue how to do it, I tried to put swdl.upd with swdl.iso as and installer.iso with no luck of course.
c) take xlets from KIM2/ of 16.16.13 to KIM23 of 17.46.0.1 secondary.iso - this is probably preferred way but I do not know how to make it to pass ISO validation.
Of course root on uconnect is extremely nice to have but I will be fully satisfied with Perf Pages working again.
Hello.
I'm hoping the community can help me out. I have a RAM 1500 with the RA4 (it was running the 17.11.07 software that got pushed to me OTA style a couple of years ago). Since then: problems, radio turn-on delay, no GPS and a cellular phone warning popup.
I was told to do the 18.45 update which I got from driveuconnect.com, but this has essentially bricked my radio with the "bolo update failed" error and it is looping continuously.
I have tried many ways to modify the update software's manifest.lua script to try to get rid of the sierra wireless portion by manually editing, hex editing, etc but always get the "please insert the USB card" screen.
Uconnect is obviously completely worthless to help me and the dealer wants me to pay them money to tell me what I already know. I know I can pay 300 and send my radio to infotainment.com to get it repaired, but I would like to solve this on my own if possible, because I would like to further modify the software to make it more custom and unique.
From my reading the 17x version keeps you from downgrading to a version that can be hacked easily.
Everything seems like it should be pretty straight forward as I have a lot of experience in programming and embedded devices.
It seems they are validating the ISOs using some mechanism; I believe I have tried all of the tricks/methods.
I have searched the code to see if I can find the ISO MD5 or SHA256 hashes that ioc_check is probably using to figure out I changed something, but nothing works.
I have even tried swapping the flash drives after validation but it seems they are using the ISOs they already copied to continue the process; I then end up getting some invalid errors or the update just crashes out.
I got other updates from the link: http://www.mydrive.ch/
username: [email protected]
Password: gasolio
Haven't tried all of them yet, but pretty sure they won't work, due to the 17x security changes.
Any help would be appreciated greatly, I really don't want to shell out any cash for something a company told me to do, and due to their screw up with bricking modems, this is now bricking my radio.
Thanks to all in advance !!!
djmjr77 said:
Hello.
I'm hoping the community can help me out. I have a RAM 1500 with the RA4 (it was running the 17.11.07 software that got pushed to me OTA style a couple of years ago). Since then: problems, radio turn-on delay, no GPS and a cellular phone warning popup.
I was told to do the 18.45 update which I got from driveuconnect.com, but this has essentially bricked my radio with the "bolo update failed" error and it is looping continuously.
I have tried many ways to modify the update software's manifest.lua script to try to get rid of the sierra wireless portion by manually editing, hex editing, etc but always get the "please insert the USB card" screen.
Uconnect is obviously completely worthless to help me and the dealer wants me to pay them money to tell me what I already know. I know I can pay 300 and send my radio to infotainment.com to get it repaired, but I would like to solve this on my own if possible, because I would like to further modify the software to make it more custom and unique.
From my reading the 17x version keeps you from downgrading to a version that can be hacked easily.
Everything seems like it should be pretty straight forward as I have a lot of experience in programming and embedded devices.
It seems they are validating the ISOs using some mechanism; I believe I have tried all of the tricks/methods.
I have searched the code to see if I can find the ISO MD5 or SHA256 hashes that ioc_check is probably using to figure out I changed something, but nothing works.
I have even tried swapping the flash drives after validation but it seems they are using the ISOs they already copied to continue the process; I then end up getting some invalid errors or the update just crashes out.
I got other updates from the link: http://www.mydrive.ch/
username: [email protected]
Password: gasolio
Haven't tried all of them yet, but pretty sure they won't work, due to the 17x security changes.
Any help would be appreciated greatly, I really don't want to shell out any cash for something a company told me to do, and due to their screw up with bricking modems, this is now bricking my radio.
Thanks to all in advance !!!
Just to follow up for anyone who reads this in the future.
I was able to get my uconnect working again a few minutes ago.
As my previous post stated I got stuck in the "bolo update failed" loop.
I downloaded the UCONNECT_8.4AN_RA4_16.33.29_MY16.exe update from the url posted in my previous comment.
I did the S Byte HEX Mod to the swdl.iso file, loaded it and the swdl.upd file on a thumb drive. Used HxD on Windows. Followed the section in the Uconnect exploitation PDF:
https://www.google.com/url?sa=t&source=web&rct=j&url=http://illmatics.com/Remote%2520Car%2520Hacking.pdf&ved=2ahUKEwjZsOGNl5nyAhWhGVkFHZy2AnAQFnoECAcQAg&usg=AOvVaw0NAi3a1eh-IRd3n1VHv-ys
When I plugged it in, it started with the update process, after the first unit, the screen said the Uconnect had to restart, please wait..
And voila, my radio worked again!!! It even says it has the 18.45 firmware on it.. go figure.. Navigation still does not work, but that's most likely because the sierra wireless card is bad.
I cannot say for sure the S Byte thing did anything, because I'm not messing with this anymore, almost had to buy a new radio.
I would say try it without, then with it if it doesn't work.
This could also be a fluke with my particular unit, but at least it's something else to try than pay 600+ dollars!!
Good luck to anyone else who goes through this mess!!!
djmjr77 said:
Just to follow up for anyone who reads this in the future.
I was able to get my uconnect working again a few minutes ago.
As my previous post stated I got stuck in the "bolo update failed" loop.
I downloaded the UCONNECT_8.4AN_RA4_16.33.29_MY16.exe update from the url posted in my previous comment.
I did the S Byte HEX Mod to the swdl.iso file, loaded it and the swdl.upd file on a thumb drive. Used HxD on Windows. Followed the section in the Uconnect exploitation PDF:
https://www.google.com/url?sa=t&source=web&rct=j&url=http://illmatics.com/Remote%2520Car%2520Hacking.pdf&ved=2ahUKEwjZsOGNl5nyAhWhGVkFHZy2AnAQFnoECAcQAg&usg=AOvVaw0NAi3a1eh-IRd3n1VHv-ys
When I plugged it in, it started with the update process, after the first unit, the screen said the Uconnect had to restart, please wait..
And voila, my radio worked again!!! It even says it has the 18.45 firmware on it.. go figure.. Navigation still does not work, but that's most likely because the sierra wireless card is bad.
I cannot say for sure the S Byte thing did anything, because I'm not messing with this anymore, almost had to buy a new radio.
I would say try it without, then with it if it doesn't work.
This could also be a fluke with my particular unit, but at least it's something else to try than pay 600+ dollars!!
Good luck to anyone else who goes through this mess!!!
I created an account just to reply to this and all I have to say is you're literally an absolute life saver. I've been working on this every day for two weeks now, trying every trick people said, trying every USB, every format, every version and nothing ever worked for me. Uconnect support was absolutely no help and it was a lot of back-and-forth finger pointing and "no, you need to reach out to this person" between them and the dealership. Dealership tried to charge me for a Proxy Alignment when I asked to just update my damn radio stuck in this loop.
I have a 2015 Jeep Cherokee 8.4AN VP4 NA Head Unit 68238619AJ. I was updating from 17.11.07 to 18.45.01 and got stuck at step 11 at 1% and would get a failed sierra wireless every time and then got in that "bolo update failed" loop. Well, to fix it just now all I did was download the UCONNECT_8.4AN_RA4_16.33.29_MY16.exe update from the url posted in the previous comment, quick format to FAT32 on a 16GB Micro Center USB, extracted the files from 16.33.29 to the USB with 7ZIP, plugged in like normal and BOOM it ran the first step, restarted and I had a working radio again showing update 18.45.01.
(So I'm assuming you don't have to do the S Byte thing; I didn't even mess with it, I just used the 16.33.29 to bypass step 11 since that version only has 14 steps and 18.45.01 was already preloaded from attempting before. My navigation still is the wrong address but I don't care about all that, just thankful to have my radio back before my wife killed me for trying to update it by myself.)
I hope this helps someone else one day because it took some deep research and hours on hours of forum hopping to finally find the solution. <3
djmjr77 said:
Just to follow up for anyone who reads this in the future.
I was able to get my uconnect working again a few minutes ago.
As my previous post stated I got stuck in the "bolo update failed" loop.
I downloaded the UCONNECT_8.4AN_RA4_16.33.29_MY16.exe update from the url posted in my previous comment.
I did the S Byte HEX Mod to the swdl.iso file, loaded it and the swdl.upd file on a thumb drive. Used HxD on Windows. Followed the section in the Uconnect exploitation PDF:
https://www.google.com/url?sa=t&source=web&rct=j&url=http://illmatics.com/Remote%2520Car%2520Hacking.pdf&ved=2ahUKEwjZsOGNl5nyAhWhGVkFHZy2AnAQFnoECAcQAg&usg=AOvVaw0NAi3a1eh-IRd3n1VHv-ys
When I plugged it in, it started with the update process, after the first unit, the screen said the Uconnect had to restart, please wait..
And voila, my radio worked again!!! It even says it has the 18.45 firmware on it.. go figure.. Navigation still does not work, but that's most likely because the sierra wireless card is bad.
I cannot say for sure the S Byte thing did anything, because I'm not messing with this anymore, almost had to buy a new radio.
I would say try it without, then with it if it doesn't work.
This could also be a fluke with my particular unit, but at least it's something else to try than pay 600+ dollars!!
Good luck to anyone else who goes through this mess!!!
Do you have another link to download the UCONNECT_8.4AN_RA4_16.33.29_MY16.exe files? I am trying to help a friend of mine the way this helped me. Thank you again for this!
Hi there
I bought a Mi locked Xiaomi Redmi 8 pro from a legal source (can explain and prove via PM if you want).
I was aware that it's locked but I like the challenge.
Till now I was able to flash official stock ROM with SP Flash and also to format the partition with the Mi account authentication files. After that I am able to go through the setup but the moment I connect it to the internet, it will lock again. After you skip the WLAN connection setup, the setup will at some point give out something like "you did not set up a google account, so you have to do the setup again" - so no way so far to start without connecting to internet, no chance to get root access..
Tried this without any internet connection or sim card inserted.
Next thing I thought about was to install a custom ROM with SP Flash, but could not find a ROM with scatter file yet. No clue if that would help either to avoid the Mi Account request.
I was also thinking to install TWRP to make flashing and so on a bit easier. Can't unlock bootloader, nor root the phone and I am pretty much a noob. Is it even possible (maybe with Bluestacks and SP Flash)? Yet I wasn't even able to read out the IMEI ...
Would be happy for any help or even solutions. I'd be fine if it would run on somewhat working Linux or custom ROM. Keen to try what's possible.
Thanks in advance for your help.
Thought to myself it might be possible to flash a Chinese ROM (without Gapps) and set up without internet connection just to get root access
M1k3.7 said:
Thought to myself it might be possible to flash a Chinese ROM (without Gapps) and set up without internet connection just to get root access
It appears I'm talking to myself here ;D
I managed to flash the Chinese stock ROM on the phone. Was the same as flashing the global one. After the flash it started up but prompted the same screen where it says the device is Mi account locked. At least I guess it said the same as it was in Chinese.
I have to do what I did before - format the partition with the Mi Account on the phone with SP Flash.
Unfortunately for some reason SP Flash doesn't want to work anymore. It gives out an error code which apparently says that the USB output power is too low, although I haven't connected the phone nor anything else via USB on the laptop. Downloaded SP Flash again, tried the scatter file from the global version, different download manager files and authentication files from different sources.
Every time I get the same error message within a couple seconds after I press "start" after I copy in the start partition and length of the authentication files. Did look up if it's the same partition in the Chinese ROM scatter file and it is. Did also try to connect the phone within the time but doesn't work either.
Yeah, that's it for today. Surely a problem with SP Flash or Windows or the hardware around and not with the phone. Might try it with the other Linux laptop I have but I'm not really good with Linux.
I'm on it and I think if I could just delete the Mi Account partition once more, I could root the phone and install TWRP bootloader to make it a bit easier.
Yeah !
I did use a different windows laptop. Installed Sp Flash, downloaded the Chinese Stock Rom again, libusb devel driver, Python, ...
It worked ! I was able to format the partition wit the Mi Authentication code and setup the phone. As the Chinese Version comes without Gapps (but with english language package) I was able to finish the setup.
Opened developer options, USB debugging mode on, Bootloader unlocked (that's what it says in the settings, buy it's not) ! Way to go
In fact I could install a VPN App via USB right know and trick the Mi Account verification. Could install Gapps (no, I tried and could not) and that's it if the phone is not Google locked as well.
But I will try to install TWRP and a custom ROM first as I don't like bloatware. Still got no answer if custom Rom's do come with Mi Account request
Any help would still be well appreciated
Hi again in my "only me" thread
Had no luck so far to unlock the bootloader. Did install a VPN via usb to use the imternet. Works fine.
Tried to install Google Apps Installer from the Chinese App Store. Hangs on 3% without message.
Right now I'm downloading an older Chinese Stock Rom and will try to downgrade the phone with it. Might help or not, who knows
Would be interesting if it's Google locked as well.
Anyway, I'm not giving up yet. If I'm not able to bring it further, I will use the phone like it is with drony anyway. Won't resell it.
I'll keep trying
M1k3.7 said:
Hi again in my "only me" thread.
Had no luck so far unlocking the bootloader. I did install a VPN via USB to use the internet. Works fine.
Tried to install Google Apps Installer from the Chinese app store. It hangs at 3% without a message.
Right now I'm downloading an older Chinese stock ROM and will try to downgrade the phone with it. Might help or not, who knows.
It would be interesting if it's Google locked as well.
Anyway, I'm not giving up yet. If I'm not able to bring it further, I will use the phone like it is with Drony anyway. Won't resell it.
I'll keep trying.
Update:
After downloading the older stock ROM (from 2019) I chose the scatter file and connected the phone via the bypass tool as usual. SP Flash won't find the phone ...
I installed the phone with the USB devel driver on another USB port; the bypass works, but SP Flash still won't find it.
It seems SP Flash saves scatter (or ROM) files somehow linked to the driver. When I loaded the old scatter file, SP Flash could find the phone again. That was probably the problem on the other laptop too.
I do have a third laptop (kids in school and "bring your own device"), but that's the Linux one. I also have a Windows PC ...
That would allow me to do the same procedure with two other ROMs, I guess.
I don't really want to try that, as it's most likely one or two nasty rules in the Windows registry. Again, I'd really appreciate help.
That means I will try to solve the problem with what I have now: the working phone with the latest Chinese stock ROM and Drony, but without Gapps.
I will try to block the connection to Mi Cloud and updates on my Wi-Fi router.
This should allow me to install a global stock ROM again, which comes with Google Apps. If the device is not Google locked, I could have at least a working phone with Drony always on.
Success!
I was able to block the Mi Account checkups in the router and flash my phone back to the newest global ROM!
First I added URL filters in my router. I checked the blocked URLs in the Drony app on my Chinese ROM phone. My router blocks the following URLs:
find.api.micloud.xiaomi.net
data.mistat.xiaomi.com
update.miui.com
i.mi.com
After that I tried to flash the latest global stock ROM from the official Xiaomi page and failed at first. I got the same error message as I got when I wanted to flash the older Chinese ROM. I figured out that you have to deactivate "Tracing" in the SP Flash settings.
It would probably be enough to delete every saved folder in the log file path, which is "C:\ProgramData\SP_FT_Logs". ProgramData is hidden, so I chose to just deactivate tracing altogether, and it worked for me.
After the flash I still had a couple of Chinese and other (Drony, Miracle, UC Browser, ...) apps with settings installed. Somehow it saved the apps and settings. Most of the Chinese apps were gone though, and I was able to go through the setup, giving it a Gmail account and so on. Google Apps working fine.
After a couple of minutes I got a message that an Android app doesn't work. Couldn't stop it.
At this point I did a "random" factory reset, with no SIM card (mobile data) installed.
This deleted all settings and, again, the setup worked just fine.
Right after the setup I installed the Drony app again and blocked the necessary apps. Use YouTube or Google to find the right Drony settings. When Drony is running you can insert your SIM card and use mobile data.
That's it so far. I have a phone with up-to-date firmware but disabled firmware updates; I can install practically every app from the Google App Store and connect to the internet with the Drony app in between. Activated developer mode and USB debugging (not necessary).
In fact, with mobile data off and connected to my home Wi-Fi, I could use the phone without the VPN app (Drony).
-------------+++++++++------------
What would I try if I bought another phone like this?
I'm just a random guy who bought a locked phone. If you try any of the following on your phone, I do not take any responsibility!
1) Block the URLs which you can find above.
2) https://forum.xda-developers.com/t/...d-flash-in-edl-with-no-auth-for-free.4229679/
At point 9 it says: "Connect powered off phone with volume- button to boot in EDL mode"
You are probably not even able to power off your phone, and you DO NOT need to open your phone to disconnect the battery.
When the phone is on (your phone is on the lock screen or so), press and hold the power button and volume up button until the phone shuts off. At that very second let the power button go, just keep the volume up button pressed, and connect the USB-C cable to your phone. That's it.
The libusb filter driver window should find the MTK device. Click on it quickly and install. It should prompt "driver successfully installed". No problem if you're not fast enough; just try again. Even if your device disappears from the list meanwhile, it is installed after this message.
Keep the buttons and the procedure in mind, as you will need it later on when you do the bootloader bypass itself with bypass.bat. Try it again and again till it says "driver installed" when it comes to the "how to install" message at #10, and "protection disabled" at the "how to bypass" #3 part.
------------------------------------------------------------
Furthermore, you probably don't need to flash (SP Flash -> Download) your device at all. It might be enough if you choose the scatter file of your downloaded ROM, the MTK all-in-one Download Agent and the auth_sv5.auth authentication file.
Then go to "Format" in SP Flash Tool. Tick "manual format flash" and give begin address
0xe188000 and format length 0x4678000. After this your phone will boot into setup mode.
DO NOT DO THIS IF YOU ARE NOT SURE YOU HAVE THE RIGHT PHONE, SCATTER FILE, STOCK ROM AND THE RIGHT FIRMWARE ON YOUR PHONE!
The phone is working fine so far. I still want to unlock the bootloader and finally install TWRP and a custom ROM.
Can't say when this will happen, as it's my daughter's phone now.
I might also try to deactivate or manipulate the apps which took up the IMEI on the Mi Account servers. Given that I have developer settings and USB debugging activated, I can practically delete or change every single file on the phone but the bootloader.
Maybe I can get rid of the Drony app this way.
It's fun to read your journal.
But unfortunately, unlocking the bootloader needs you to bind your phone to a Mi account. And you have an account lock problem. I guess it won't happen until you solve that.
There is a Mi account unblocking service out there if you are willing to spare some bucks, but I haven't tried any of them, and as promoting such services is against XDA rules, I can't tell you any name here.
Personally, I will keep my hands away from something with an account problem. My best experience is buying bricked phones (Redmi Note 5 Pro, Redmi Note 8 Pro).
kekesed97 said:
It's fun to read your journal.
But unfortunately, unlocking the bootloader needs you to bind your phone to a Mi account. And you have an account lock problem. I guess it won't happen until you solve that.
There is a Mi account unblocking service out there if you are willing to spare some bucks, but I haven't tried any of them, and as promoting such services is against XDA rules, I can't tell you any name here.
Personally, I will keep my hands away from something with an account problem. My best experience is buying bricked phones (Redmi Note 5 Pro, Redmi Note 8 Pro).
Thank you for your reply.
When I bought the phone I actually wasn't aware that the bootloader could be locked. As I said, I've not much of an idea and thought I could at least flash a custom ROM on that phone. I know nothing and knew even less a couple of weeks ago.
I'm aware that there are unlocking services you can pay for. I did not really look into that yet.
I still have a couple of options. The guy I bought the phone from does know the name and email of the other guy who put in the Mi Account in the first place. That guy is willing to remove the Mi lock if I'd bring the phone to him. He's rather far away though, and a flight ticket is not really worth it.
The other option is to pay for it, as you said, but I doubt there is a store near me, and I don't want to pay a random online-based service from I-don't-know-where, as the phone works fine like it is now and my daughter is happy.
Another option would probably be to buy another phone with a broken screen (but not locked) or so, or maybe just the motherboard. I'm not sure though if it's enough to exchange the motherboard or not.
Or I could just leave it for now and wait to see if someone programs a working bootloader key generator or unlocking tool for the phone. That's maybe already out there somewhere, or it will be next week or in 5 years, who knows.
If nothing works, it's fine too, as long as it runs like it does now with the VPN.
M1k3.7 said:
Thank you for your reply.
When I bought the phone I actually wasn't aware that the bootloader could be locked. As I said, I've not much of an idea and thought I could at least flash a custom ROM on that phone. I know nothing and knew even less a couple of weeks ago.
I'm aware that there are unlocking services you can pay for. I did not really look into that yet.
I still have a couple of options. The guy I bought the phone from does know the name and email of the other guy who put in the Mi Account in the first place. That guy is willing to remove the Mi lock if I'd bring the phone to him. He's rather far away though, and a flight ticket is not really worth it.
The other option is to pay for it, as you said, but I doubt there is a store near me, and I don't want to pay a random online-based service from I-don't-know-where, as the phone works fine like it is now and my daughter is happy.
Another option would probably be to buy another phone with a broken screen (but not locked) or so, or maybe just the motherboard. I'm not sure though if it's enough to exchange the motherboard or not.
Or I could just leave it for now and wait to see if someone programs a working bootloader key generator or unlocking tool for the phone. That's maybe already out there somewhere, or it will be next week or in 5 years, who knows.
If nothing works, it's fine too, as long as it runs like it does now with the VPN.
You can ask him to unregister your phone from his account. It's the best bet.
Wait, I will test it on my old Redmi Note 5.
Just tested with my Redmi Note 5 Pro. Apparently you can unlock it if you have access to your Mi account. I'm sure you don't have Google FRP lock there, so I logged out from my Google account before testing.
How did I do that?
1. I did a backup of the /data partition using OrangeFox
2. I erased my Google account, leaving the Mi account intact
3. I did a factory reset with the old 3-wipe (data, cache, dalvik-cache), leaving emulated storage intact
4. I rebooted my phone
5. On the welcome screen, I connected to mobile data and was greeted by the "Login to your Mi account" screen. I connected to a Wi-Fi network here
6. I went to i.mi.com and logged in to my account
7. I clicked on "Find device" and deactivated Find device there
8. I clicked on my profile logo -> Devices and storage
9. I clicked on my test device
10. I clicked on "Erase device" and agreed to the next dialog box
11. My device was removed from my account
12. I restarted my device and that annoying lockout screen was gone
13. I skipped everything on the welcome screen and checked whether my files were intact or not. They are
14. Test finished. Now restoring my old data
Hello
The seccfg partition unlocks the device.
You must initially unlock the bootloader through the MiUnlock application, then recover (save) the seccfg partition (which contains the bootloader unlock information). But it is easier to get rid of the requirement for the MiUnlock app.
1) Recover your "seccfg" partition:
* With the phone in normal mode:
- Launch the command prompt and type:
adb shell
ls -al /dev/block/by-name
or
adb shell
ls -al /dev/block/platform/bootdevice/by-name
- Output (look for "seccfg"):
lrwxrwxrwx 1 root root 16 2021-03-06 23:25 seccfg -> /dev/block/sdc13
- Dump "seccfg" to the internal memory:
dd if=/dev/block/sdc13 of=/sdcard/Partition_seccfg
(I named it "Partition_seccfg", but you can give it the name you want)
- Save "Partition_seccfg" on your PC.
* You can also recover the "seccfg" partition with SPFlashTool:
- Open "MT6785_Android_scatter.txt" from a stock ROM (with Notepad or another editor)
- Look for "seccfg":
partition_index: SYS14
partition_name: seccfg
file_name: NONE
is_download: false
type: NORMAL_ROM
linear_start_addr: 0x13800000
physical_start_addr: 0x13800000
partition_size: 0x800000
- Turn off the phone
- Switch to EDL mode with the Python script "bypass_utility-v.1.4.2" (see the web for installation and other information, among other things to unbrick the phone)
- Do a "Readback" of the "seccfg" partition with SPFlashTool using linear_start_addr: 0x13800000 and partition_size: 0x800000 (check the location on the PC where the "seccfg" partition will be saved with the name you have chosen)
2) Modify your "seccfg" partition:
* Edit the "seccfg" partition with a hexadecimal editor (Notepad or other)
- Total size 0x000000 to 0x7ffff0 (from 0x000040 to 0x7ffff0 every byte is 00)
- At addresses 0x000000 to 0x00003f we find:
00000000  4d 4d 4d 4d 04 00 00 00 3c 00 00 00 02 00 00 00
00000010  00 00 00 00 00 00 00 00 45 45 45 45 3d aa 79 3b
00000020  eb b0 56 bd 53 48 d3 6e 7d 54 a0 41 0c 2d 1a 90
00000030  58 1a 9c 5f ab 90 cc 0f 5c 11 63 a2 00 00 00 00
(The bootloader is locked!)
- Modify with the hexadecimal editor (addresses 0x000000 to 0x000030):
00000000  4d 4d 4d 4d 04 00 00 00 3c 00 00 00 03 00 00 00
00000010  00 00 00 00 00 00 00 00 45 45 45 45 57 b3 59 5d
00000020  9e bc 3d 02 33 91 84 9a 42 59 54 8e 07 aa 0f 34
00000030  f1 bb 1e 47 ea 8e cf 76 fb de 79 7b 00 00 00 00
(The bootloader is unlocked!)
- Save the changes
3) Write your "seccfg" partition to the phone:
* Flash the "seccfg" partition, either:
- in fastboot mode: fastboot flash seccfg "path on your PC"\"name of your saved seccfg partition" (E:\MyFolder\Partition_seccfg for example),
- with SPFlashTool in EDL mode via the Python script "bypass_utility-v.1.4.2", flashing your ROM with only the "seccfg" partition checked,
- in adb mode, with the reverse operation, after copying your "seccfg" partition to the internal memory of the phone (with the name "Partition_seccfg" that I gave, or the one you chose):
adb shell dd if=/sdcard/Partition_seccfg of=/dev/block/sdc13
- Restart the phone and the bootloader is unlocked without intervention from Xiaomi or anyone else!
4) Warning:
Once all this information is published, subsequent MIUI updates may destroy our efforts by arranging the bootloader unlock in a more complicated way!
If I manage to re-enable telephony after changing the IMEIs and serial number of the phone, I will let you know. If anyone knows how to reactivate telephony after making these changes, let us know.
Hi. See you soon.
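Both the "manual format" step in M1k3.7's recipe (begin address 0xe188000, length 0x4678000) and the SPFlashTool readback of seccfg above (linear_start_addr 0x13800000, partition_size 0x800000) hinge on a raw address range agreeing with the scatter file of the ROM that is actually on the phone, which is exactly what the capitalised warning is about. The following is an added example, not code from the thread or from any Xiaomi or MediaTek tool: it parses the scatter-file entry format quoted in the post and checks an address range against the partition table. The seccfg entry in the sample is the one quoted above; the two entries named placeholder_* are invented to give the overlap check neighbours and are not the real MT6785 layout.

```python
"""Scatter-file sanity check for SP Flash Tool address ranges (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample scatter text. The seccfg block is copied from the thread;
# placeholder_before / placeholder_after are made up for the example only.
SAMPLE_SCATTER = """\
- partition_index: SYS13
  partition_name: placeholder_before
  file_name: NONE
  is_download: false
  type: NORMAL_ROM
  linear_start_addr: 0x13000000
  physical_start_addr: 0x13000000
  partition_size: 0x800000
- partition_index: SYS14
  partition_name: seccfg
  file_name: NONE
  is_download: false
  type: NORMAL_ROM
  linear_start_addr: 0x13800000
  physical_start_addr: 0x13800000
  partition_size: 0x800000
- partition_index: SYS15
  partition_name: placeholder_after
  file_name: NONE
  is_download: false
  type: NORMAL_ROM
  linear_start_addr: 0x14000000
  physical_start_addr: 0x14000000
  partition_size: 0x1000000
"""

# Matches "key: value" lines, with or without the leading "- " of a new entry.
_KV = re.compile(r"^-?\s*(\w+):\s*(\S+)\s*$")


@dataclass(frozen=True)
class Partition:
    name: str
    start: int   # linear_start_addr
    size: int    # partition_size

    @property
    def end(self) -> int:
        """Exclusive end address."""
        return self.start + self.size


def _build(entry: Dict[str, str]) -> Partition:
    return Partition(
        entry["partition_name"],
        int(entry["linear_start_addr"], 16),
        int(entry["partition_size"], 16),
    )


def parse_scatter(text: str) -> List[Partition]:
    """Collect one Partition per 'partition_index' block of a scatter file."""
    parts: List[Partition] = []
    cur: Dict[str, str] = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if not m:
            continue
        key, val = m.groups()
        if key == "partition_index":        # a new entry starts here
            if "partition_name" in cur:
                parts.append(_build(cur))
            cur = {}
        cur[key] = val
    if "partition_name" in cur:
        parts.append(_build(cur))
    return parts


def find_partition(parts: List[Partition], name: str) -> Partition:
    for p in parts:
        if p.name == name:
            return p
    raise KeyError(f"no partition named {name!r} in scatter file")


def overlapping(parts: List[Partition], start: int, length: int) -> List[str]:
    """Names of every partition touched by [start, start+length)."""
    end = start + length
    return [p.name for p in parts if p.start < end and start < p.end]


def range_matches(part: Partition, start: int, length: int) -> bool:
    """True only when a readback/format range covers exactly one partition."""
    return part.start == start and part.size == length


if __name__ == "__main__":
    table = parse_scatter(SAMPLE_SCATTER)
    seccfg = find_partition(table, "seccfg")
    print("readback range is exactly seccfg:",
          range_matches(seccfg, 0x13800000, 0x800000))
    print("manual-format range hits:", overlapping(table, 0xE188000, 0x4678000))
```

Run `overlapping()` with the begin address and length you are about to type into the Format tab; anything other than the partitions you intended to wipe means the scatter file does not belong to the firmware on the phone. With the sample table the format range from the recipe ends at 0x12800000 and touches none of the listed entries, while the readback range matches seccfg byte for byte.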
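The two hex dumps in step 2 differ in exactly two places: the dword at offset 0x0c (02 in the locked dump, 03 in the unlocked one) and the 32 bytes that follow the "EEEE" marker. The following is an added example, not the poster's tooling: it parses the 0x3c-byte header visible in the dumps, reports the lock state, shows which fields differ between the two images and builds a patched image of the full 0x800000-byte partition size. The field names version, reserved and trailer are my assumptions about bytes the post does not name; the post does not say how the 32-byte trailer is derived, so the code copies it from a known-good image rather than computing it.

```python
"""Parse, diff and patch the seccfg header quoted in the thread (added example)."""
import struct
from dataclasses import dataclass, fields
from typing import List, Tuple

MAGIC = 0x4D4D4D4D       # "MMMM" at offset 0x00
END_MARK = 0x45454545    # "EEEE" at offset 0x18
HEADER_LEN = 0x3C        # the size dword at 0x08 in both dumps
PARTITION_LEN = 0x800000  # partition_size of seccfg in the scatter file
LOCK_STATES = {2: "locked", 3: "unlocked"}  # values seen at offset 0x0c

# Both images are the dumps from the post, header only (the rest is zeros).
LOCKED = bytes.fromhex(
    "4d4d4d4d040000003c00000002000000"
    "0000000000000000454545453daa793b"
    "ebb056bd5348d36e7d54a0410c2d1a90"
    "581a9c5fab90cc0f5c1163a200000000")
UNLOCKED = bytes.fromhex(
    "4d4d4d4d040000003c00000003000000"
    "000000000000000045454545" "57b3595d"
    "9ebc3d023391849a4259548e07aa0f34"
    "f1bb1e47ea8ecf76fbde797b00000000")


@dataclass(frozen=True)
class SecCfg:
    version: int            # assumed meaning of the dword at 0x04 (value 4)
    size: int               # dword at 0x08, 0x3c in both dumps
    lock_state: int         # dword at 0x0c: 2 locked, 3 unlocked
    reserved: Tuple[int, int]  # dwords at 0x10/0x14, zero in both dumps
    trailer: bytes          # 32 bytes after "EEEE"; differs between the dumps


def parse_seccfg(blob: bytes) -> SecCfg:
    """Validate magic, end marker and size, then split out the header fields."""
    if len(blob) < HEADER_LEN:
        raise ValueError("image shorter than the 0x3c-byte header")
    magic, ver, size, lock, r0, r1, end = struct.unpack_from("<7I", blob, 0)
    if magic != MAGIC:
        raise ValueError("bad magic, not a seccfg image")
    if end != END_MARK:
        raise ValueError("missing EEEE marker at 0x18")
    if size != HEADER_LEN:
        raise ValueError(f"unexpected header size 0x{size:x}")
    return SecCfg(ver, size, lock, (r0, r1), bytes(blob[0x1C:HEADER_LEN]))


def lock_state_name(blob: bytes) -> str:
    return LOCK_STATES.get(parse_seccfg(blob).lock_state, "unknown")


def diff_fields(a: bytes, b: bytes) -> List[str]:
    """Names of header fields whose values differ between two images."""
    pa, pb = parse_seccfg(a), parse_seccfg(b)
    return [f.name for f in fields(SecCfg)
            if getattr(pa, f.name) != getattr(pb, f.name)]


def patch_lock_state(blob: bytes, new_state: int, trailer: bytes) -> bytes:
    """Return a copy with the lock-state dword and trailer replaced.

    The trailer must come from an image known to be valid for this phone;
    this function cannot derive it.
    """
    if len(trailer) != HEADER_LEN - 0x1C:
        raise ValueError("trailer must be 32 bytes")
    out = bytearray(blob)
    struct.pack_into("<I", out, 0x0C, new_state)
    out[0x1C:HEADER_LEN] = trailer
    return bytes(out)


def pad_to_partition(blob: bytes, size: int = PARTITION_LEN) -> bytes:
    """Zero-pad a header-only image to the full partition size for flashing."""
    if len(blob) > size:
        raise ValueError("image larger than partition")
    return blob + b"\x00" * (size - len(blob))


def padding_is_zero(blob: bytes) -> bool:
    """Every byte after the header should be 00, as the post describes."""
    return not any(blob[HEADER_LEN:])


if __name__ == "__main__":
    print("locked dump  :", lock_state_name(LOCKED))
    print("unlocked dump:", lock_state_name(UNLOCKED))
    print("fields that differ:", diff_fields(LOCKED, UNLOCKED))
    image = pad_to_partition(
        patch_lock_state(LOCKED, 3, parse_seccfg(UNLOCKED).trailer))
    print("patched image matches unlocked dump:",
          image[:HEADER_LEN] == UNLOCKED, "size:", hex(len(image)))
```

Before writing anything back with dd or SPFlashTool, run `parse_seccfg()` on the readback you took in step 1 and confirm `padding_is_zero()` holds; a dump whose magic, end marker or size does not check out was taken from the wrong range and must not be edited or flashed.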