[Testing Finished] Root exploit - iovyroot for Xperia M5 family - Sony Xperia M5

So, good news everybody, @zxz0O0 recently released a root exploit based on CVE-2015-1805 entitled iovyroot that allows getting temporary root on the Xperia Z3+/Z4/Z5 family (they can't get permanent root with a locked bootloader because of dm-verity). Luckily for us, this same vulnerability is also present on some firmwares of the Xperia M5, and unlike the flagships, those exploitable firmwares don't have dm-verity, which means we can get full root access on a locked bootloader without depending on proprietary stuff like KingRoot with its dubious root managing app.
How to test
First, please note this is just a test version; it won't actually root the device, only check if the exploit works. After confirming the exploit is working as intended, an official iovyroot update will be released with support for the Xperia M5 family. Following this update, I'll release a simple SuperSU installer on top of iovyroot so we can easily get root and SuperSU without depending on KingRoot and its dubious stuff.
To test, enable USB Debugging on your device and make sure the ADB drivers are installed, then download and run the ZIP package attached to this thread. If the exploit works for you, the output should be something like this:
Code:
iovyroot by zxz0O0
poc by idler1984
[+] Changing fd limit from 1024 to 4096
[+] Changing process priority to highest
[+] Getting pipes
[+] Allocating memory
[+] Installing JOP
[+] Patching address 0xffffffc0011f52b0
[+] Start map/unmap thread
[+] Start write thread
[+] Spraying kernel heap
[+] Start read thread
[+] Done
[+] Patching addr_limit
[+] Patching address 0xffffffc003618008
[+] Start map/unmap thread
[+] Start write thread
[+] Spraying kernel heap
[+] Start read thread
[+] Done
[+] Removing JOP
got root lmao
Press any key to exit...
After testing, reply to this thread listing your firmware version and variant and confirming whether the exploit worked or not. Please also note that only the firmwares listed below under "Confirmed working" or "Needs Testing" are supported, because Sony already fixed this exploit on the newer firmwares. All supported firmwares tested. SuperSU installer coming soon...
Furthermore, if anyone is looking for FTFs of the older firmwares to test, they are still available on XperiFirm under some regions/carriers. Also, if you're willing to downgrade your device with Flashtool for testing, make sure you're using version 0.9.20.0 or newer and answer yes when it asks if you want to use the .fsc script, otherwise you may brick your phone. If you already have Flashtool installed, it's recommended to trigger a manual device sync (Devices => Devices Sync => Manual Sync) to make sure you get the .fsc script for the M5, since its inclusion in the database was done only recently...
Supported Firmwares
For single SIM variants (E5603, E5606 and E5653):
- 30.0.A.1.23
- 30.1.A.1.33
For dual SIM variants (E5633, E5643 and E5663):
- 30.0.B.1.23
- 30.1.B.1.33
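An added helper, not part of the original post or of the iovyroot release, that automates the test described above: it reads the model and firmware number over adb, refuses builds that are not in the supported list above (Sony's fix is in the newer builds), reports whether dm-verity is active on /system, then pushes the test binary and grades its transcript against the stages shown in the expected output. Assumptions not stated in the thread: adb is on PATH, Sony exposes the firmware number as ro.build.id and the model as ro.product.model, and Android 5.x sets partition.system.verified when /system is verity-protected.

```python
"""Pre-flight and result checker for the iovyroot test build on the Xperia M5.

Added example; not code from this thread or from the iovyroot project.
Assumptions not stated in the thread: adb is on PATH, Sony reports the
firmware number in ro.build.id and the model in ro.product.model, and on
Android 5.x fs_mgr sets partition.system.verified when dm-verity covers /system.
"""
import re
import subprocess

# Builds the thread lists as supported (Sony fixed the bug in later builds).
SUPPORTED_BUILDS = {"A": {"30.0.A.1.23", "30.1.A.1.33"},   # single SIM
                    "B": {"30.0.B.1.23", "30.1.B.1.33"}}   # dual SIM
# Model -> SIM variant letter in the build number, from the thread's lists.
VARIANT_OF_MODEL = {"E5603": "A", "E5606": "A", "E5653": "A",
                    "E5633": "B", "E5643": "B", "E5663": "B"}
# Stages a successful run prints, in order (taken from the transcript above).
EXPECTED_STAGES = ["Changing fd limit", "Changing process priority", "Getting pipes",
                   "Allocating memory", "Installing JOP", "Patching address",
                   "Patching addr_limit", "Removing JOP"]
SUCCESS_MARKER = "got root lmao"
ADDR_RE = re.compile(r"\[\+\] Patching address (0x[0-9a-f]+)")


def is_supported(model: str, build: str) -> bool:
    """True if `build` is one of the listed exploitable builds for `model`."""
    variant = VARIANT_OF_MODEL.get(model)
    return variant is not None and build in SUPPORTED_BUILDS[variant]


def verity_enabled(props: dict) -> bool:
    """'1' or '2' in partition.system.verified means /system is verity-protected (assumed)."""
    return props.get("partition.system.verified", "") in ("1", "2")


def parse_output(text: str) -> dict:
    """Grade a transcript: every stage must appear in order and the run must end in success."""
    lines = text.splitlines()
    stage_lines = [ln for ln in lines if ln.startswith("[+]")]
    pos, missing = 0, []
    for stage in EXPECTED_STAGES:
        while pos < len(stage_lines) and stage not in stage_lines[pos]:
            pos += 1
        if pos == len(stage_lines):
            missing.append(stage)          # never reached this stage
        else:
            pos += 1
    return {"success": SUCCESS_MARKER in lines and not missing,
            "missing": missing, "patched": ADDR_RE.findall(text)}


def adb_shell(*args: str) -> str:
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout


def preflight() -> dict:
    """Read the properties that decide whether running the test makes sense."""
    props = {k: adb_shell("getprop", k).strip() for k in
             ("ro.product.model", "ro.build.id", "partition.system.verified")}
    model, build = props["ro.product.model"], props["ro.build.id"]
    return {"model": model, "build": build, "supported": is_supported(model, build),
            "dm_verity": verity_enabled(props)}


def run_test(binary: str = "iovyroot") -> dict:
    """Push the test binary to /data/local/tmp, run it and grade the transcript."""
    subprocess.run(["adb", "push", binary, "/data/local/tmp/iovyroot"], check=True)
    adb_shell("chmod", "755", "/data/local/tmp/iovyroot")
    return parse_output(adb_shell("/data/local/tmp/iovyroot"))


# Constructed sample: the successful transcript from the post above, for offline checks.
SAMPLE_OK = """iovyroot by zxz0O0
poc by idler1984
[+] Changing fd limit from 1024 to 4096
[+] Changing process priority to highest
[+] Getting pipes
[+] Allocating memory
[+] Installing JOP
[+] Patching address 0xffffffc0011f52b0
[+] Start map/unmap thread
[+] Start write thread
[+] Spraying kernel heap
[+] Start read thread
[+] Done
[+] Patching addr_limit
[+] Patching address 0xffffffc003618008
[+] Start map/unmap thread
[+] Start write thread
[+] Spraying kernel heap
[+] Start read thread
[+] Done
[+] Removing JOP
got root lmao
Press any key to exit...
"""

if __name__ == "__main__":
    info = preflight()
    print(info)
    if not info["supported"]:
        raise SystemExit("build not in the supported list; Sony fixed it in newer builds")
    print(run_test())
```

Run it with the device attached and USB debugging on; a build like 30.1.A.1.46 is rejected before anything is pushed, and a transcript that stops before "Removing JOP" or never prints "got root lmao" is reported as a failure together with the stages that were not reached.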

I downgraded my phone and confirmed the 30.0.B.1.23 firmware is also working; only the single SIM firmwares remain to be tested.
@crisaegrim, @pren22, @ParotZ, could you guys test this if possible?

@mbc07 thank you so much for your work on this - really appreciated!
I'm on 30.1.A.1.46
If you need me to check something please let me know and I can take a look this weekend.

@icstm, could you downgrade to 30.1.A.1.33 and run a test with the tool I attached? Since both 30.1.A.1.33 and 30.1.A.1.46 are from the Android 5.1 release, you can downgrade with Flashtool without affecting your personal data...
And, in case you have spare time, could you back up your personal data and try the old 30.0.A.1.23 firmware too? This one is the old Android 5.0 release, so you'll need to wipe your data to test; if you just downgrade to this version (without wiping data) you'll probably end up in a bootloop...

Working:
[email protected]:/data/local/tmp $ ./iovyroot
./iovyroot
iovyroot by zxz0O0
poc by idler1984
[+] Changing fd limit from 1024 to 4096
[+] Changing process priority to highest
[+] Getting pipes
[+] Allocating memory
[+] Installing JOP
[+] Patching address 0xffffffc0011a72b0
[+] Start map/unmap thread
[+] Start write thread
[+] Spraying kernel heap
[+] Start read thread
[+] Done
[+] Patching addr_limit
[+] Patching address 0xffffffc054200008
[+] Start map/unmap thread
[+] Start write thread
[+] Spraying kernel heap
[+] Start read thread
[+] Done
[+] Removing JOP
got root lmao
[email protected]:/data/local/tmp #

@Androxyde, thanks for testing. What firmware version were you running when you tested? 30.0.A.1.23 or 30.1.A.1.33?
Thanks again

30.1.A.1.33
Sent from my E6653 using Tapatalk

Thread closed at OP's request

Related

[UTIL] QC Mobile Analysis Tool - Universal tool for QC mobile analysis (and HTC too)

QMAT - QC Mobile Analysis Tool
What is it ?
It is a development and debugging tool for Qualcomm mobiles - the only tool you'll ever need for research and development.
Who may need it ?
Mobile engineers / reverse engineers / cryptoanalysts / forensics
Crypto Functions :
- Calculate CRC-30, CRC-32, SHA1, SHA2 (SHA224 + SHA256), MD4 and MD5 of any file
- Bruteforce bytes to fit CRC-30 needed when qcsblhd_cfgdata.mbn was edited
- Decrypt and Encrypt any RSA-Message, including ASN-1 / SHA Signatures. (you can add publickeys to publickeys.xml)
- Calculate TEA/XTEA/DES/RSA in various modes (ECB, CBC, OFB, etc.)
- Generate RSA Private Key and create .pvk files
- Check firmware signature given Modulus and Exponent (for HTC and BQS mobiles)
- Extract information from .pvk files
- Search for algorithms in binary files (find cryptomethods + signatures) CRC8, CRC16, CRC32, MD4, MD5, SHARK, HAVAL, GZIP, ZIP, SHA1, ... and much more (you can add cryptosignatures to crypto.xml)
- Search for qc standard functions in binary files
JTAG Interface :
(soon via Segger J-Link)
Functions for QC mobiles :
1. Load binary files for :
Extraction of certificates
Extraction of BMPs,GIFs,PNGs, JPGs
2. Load Partition File to get overview about NAND/NOR structure
3. Send any String to a COM/USB Port and backup all your SMS !
4. Make usage of QCs Diag USB/COM Port Interface
(Useful for any QC mobile in the world)
5. Find SP and SPC and several other codes
6. CDMA Parameter Editor
Standard Features :
- Send standard diag commands or any hexadecimal command you want (database included)
- Read out all NVItems (range given)
(all that exist, more than QPST normally extracts)
- Backup and Restore all NVItems
- Read out and Dump Firmware in Memory (SRam)
- Read out complete EFS
- Switch to FTM Mode (or anything else you want)
- Get infos about phone, codes ..... etc ..... a lot more functions
- Generate SimSecure Command to write to SimSecure using given file (may brick your phone when used without knowledge)
- Full Feature EFS Browser
Bootloader / DownloadMode Features :
- Load any file to mobile at any address and execute (e.g. a bootloader)
- Read out complete NAND Memory using bootloader (range given) with included MSM6250/A bootloader or any given bootloader
Usage : Take out battery, put in battery, press ON # to enter emergency mode, Execute Loader
or (e.g. with SL91, SF71) enable FTM mode, Execute Loader
- Use any Download Mode or Bootloader Command to experiment
- Read application memory of newer Diag Ver 6 in Download Mode
- Show complete infos about used NAND after loading of Bootloader
Flasher Features :
Flash any QC mobile (OBL Multiboot) with given bootloader
- Flash PBL (dangerous), QCSBL, QCSBL Header and Config Bits, Partition, OEMSBL, OEMSBL Header, AMSS, AMSS Header and EFS
Functions for BQS only :
1. Load AMSS to extract files or useful infos
(EF81, E81C, EF91, SXG75, EF82, SF71, SL91 or similar ones)
Features :
Extract Infos from AMSS : USBID, Product.Nr., SVN, SwBuild, Mobiletype
Extract internal filesystem (mif,bar,sig etc. files)
Extract AMSS signature bytes (if production key)
Show all file references used by mobile
2. Check Firmware validity (signature)
3. Sim_Secure extraction/decryption (non-public)
4. Master-/Usercode/Unlock extraction and direct unlock (non-public)
Functions for HTC only :
1. Check validity of HTC firmware (signature check)
2. Cut out signatures from .nbh file
3. Split radio.nb into qualcomm files for analysis
4. Find HTC Public keys using Cryptosearch
5. Generate Security passwords (SPL + radio) for newer HTC
6. Generate NBH Files (you can add any device into devlist.xml)
7. Dump Files from NBH (you can add any type into nbhtype.xml)
8. Fix radio.nb checksum
9. Generic Bootloader / AT Command interface with logging functions
10. Generate goldcard for older and newer htc devices (newer one non-public)
Functions for Network Engineers - registered version
Network Calculators :
TDMA (GSM/UMTS) :
--------------------
IMEI
GSM A5-1
GSM A5-2
GSM A5-3
3G ECSD
GEA3 - GPRS
3G SNOW
3G UEA2
3G UIA2
GSM A3/A8 COMP128 V1
GSM A3/A8 COMP128 V2
GSM A3/A8 COMP128 V3
3G Milenage
3G Milenage Resync
CDMA :
-------
CAVE
CAVE Authentication
CAVE CMEA
CAVE EMEA
CAVE EMEA_NF
CAVE Wireless Residential Extension
CAVE Datakey / Look Up Table / Mask
CAVE DTC / DCCH
CAVE KSG
CAVE Long Block
CAVE Short Block
CAVE Enhanced Message
CAVE Enhanced Voice Privacy
CAVE Enhanced Data Mask
and much more ....
Planned in future :
1. Bugfixes
2. EFS Restore to Zip File
3. QC Jtag interface using Segger J-Link ARM
4. LNBS HTC support to replace MTTY
5. Tooltips showing real addresses in graphical window
6. CDMA Write functions
7. Read out / Write back Addressbook
8. Restore backed-up SMS to phone
9. much much more
NO UNLOCKING ! PLEASE DO NOT REQUEST. THIS PROJECT IS FOR EDUCATIONAL PURPOSES ONLY, NOT TO HARM COMPANIES FOR THEIR EFFORTS.
What we need :
- Any contribution to the project is welcome.
- Donations for new hardware and software for further development of this tool.
Link to the project files :
------------------------
Version 4.21 (Major Release) Stable
QMAT Homepage
Cya and keep on reversing,
Viper BJK
==> Donate via PayPal <==
See older threads here :
http://forum.xda-developers.com/showthread.php?p=2519683
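The "Bruteforce bytes to fit CRC-30" item in the feature list above is a generic technique, so here is an added example of it. This is not QMAT code and is not tied to the layout of qcsblhd_cfgdata.mbn, which the post does not describe. It goes beyond brute force: because a CRC is affine over GF(2), the effect of flipping each bit in a four-byte patch window is measured once and the combination that produces the required correction is found by Gaussian elimination, which works for any CRC width or polynomial. The parameters are assumed to be those of the CDMA CRC-30 (polynomial 0x2030B9C7, init and xorout 0x3FFFFFFF, MSB first); if the file in question uses a different variant, only the three constants change.

```python
"""Make an edited blob keep a required CRC-30 by rewriting four spare bytes.

Added example; not QMAT code. The thread only says QMAT brute-forces bytes
to fit CRC-30 after qcsblhd_cfgdata.mbn is edited, so no file layout is
assumed here. Assumed CRC parameters: the CDMA CRC-30 (poly 0x2030B9C7,
init and xorout 0x3FFFFFFF, MSB first); change them if the target differs.
A CRC is affine over GF(2), so the effect of flipping each of the 32 patch
bits is measured once and the right subset is found by Gaussian elimination
instead of up to 2^30 trials.
"""
POLY, WIDTH = 0x2030B9C7, 30
MASK = (1 << WIDTH) - 1
INIT = XOROUT = MASK


def crc30(data) -> int:
    """Bit-serial, non-reflected CRC-30 with the parameters above."""
    crc = INIT
    for byte in data:
        crc ^= byte << (WIDTH - 8)
        for _ in range(8):
            crc = (crc << 1) ^ POLY if crc & (1 << (WIDTH - 1)) else crc << 1
            crc &= MASK
    return crc ^ XOROUT


def solve_gf2(columns, target: int):
    """Bitmask of column indices whose XOR equals target, or None if unreachable."""
    basis = {}  # pivot bit -> (vector, mask of the columns that produced it)

    def reduce(vec, combo):
        for piv in sorted(basis, reverse=True):
            if vec >> piv & 1:
                vec ^= basis[piv][0]
                combo ^= basis[piv][1]
        return vec, combo

    for idx, col in enumerate(columns):
        vec, combo = reduce(col, 1 << idx)
        if vec:
            basis[vec.bit_length() - 1] = (vec, combo)
    vec, combo = reduce(target, 0)
    return None if vec else combo


def fit_crc30(data: bytes, target: int, window: int) -> bytes:
    """Rewrite the 4 bytes at `window` so crc30(result) == target; nothing else changes."""
    buf = bytearray(data)
    base = crc30(buf)
    deltas = []
    for bit in range(32):
        i, m = window + bit // 8, 1 << (bit % 8)
        buf[i] ^= m
        deltas.append(crc30(buf) ^ base)  # affine: independent of the other bits
        buf[i] ^= m
    combo = solve_gf2(deltas, base ^ target)
    if combo is None:
        raise ValueError("no 4-byte patch reaches the target CRC")
    for bit in range(32):
        if combo >> bit & 1:
            buf[window + bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


def demo():
    """Constructed input: change byte 5 of a 64-byte blob, then restore its original CRC."""
    original = bytes(range(64))
    wanted = crc30(original)
    edited = bytearray(original)
    edited[5] ^= 0xFF                      # the edit that invalidated the stored CRC
    edited = bytes(edited)
    fixed = fit_crc30(edited, wanted, window=60)   # last 4 bytes serve as the patch area
    return wanted, crc30(edited), crc30(fixed), fixed[:60] == edited[:60]


if __name__ == "__main__":
    wanted, broken, after, untouched = demo()
    print(f"wanted {wanted:#010x} edited {broken:#010x} fixed {after:#010x} rest intact {untouched}")
```

If the file stores its own CRC in a header, recomputing and writing the new value is enough; fitting bytes is for the case where the expected CRC is pinned elsewhere (for instance covered by a signature), which is the scenario assumed here. To confirm the parameters against a real file, compare crc30(b"123456789") with the check value a CRC catalogue lists for CRC-30/CDMA, or compare crc30() of an unmodified file with the value stored in its header.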
Small update :
--------------
New version 4.22 will feature :
- DECT DSAA algorithm
- OTA SMS Tools
Cya,
Viper BJK
New version 4.22 out
--------------------
What's new :
-------------
- Added DECT DSAA Algorithm to Network Calculators
- Fixed Bug in Security Password Retrieval
Cya,
Viper BJK
I am going to implement Jtag to QMAT, so we need Beta Testers.
Are you :
1. Using Segger J-Link ARM or any clone (H-Link, JT-Link, etc..) ?
2. Experienced in Jtagging ?
3. Have a phone ready to jtag using a MSM Chipset (jtag pinouts etc. available) ?
Then join the QMAT Jtag beta team, mail your JTAG Serialnumber to [email protected].
Cya,
Viper BJK
Small update :
--------------
Right now we're doing a lot of bugfixes regarding SPC / SP and usercode search, but also a lot of bugfixes for EFS read. EFS read will now be done fully automatically. Of course, we take bugs seriously, and due to official support of the LG KS20 in the next QMAT release, we are also fixing all those nasty timeouts that messed up some extracted data.
So right now, it's bugfixing weeks. After that we will continue on jtag interface and all other feature requests you brave people sent us.
Cya,
Viper BJK
What about the KU990 (which has an MSM6280)?
I guess KU990 will also be fine
But I can only give official support for ks20, as it's the only lg mobile I got here to work with.
Cya,
Viper BJK
Right now we're doing some beta testing qmat 4.23.
After all issues are fixed, there will be another great release including a lot of improvements and features.
Cya,
Viper BJK
New version 4.23 out
--------------------
What's new :
-------------
- Complete Com Rewrite, fixing timeout issues
- Read Memory in Download Mode / Display Memory Partitions in Download Mode (even ones other tools cannot download)
- Find SP password in non standard QC AMSS Firmware
- CRC30 bugfixes
- Added SP function detection
- Automatic EFS read size detection
- Usercode search / Advanced SPC search
- Official LG KS20 support
- Load QC Bootloader in HEX and get address automatically
- EFS Backup to ZIP bugfixes
- EFS Read Factory Fixes
- Bootloader NAND read bugfixes
- a lot more ...
Cya,
Viper BJK
Small update on progress :
--------------------------
"Uhoh ... bad things happen and sometimes the world isn't perfect."
This message is intended for those who work with QC EFS and QMAT.
Several ways to read out EFS exist, and the one from QMAT wasn't perfect at all. Sometimes sniffing USB data gets you nowhere... we had to act professionally. In fact, after some heavy research and reversing of firmware, I can now confirm that there is not only "ONE" EFS read at all.
So the next version to be released will hopefully introduce two-way EFS for the EFS explorer, to be used with all known QC types. And of course I had to write a lot of fixes for EFS RAW/Factory read that I didn't know about before....
Expect the next version 4.24 to be not only a lot more stable than all versions before... but also to feature a REAL EFS dump.
Cya,
Viper BJK
Small update :
--------------
Boys and girls,
version 4.24 will be really new. I rewrote the complete COM/USB port stack and added a lot of new features, like a new command database, GUI improvements, EFS generic and subsystem browsing, safe factory EFS, a new bootloader interface, etc....
Trust me, this version will fix a lot of crashes and hangs.
To catch any bugs still in it, we're doing severe bug testing right now.
Cya,
Viper BJK
As we wish to make a good working and much better QMAT,
we start a Beta Tester Program.
What advantages do you get :
- Be the first to get unofficial versions
- Be productive and make QMAT more user-friendly
- Get a discount on special modules
- Get your phone working with QMAT
- Increase your knowledge regarding qc technology
Why it is important for us :
- Make more phones work with QMAT
- Fix any existing bug and make QMAT more stable
If you're interested, please write a PM to me, with subject "QMAT Beta Tester" and a short introduction of yourself
(where you are from, if you are a user / programmer / reverse engineer, why you want to be a beta tester, what phones with qc chipsets you have to test)
Thanks,
Viper BJK
QMAT Beta Tester
I saw it in the original forum, and to start, I'm from Bulgaria (South-Eastern Europe), interested mostly in replacing/messing around with LG's AMSS system; the bootloaders will be great, but I'm a realist so the illusions are out. I have a KU990. I'm not a real reverse engineer, but I know basic stuff (I was developing in PHP for about a year) about how the system works.
Well the more beta testers we have, the better
Small update :
--------------
Version 4.24 is almost done and about to be released at the end of the week, approximately. It seems it is a lot more stable and works way better than any QMAT version ever before.
Finally, we were able to reverse the whole EFS read, add a new alternate EFS factory read for newer MSM >8xxx, add EFS browsing not only for generic devices but also for devices with only subsys... and of course added features like rename directory / change modes.
Also we did some gui changes for easy recognition of diag commands.
You can now even cancel running diag processes ! *thanks to adfree for the hint*
So expect Version 4.24 to bring you great new features and more stability
Cya,
Viper BJK
New version 4.24 out !
---------------------
What's new :
-------------
-Severe Com Port fixes
-EFS alternate read for newer MSM to be released
-GUI changes - EFS Browsing
-Severe bugfixes thanks to beta testing team
-Factory EFS read
-Improved speed of Usercode/SPC search (by 0x1000)
-Button to stop current com port function
Cya,
Viper BJK
New version 4.25 out !
----------------------
What's new ?
-------------
-EFS Browse Bugfixes
-PRL Read/Write
-GUI Improvements
-Bootloader Bugfixes
-SimSecure Bugfixes
-Byte Cutter Bugfixes
-Cmd Byte for different NVItem Read
-Signature Search / SP / SPC Search improved
-EFS Raw Read Fixes
-Added option to add vendor specific commands
-Added support for newer Samsung CDMA
-Added ECC Calculation (Hamming, Toshiba, Reed Solomon)
Cya,
Viper BJK
New version 4.26 out !
----------------------
What's new ?
-------------
- Added new goldcard generation to registered users
- Implemented new registration scheme
- Added rudimentary IDC Script generation for IDA with Function/Algorithm Search (put in output directory as results.idc)
- Function/Algorithm Search is now able to use "??" instead of "FF" as wildcards in .xml files function.xml and crypto.xml
- Added new ECC algorithms
- Several bugfixes
Cya,
Viper BJK
New version 4.27 out
............................
What's new ?
-------------
- Fixed QMAT not starting on several PCs.
Cya,
Viper BJK
New version 4.28 out
.............................
What's new ?
-------------
- JTAG fixes
- Fixed encap files speed
- CID is now called Country ID (GUI improvement)
- New functions added to function-database
Cya,
Viper BJK

[Q] Root help needed

Hi
I'm in dire need of assistance with rooting my Desire HD. The phone recently had an OTA update to Gingerbread from T-Mobile in the UK. I have done a lot of reading regarding downgrading and rooting and came to the conclusion that the correct guide to use was this: http://forum.xda-developers.com/showthread.php?t=905003 - How to downgrade 1.7x/1.8x/2.x to 1.32.405.6, following the Gingerbread section using GingerBreak. Since my phone was branded to T-Mobile, I also made sure I made a gold card. So with my goldcard in place and the GingerBreak instructions I set off, but I get to the same point every time.
$ ./data/local/tmp/GingerBreak
./data/local/tmp/GingerBreak
[**] Gingerbreak/Honeybomb -- android 2.[2,3], 3.0 softbreak
[**] (C) 2010-2011 The Android Exploid Crew. All rights reserved.
[**] Kudos to jenzi, the #brownpants-party, the Open Source folks,
[**] Zynamics for ARM skills and Onkel Budi
[**] donate to [email protected] if you like
[**] Exploit may take a while!
[+] Plain Gingerbread mode!
[+] Found PT_DYNAMIC of size 232 (29 entries)
[+] Found GOT: 0x00014360
[+] Using device /devices/platform/goldfish_mmc.0
[*] vold: 0000 GOT start: 0x00014360 GOT end: 0x000143a0
It just sits here and does nothing. I've formatted the card, rebooted the device, left it running over night - still sits here.
Please please can someone point me in the right direction
Thanks in advance
I'm no expert but I reckon it's something to do with your goldcard? Maybe you didn't create it properly or when using the hex editor you did something wrong. I would start from the beginning again and go step by step when doing the goldcard part.
I'm also no expert, but I know it has nothing to do with your goldcard.
What is your HTC firmware build version? 2.3x? 2.36+ cannot be rooted using GingerBreak, and there is no known exploit yet.
If you're on 2.36 then perform a factory reset & try again.
Andy, thanks, that answers my question perfectly. I'm on 2.37 so it's just a matter of waiting...
Thanks again, I thought I was going mad
Nick

Since XXKK5 Update over the Air aka FOTA for S8500/S8530 AND S8600

S8500XXKK5 is able to update Firmware over the Air... See here:
http://forum.xda-developers.com/showpost.php?p=19663390&postcount=17
This is DELTA files stuff... Header:
BPDZ
Seen in several Firmware packages...
Main file is in:
User\Mass\SyncML\Fota\*.cfg
5 MB
Additional files are in
User\SyncML\*.cfg
You can choose LATER (with a reminder) to back up the files.
The handset now creates NEW files like apps_compressed.bin.
Around 5 Minutes... See Video:
http://www.youtube.com/watch?v=jhKquCccyD8&feature=player_embedded
Now I have a JTAG dump of KKV...
I will upload soon apps_compressed.bin for study...
Best Regards
Edit 1.
CONFIRMED devices:
Code:
S8500 DBT
S8530 XEF
S8600 XEF
KKV is FOTA Demo... internal test maybe...
In apps_compressed only 1 byte changed...
http://www.megaupload.com/?d=6UKRP1YY
Attention! This is not for Multiloader, as it is already decrypted...
Taken from JTAG dump...
Decompress possible with TriX for instance.
RC1 also seems changed...
Will also check the QMD part of CSC...
The Samsung logo from RC2 is visible... it is reversed during boot.
Best Regards
In CSC QMD part...
14 times Flight Mode into FLIGHT MODE...
RC1... not exactly sure about changes...
Both files included... maybe the RC1 dump is not cut exactly at the end...
http://www.megaupload.com/?d=Q1L5P3BV
If Bootloader is also affected, I'll test sooooon.
Again, NOT for Multiloader, only for Research.
Best Regards
P.S.:
Yes, it is possible to make a valid file for Multiloader... but...
Major changes in Boot... dbl not checked... toooo lazy now...
I have removed the 128 KB from JTAG dump for better comparing.
NOT use in Multiloader!!!
You can brick your handset.
So I think this is evidence once more that FOTA is very powerful...
Best Regards
Thank you adfree for your hard work
I think it is time for someone to continue this from that point
Of course if you can do more you are more than welcome
So the compression algorithm is in the phone FW now somewhere .....
Apps_compressed.bin or FOTA ?!!!!
this Algorithm is wanted dead or alive
Best Regards
Nice news, there's a different boot and I've found the source, I'll post it later.
They use Nucleus for the crypto source; embeddedXen 3.1.3, it's a virtual machine.
https://rapidshare.com/files/239917171/crypto.7z
All files from your boot file, adfree, are in it. There's the complete kernel source I can upload; of course for now I upload just partial source. This is the 2002 revision 1.3 but I see 3.1.3 exists and some compiled it, need to search more.
The latest version is 4, you can find the source here:
http://embeddedxen.git.sourceforge....9c15b5bd0ccc08732577063836662835c3dc5;hb=HEAD
but our version of boot is compiled with version 3.1.3
So are you saying source code, or something like on Android?
No, this is some source code about crypto on boot in a virtual machine.
... tell me what all we can do with this new discovery...
Ho1od or Rebellios can take a look at it and maybe find some trick; it's not for us but for training, also for decrypting some boot system, all of it is important.
On KK5 S8530 I was not able to download anything...
DMSetup.ini
Code:
#Settings
FirmwareMaxSize=98304
I think this means maximum 98 MB for Delta... in KK5.
From bada 1.0 JE7...
Code:
FirmwareMaxSize=10485760
Btw...
In the Internal Menu you can access a few Settings...
http://forum.xda-developers.com/showthread.php?t=906966
Best Regards
Code:
HttpReqInternal: Proxy address is 0, so conver to NULL
HttpReqInternal : HTTP[ 0 ] - https://www.ospserver.net/device/fumo/agreement/IMEI:YOURS ! Caution (smlCommonHttp.c : 373)
With WinComm you can log few things...
http://forum.xda-developers.com/showthread.php?t=928170
For connection to Server your IMEI is sent...
Best Regards
those who pass me the update that does not come out more 'on Fota?
thanks
It seems nearly all files are affected by this "update" to KKV...
In amss.bin also a few bytes in the name changed...
Code:
Q6270B-KPUBL-9.9.99999
dbl.mbn seems to be the only untouched file.
Except that FFS, CSC, APP are nearly impossible to compare...
Maybe in 1 of the cfg files are details about the changes... and files involved....
@ DevilM
Not exactly understood... sorry. BUT...
"We" are not sure how and who is able to download KKV...
Maybe you need luck, or maybe access limitation by:
- time... maybe only from 5 - 7 morning
- maybe only 100 "user" can access at same time Server...
I don't know. Sorry.
Best Regards
FirmwareMaxSize=98304
It's probably max 96KB for delta file.
FirmwareMaxSize=10485760
is 10MB
I found the Quram compression routine in the XPKJ1 FOTA module. But it's partial and very, very huge. It probably supports only one type of compression, likely for Rsrc or some libraries. Do you think it's possible for you to dump the S8500XXKKV delta and send it to me?
Probably FOTA updates do support the following commands:
ROM:473277CC DCD aDelta_op_image_updat ; "DELTA_OP_IMAGE_UPDATE"
ROM:473277D0 DCD aDelta_op_image_upd_0 ; "DELTA_OP_IMAGE_UPDATE_COMP"
ROM:473277D4 DCD aDelta_op_image_upd_1 ; "DELTA_OP_IMAGE_UPDATE_ENGINE"
ROM:473277D8 DCD aDelta_op_file_create ; "DELTA_OP_FILE_CREATE"
ROM:473277DC DCD aDelta_op_file_overwr ; "DELTA_OP_FILE_OVERWRITE"
ROM:473277E0 DCD aDelta_op_file_modify ; "DELTA_OP_FILE_MODIFY"
ROM:473277E4 DCD aDelta_op_file_remove ; "DELTA_OP_FILE_REMOVE"
ROM:473277E8 DCD aDelta_op_symlink_cre ; "DELTA_OP_SYMLINK_CREATE"
ROM:473277EC DCD aDelta_op_symlink_ove ; "DELTA_OP_SYMLINK_OVERWRITE"
ROM:473277F0 DCD aDelta_op_symlink_mod ; "DELTA_OP_SYMLINK_MODIFY"
ROM:473277F4 DCD aDelta_op_symlink_rem ; "DELTA_OP_SYMLINK_REMOVE"
ROM:473277F8 DCD aDelta_op_dir_create ; "DELTA_OP_DIR_CREATE"
ROM:473277FC DCD aDelta_op_dir_remove ; "DELTA_OP_DIR_REMOVE"
guess it's enumerated from OP_IMAGE_UPDATE = 0
IMAGE_UPDATE_COMP = 1
and so on.
Also a question, have you ever met "GCE" or "GLS" magic string in some files related to compression? Looks like compression method or what.
//edit:
Something about the FOTA origin, probably:
http://www.ospserver.net/terms/terms.html
That server is probably defined somewhere in SystemFS.
Oh, found this in Debug folder... Logfile
Code:
FOTAMGR > QuramMduceBEraseBlock: startBlk(1), blk_num(1), idx(0), physical addr(0x01140000), size(0x00040000)
FOTAMGR > QuramMduceBWriteData: addr(0x00040000), size(0x00004000), idx(0), physical addr(0x01140000)
FOTAMGR > QuramMduceBWriteData: addr(0x00044000), size(0x0003c000), idx(0), physical addr(0x01144000)
Do you think it's possible for you to dump S8500XXKKV delta and send to me?
I'll sleep on it.... too paranoid...
Only 3 users have the KKV update... 2 in Germany...
IP + IMEI + I don't know what else is stored in these files...
Ah, forgot my phone number...
Best Regards
From KK5 it's possible to update to KK6...
And KK7 is also updateable... to KKV...
XXKK5
Code:
Type : Unofficial Version
Number : 1127
Builder : superuser
Host : S1-AGENT08
Date : 2011/11/22
Time : 21:04:33
Size : 42730876 bytes
CheckSum : 0xf4ff0762
XXKK6
Code:
Type : Unofficial Version
Number : 1155
Builder : superuser
Host : S1-AGENT08
Date : 2011/11/25
Time : 22:35:35
Size : 42730876 bytes
CheckSum : 0xf4f72020
It seems you need the exact procedure and/or it's only possible once after a complete flash with Multiloader... then you can download FOTA...
My steps:
1.
Firmwareupdate via Multiloader!
2.
During first initial Steps... Choose ENGLISH as language
3.
Timezone seems irrelevant... I choose Bermuda...
4.
Ok... Ok...
Now you are able to navigate in menu...
5.
WLAN/Wi-Fi ... no need of active SIM... enter your Password to establish connection to Wi-Fi
6.
Go to Settings->Accounts
Config your Samsung Account
Now you could test if ... but I think no connection... only
You need to RESTART your handset... OFF... ON
After finish of Boot, maybe wait short... then:
Settings->General->Software update
Don't forget to choose Wi-Fi
Please. I need someone to compare files.
Please, after the download, choose LATER... to back up the folder:
Code:
User\Mass\SyncML\Fota\*.cfg
5 MB +
Additional files are in
User\SyncML\*.cfg
NOT upload public, please contact me in private via PM.
Thanx in advance.
Best Regards
After my KK5 Multiloader update... now received 3 packages...
KK5->KK6->KK7->KKV
Last one not installed yet... maybe I'll wait little bit to get KK8 or something like this.
Hmmm. Not sure how final FOTA will work... but it seems you can only jump in minor steps...
As fantasy example:
If your device has "KK1" and latest Firmware is KK9... then maybe you have to download and install first:
KK2
KK3
.
.KK8
Each package about 5 MB...
Best Regards
OTA updates are available for Germany, Italy, UK and another 2 countries I forgot only..... also OTA install of the apps
so I got 0 chance to get such updates
Best Regards
so i got 0 chance to get such updates
Not tested yet... if a SIM card is mandatory in the device... (maybe I'll remove it for a test)
BUT my SIM card is no longer active... all actions over Wi-Fi...
Also not many users from Europe (or Germany) report success...
I can only count 3 user from Germany... 1 from Romania...
We will see...
I hope more user can confirm working FOTA.
Thanx.
Best Regards

[XAP + SDK] WP7 Root Tools 0.9

Download: www.wp7roottools.com
Today I am proud to announce the immediate availability of WP7 Root Tools 0.9 alpha and WP7 Root Tools SDK 0.1!
WP7 Root Tools 0.9 brings true Root Access to devices with stock ROMs, but it also works on devices with custom ROMs and Full Unlock. Your device needs to be Interop Unlocked to use WP7 Root Tools!
This is still an alpha-release, because there are a lot of new hacks and the tools are still not feature complete! I have rewritten about 75% of all code from the previous release. So before you install WP7 Root Tools you should make a backup of your device. WP7 Root Tools will make changes to system settings and, although this has been tested, it is still possible that a problem occurs. In that case you want to have a recent backup of your device. Installing WP7 Root Tools will be your own responsibility. The author of WP7 Root Tools and the SDK cannot be held responsible for any damages caused directly or indirectly by installing and using WP7 Root Tools or the SDK!
Windows Phone is a closed system to protect the user and his/her personal data from malware and to protect the intellectual property of the developers. The downside of this closed system is that homebrew developers are very limited in their ability to control and tweak a Windows Phone device. With WP7 Root Tools I attempt to open up the system in a gentle way, so that users stay in control of their device, while homebrew apps can get more control to get the maximum power out of your Windows Phone device!
WP7 Root Tools 0.9 now has a File Explorer, Registry Editor, Certificate Installer and a Policy Editor! Thanks to true Root Access on Windows Phone, this new version of WP7 Root Tools will work a lot faster than previous releases and it supports a lot more devices!
WP7 Root Tools should work on these devices:
- Samsung first and second generation devices
- LG devices
- HTC first generation devices with Mango v1 drivers (SPL 4.x or lower)
- Samsung first generation devices with custom ROM and Full Unlock
- HTC first generation devices with custom ROM and Full Unlock
On devices with stock ROMs, WP7 Root Tools needs to install Root Access. The first time it runs, a 2-phase installation will start. The app will inform you to start the first install phase. Then the device will reboot after a few seconds. After the reboot you need to start WP7 Root Tools again immediately! Then the second phase of the installation will start and your device will be rebooted again. After the second reboot you are ready to use WP7 Root Tools. You can use the Policy Editor to give other homebrew apps a "trusted" status. With this you give the app Root Access privileges. So be very careful about which app you give Root Access!! You are responsible for giving access to an app! If you are not sure, read the forums to decide if an app is trustworthy.
I also created an SDK, which developers can use to profit from Root Access. It provides a way to gain access to the filesystem and the registry (and more) from their managed Silverlight application. No need to worry about COM interop and C++ anymore! The package contains a read-me with short instructions. More details and examples will follow soon! Over the last days Rafael Rivera from the Chevron WP7 team has tested the SDK and he is finishing up the first homebrew app that will use my SDK. He is planning to release his Backup-app soon.
I also need to thank some people for making this possible:
- My wife! (for having to put up with me while doing all this hacking!)
- YukiXDA (for helping me with research on policies)
- Justin Angel (for sending me a NOKIA)
- Cees Heim (for supplying an HTC device for testing)
- Rafael Rivera and Chevron WP7 team (for pioneering WP7 Unlocking)
- HD2Owner (for helping me make custom ROMs for testing)
- fiinix (for helping me with research on policies)
- Ultrashot
- xb0xm0d
- AndrewSh
- Ondraster
- Barin
- Football
- Cmonex
- GoodDayToDie
- Jaxbot
- Dennis Wilson
I will update the guides and manuals on www.wp7roottools.com and here on XDA in the coming days. I need some time to update all of it.
Have fun with Homebrew now!
Heathcliff74
Thank you for your hard work.
SO AWESOME!!! Thank You SOOOO Much!!!
Big thanks for all your work, man! Thanks, thanks, thanks...
Previous Versions
Thanks for your great work. Do we need to uninstall previous versions before installing the latest version? I have .8, how do I install .9?
Great news, thanks a lot! Successfully installed on Focus and Surround, no problems at all.
But I've tried "BT file transfer" and "Opera mini" (after install I enabled "trusted" status for the apps): both apps are not working properly. Should we expect updated versions of these apps (built with your SDK), or is it some other issue?
Fantastic work, Heathcliff74. Oh man, this is going to be awesome.
Suggestion: use one of your reserved posts to compile a list of trusted apps that benefit from policy elevation.
Two that I've found so far (one of mine):
Root Webserver (in my sig) - runs better with Root Tools than ever before.
TouchXperience - gives way more access through WPDM.
Two others that are in development:
LockWidgets - the preview build has some bugs, but it can be run with Root Tools.
XapHandler - the test build has some known issues (can't install or update if the app is already installed) but fresh install works at least some of the time.
Awesome work! I can confirm that the install works perfectly on an LG Quantum.
Big day!
I need some free space in C:/ to make a backup.
sensboston said:
Great news, thanks a lot! Successfully installed on Focus and Surround, no problems at all.
But I've tried "BT file transfer" and "Opera mini" (after install I enabled "trusted" status for the apps): both apps are not working properly. Should we expect updated versions of these apps (built with your SDK), or is it some other issue?
WP7 Root Tools will give Root Access to Silverlight apps. DFT BT and Opera Mini both use native executables. You can't give the executables root access with WP7 Root Tools (in fact, you only give the launchers Root Access). These apps could possibly be recompiled to run under TaskHost.exe (as all Silverlight apps do), but I'm not sure about the inner workings of the apps. You'd have to ask the developers.
I will investigate this matter. With all the hacks I have now, I should be able to give Root Access to executables too, but that needs more research.
Ciao,
Heathcliff74
@sensboston: Those tools both require additional native binaries. WP7 Root Tools elevates apps, including all the DLLs they load (which is how the SDK works - it's a homebrew DLL, similar to the old Native.dll and company). However, it doesn't work with out-of-process binaries. Opera requires an EXE (which is obviously its own process) and BT File Transfer requires a driver.
In theory, supporting these would be possible. They'd need to be signed, and the certificates added to the Code Integrity store, but that's already possible. However, they'd also need new policies added. The current version of Root Tools only supports modifying the policies for installed TaskHost (Silverlight/XNA, possibly including some native code) apps, not adding policies for other apps.
BTW, although it's very limited, it turns out that Application.GetResourceStream can be used on files outside the app (with sufficient permissions). That means, if you want to write an app that only needs to access existing files at known locations, you don't even need to mess with native code... although the Root Tools SDK will make it quite easy to do such apps anyhow.
Thanks Heathcliff.
Thanks, man, for this wonderful piece of work.
Heathcliff74, installed on my Omnia 7. Thanks a lot for your hard work.
JamesAllen said:
Thanks for your great work. Do we need to uninstall previous versions before installing the latest version? I have .8, how do I install .9?
You can just reinstall. No need to uninstall. From this new version on (versions after 0.9) you'd better do an "UPDATE". Not all xap installers support updating. A lot of them will do a full install cycle. If you do a full install cycle, you'll lose the permissions and you will have to do the 2-phase install sequence again. If you do an in-place update, you will keep the permissions and everything keeps working as expected.
Heathcliff74
Damn, doesn't work for me.
Verizon HTC Trophy
OS 7.10.8107.89
Firmware: 2305.13.20110.605
Hardware: 003
Thanks for the work! Hopefully I'll see support later. I probably updated to the HTC v2 drivers at some point.
dreamcaster012 said:
Damn, doesn't work for me.
Verizon HTC Trophy
OS 7.10.8107.89
Firmware: 2305.13.20110.605
Hardware: 003
Thanks for the work! Hopefully I'll see support later. I probably updated to the HTC v2 drivers at some point.
Hmm, are you Interop Unlocked? I'm no expert with HTCs, but that version number looks like your drivers are not that new and could possibly be supported. If you are not Interop Unlocked, then read the opening post of my Interop Unlock thread. At the end of that post is a section specifically for Verizon Trophys.
Heathcliff74

[TOOL] adbDumper (utility for backup firmware of Android devices)

adbDumper
Utility for backing up the firmware of Android devices
Version 0.93.0.1 Windows
The utility is designed to get dumps from devices based on Android OS.
Notes:
!!! ROOT rights are required !!!
Known bugs:
Old versions:
Attachment: adbDumper_0.92.0.1.zip
New version (0.93.0.1 Windows) ready
+ an alternative method to get a list of block devices has been added;
+ an alternative method for obtaining the size of block devices has been added;
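The steps adbDumper automates, done by hand in POSIX shell as an added example (this is not adbDumper's code, and the thread does not say which two methods the tool uses). It enumerates block devices from a /proc/partitions listing, derives each size two ways (/proc/partitions counts 1 KiB blocks, /sys/class/block/NAME/size counts 512-byte sectors) so the two can be cross-checked, dumps a partition over adb as root, and verifies the dump length. The /proc/partitions listing in the script is constructed, the device names and the 4096-byte dd block size are this example's choices, and `su -c` is assumed to be the way to run a command as root on the device, as the tool's own ROOT requirement implies.

```shell
#!/bin/sh
# Added example, not adbDumper's code. Nothing below touches a device
# until dump_partition is called explicitly.

# Constructed /proc/partitions listing (not from a real device), as
# "adb shell cat /proc/partitions" prints it. Sizes are in 1 KiB blocks.
SAMPLE_PARTITIONS='major minor  #blocks  name

 179        0   15634432 mmcblk0
 179        1       1024 mmcblk0p1
 179       25      32768 mmcblk0p25
 179       26    1048576 mmcblk0p26
'

# list_parts: device names from a /proc/partitions listing read on stdin,
# skipping the header line and the blank line that follows it.
list_parts() {
    awk 'NR > 1 && NF == 4 { print $4 }'
}

# part_bytes NAME: size in bytes of NAME from a /proc/partitions listing on
# stdin (1 KiB blocks * 1024). Exit status 1 if NAME is not listed.
# %.0f rather than %d so whole-disk sizes above 2^31 print correctly in awk.
part_bytes() {
    awk -v want="$1" '
        NR > 1 && $4 == want { printf "%.0f\n", $3 * 1024; found = 1 }
        END { exit found ? 0 : 1 }'
}

# sectors_to_bytes SECTORS: the second size source, /sys/class/block/NAME/size,
# reports 512-byte sectors. Compare its result with part_bytes before dumping;
# a mismatch means one of the two views cannot be trusted on that device.
sectors_to_bytes() {
    echo $(( $1 * 512 ))
}

# verify_size FILE EXPECTED_BYTES: exit status 0 only if FILE is exactly
# EXPECTED_BYTES long. A transfer cut short by a USB hiccup or by su timing
# out still leaves adb with exit status 0, so the byte count taken from the
# device beforehand is the only reliable completeness check.
verify_size() {
    [ "$(wc -c < "$1" | tr -d ' ')" -eq "$2" ]
}

# dump_partition NAME OUT EXPECTED_BYTES: stream /dev/block/NAME to OUT and
# verify its length. "adb exec-out" passes raw bytes; "adb shell" would go
# through a pty and mangle binary data. Block devices are root-only, hence
# su -c. dd's status lines go to stderr, so the image on stdout stays clean.
dump_partition() {
    adb exec-out "su -c 'dd if=/dev/block/$1 bs=4096'" > "$2" || return 1
    verify_size "$2" "$3"
}

# Typical use against a real device (not executed here):
#   adb shell cat /proc/partitions > parts.txt
#   for p in $(list_parts < parts.txt); do
#       dump_partition "$p" "$p.img" "$(part_bytes "$p" < parts.txt)" \
#           || echo "short or failed dump: $p" >&2
#   done
```

Dump the whole disk (mmcblk0 here) as well as the individual partitions: the partition table itself is only in the raw disk image, and it is what you need to map partition names back to offsets when restoring.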
Hello, I dumped with adbDumper.
Edit: fixed.
