Dumped RDC file from a RM-1063 prototype - Windows 10 Mobile

I was able to dump the RDC that is provisioned to my 640 XL prototype. I dumped it and renamed it with a .bin extension. I have a couple of questions for those that know more about it, as I currently know little.
1. What is the RDC file, meaning what does it consist of? Or how is it used?
2. Where is it written when writing it from thor2? Or where is it stored on the phone?
3. Can it be re-used or is it good only for the one device it is provisioned to?
So, I am not sure if "dump" is the correct term to use here, as the command from thor2 would include the option -readrdc which sends it to a file that you choose...So it is reading something from the phone and generating a file...
I opened the file in a hex editor but see little about its contents. It is small in size, about 804 bytes. I tried to write it to a different device of the same model but it failed with a specific error: "Certificate error 25 (0x19) (0)".
Thanks.

Where to get prototype phones?

nate0 said:
I was able to dump the RDC that is provisioned to my 640 XL prototype. I dumped it and renamed it with a .bin extension. I have a couple of questions for those that know more about it, as I currently know little.
1. What is the RDC file, meaning what does it consist of? Or how is it used?
2. Where is it written when writing it from thor2? Or where is it stored on the phone?
3. Can it be re-used or is it good only for the one device it is provisioned to?
So, I am not sure if "dump" is the correct term to use here, as the command from thor2 would include the option -readrdc which sends it to a file that you choose...So it is reading something from the phone and generating a file...
I opened the file in a hex editor but see little about its contents. It is small in size, about 804 bytes. I tried to write it to a different device of the same model but it failed with a specific error: "Certificate error 25 (0x19) (0)".
Thanks.
An RDC file is a research and development certificate tied to the device hardware it came with. It will only work on the device it was shipped with, having the same IMEI, hardware serial number and everything unique; you can't use them with other devices at all.

@gus33000
I was almost certain it was unique to the device it was installed in. Does it reside on the boot partition? Thanks for sharing.

nate0 said:
@gus33000
I was almost certain it was unique to the device it was installed in. Does it reside on the boot partition? Thanks for sharing.
It's in DPP along with all other provisioned data specific to the phone. You won't be able to do anything with it, so just abort; you'll lose time and you'll most likely brick devices.

Was only wanting to know more about it. Thanks again.

nate0 said:
Was only wanting to know more about it. Thanks again.
Also, as a tip, never overwrite MODEM*, SSD, and DPP with the ones from another phone; it will be destructive for prototypes. I advise you to make a full backup of the prototype eMMC first, before doing anything (even if it's just reflashing with an FFU, it's very important to back everything up in mass storage using something like Win32 Disk Imager). If you however for some reason ever end up with the wrong MODEM*, DPP and/or SSD, boot to the flash app, switch to download mode, send the emergency payloads for that device RM, and write the RDC; writing it without DLOAD won't work.

DPP is the one nice to work with, but never copy and replace; delete and eventually copy over onto it.

I need this file

Can you help?

Kidsnet said:
I need this file
I sold this phone along with dozens of other Lumias and Windows Phones over 2 years ago. I do not own the phone anymore, and I am unlikely to find that RDC file, if I even backed it up. It would be almost to you unless you are the new owner of this exact device that I dumped it from. Are you planning to use the file for any other reason?

I got a refurbished mobile that came locked, so I have to flash it since it's demanding a protection key, so I need help.
nate0 said:
I sold this phone along with dozens of other Lumias and Windows Phones over 2 years ago. I do not own the phone anymore, and I am unlikely to find that RDC file, if I even backed it up. It would be almost to you unless you are the new owner of this exact device that I dumped it from. Are you planning to use the file for any other reason?

Kidsnet said:
I got a refurbished mobile that came locked, so I have to flash it since it's demanding a protection key, so I need help.
They are coming already locked, or if there's any tool I can download so that it will vo well with m

Sounds like the lock you are seeing is like a safety-net lock. Someone must have had Windows on it but logged in with their account in Windows 10 Mobile and set up Reset Protection with their Microsoft account. There is a method to remove that, but it is quite dangerous and could ruin the phone.
There is a way to bypass it, though, as a workaround so that you can use the phone, but every time you hard reset it, it will lock back.

nate0 said:
Sounds like the lock you are seeing is like a safety-net lock. Someone must have had Windows on it but logged in with their account in Windows 10 Mobile and set up Reset Protection with their Microsoft account. There is a method to remove that, but it is quite dangerous and could ruin the phone.
There is a way to bypass it, though, as a workaround so that you can use the phone, but every time you hard reset it, it will lock back.
@Kidsnet this is especially a problem for a Lumia 640/640 XL, because what happens is that if they upgraded it to Windows 10 Mobile and enabled the protection but you reflash it back to Windows Phone 8, it is unlikely you'll even get a workaround to get into the phone, since the provisioning of W10M and WP8 is completely different.

Related

Zune HD ROM Dump

Here we go!
3 Relevant partitions on the Zune HD:
ZBoot
NK
EXT
(there's actually a 4th partition, but it's a recovery partition for NK to facilitate fail-safe updating)
Enjoy
(a note: some files appear to be damaged; it's my first time dumping a CE 7/Zune HD ROM)
(another note: thanks to nd4spd for getting the ROM update to me, I don't have a Zune HD)
wow I'll take a look.
Anything usable?
These executables are designed for CE 7 and more than likely will not work at all on CE 5 (although things coded for .NET might)
Really, you tell me, though, I haven't actually tried
Awesome! Subscribed...
Wait...so you're telling me it might be possible to create custom roms on the zune hd?!?! i need them to come out with a 128 gb model asap then...
WOW....they were trying to dump a zune rom for years.... so this means the protection on the zune HD is not nearly as strong as the regular zune...this is good news indeed...Mine is on backorder still =x
Another quick Q, did you dump that yourself or find it somewhere?
been trying to find this for a few weeks
looking forward to see what can be done!
are the keyboard files in a format that we can use on windows mobile phones?
votum said:
Another quick Q, did you dump that yourself or find it somewhere?
Actually, all I did was reset my Zune HD in recovery mode and plugged it in. When the Zune Software detected it, it downloaded the ROM from MS. When I was defragging my computer a few days earlier, I happened to find the folder where it saved all of the Firmware Updates. So I just looked in that folder and found the FirmwareUpdate.cab that had the .bin files in it.
After messing around with it, it looks like nothing can really be recmoded to make DLL files. It may need another way to recmod than in the VK.
So does this mean that the Zune HD will be unlocked shortly?!
Blackwheel said:
So does this mean that the Zune HD will be unlocked shortly?!
and does this mean that we will have Zune GUI on winmo devices ?
benko286 said:
and does this mean that we will have Zune GUI on winmo devices ?
That could take some time, but once we are able to read the files, I will try to work on a keyboard.
setix said:
That could take some time, but once we are able to read the files, I will try to work on a keyboard.
How about unlocking the Zune HD? Or is that a completely different animal?
Somebody please sticky this thread immediately. This can only lead to great things!
Blackwheel said:
How about unlocking the Zune HD? Or is that a completely different animal?
Somebody please sticky this thread immediately. This can only lead to great things!
Err.. forgive my ignorance.. but is Zune HD locked?
In what way?
I think what he means by unlocking is to unlock for ROM modification and development.
ND4SPD said:
When I was defragging my computer a few days earlier, I happened to find the folder where it saved all of the Firmware Updates. So I just looked in that folder and found the FirmwareUpdate.cab that had the .bin files in it.
The ROM is saved in a .cab file to %HOMEPATH%\AppData\Local\Microsoft\Zune\Firmware Updates
7-Zip or another unzipping software can extract it out into the 4 .bin files, ext.bin, nk.bin, recovery.bin, and zboot.bin.
I have not yet succeeded in breaking it down into DLLs; it seems like there are multiple DLLs compiled into one .bin file.
Interestingly enough, some of the plaintext I saw in the recovery file was associated with camera/photography code (do a ctrl-f for "autofocus" or "lens" in the recovery.bin file in wordpad). However, I'm guessing it is the remnants of WinCE code, not for the Zune HD (or a successor?). It still begs the question of why it would be included in the recovery code though...
Hope that someone can use this for something...
hairchrm said:
The ROM is saved in a .cab file to %HOMEPATH%\AppData\Local\Microsoft\Zune\Firmware Updates
7-Zip or another unzipping software can extract it out into the 4 .bin files, ext.bin, nk.bin, recovery.bin, and zboot.bin.
I have not yet succeeded in breaking it down into DLLs; it seems like there are multiple DLLs compiled into one .bin file.
Interestingly enough, some of the plaintext I saw in the recovery file was associated with camera/photography code (do a ctrl-f for "autofocus" or "lens" in the recovery.bin file in wordpad). However, I'm guessing it is the remnants of WinCE code, not for the Zune HD (or a successor?). It still begs the question of why it would be included in the recovery code though...
Hope that someone can use this for something...
To break it down, you need to use cvrtbin.exe to convert it to the .nb0 format. Once you have that, as Da_G pointed out to me, you can use Xipport.exe's dump xip function to dump whichever converted file. Unfortunately, xipport has an error on the last file, so I'm going to try to fix that this evening.
You can also view the files in Da_G's first post
ND4SPD said:
To break it down, you need to use cvrtbin.exe to convert it to the .nb0 format. Once you have that, as Da_G pointed out to me, you can use Xipport.exe's dump xip function to dump whichever converted file. Unfortunately, xipport has an error on the last file, so I'm going to try to fix that this evening.
You can also view the files in Da_G's first post
Ahh... haha, I thought he linked to the raw .bin files and I figured that it would be easier to grab them from your own computer than download them. Whoooops!
I am curious, has anyone dissected the Zune HD hardware? I wonder what extra hardware got left behind that is not currently activated (and possibly not licensed). The core chipset can handle all of the common peripherals that you might find in a WM7-class phone chassis.
At the very least you should be able to see the sort of antenna and amps in there.
The ImageUpdate system clearly works, so one approach to updating it (unlocking and/or removing security) is to use the ImageUpdate system (on device or from your desktop, or possibly OTA), although you would need to know a good bit about the NK and zloader for WM7. WM7 is a more streamlined, efficient design, but - unfortunately - there is a lot more in the kernel, which makes updating individual bits more difficult without a full link.
It is a little bit more like the X360 design in this sense.
I believe that ImageUpdate is only known to the end users as the engine for Windows Phone Update or - previously - FOTA (firmware over the air).
As Da_g mentioned, this is the first commercial device (to my knowledge) to use WCE7/WM7 (in general, WM is just a big OAK on WCE)
What certs are in the full CAB?

Windows Phone 7 HardSPL +Dpp+Pvk+GUID+Live.

Hi all - want to know what the status is on an HSPL for WP7 and if I can help, and wondering how the Live PVK and ID get to the phone in the HD2-WP7 situation where no real device provisioning partition exists?!?!?!??! This leads me to think that maybe:
Perhaps with Cotulla's partition layout over 4 separate NAND areas it would be an option to modify this and his WP7 SPL, because the activation thing happened AFTER (Live activation hack-around etc.) he had finished the LEO70 release, and then..........
- whilst JTAG/USB or eth/debug is happening - (obviously Da_G etc. thought of this before - I'm just extrapolating further on this now that Live is done after DFT was released - let me know if I'm way off) - to take an HTC HD2 (LEO70) that HAS BEEN ACTIVATED ON LIVE and see where/how/when/with which partitions, filesystems, regkeys, etc. have the PVK for Live or the FFU, and then insert a test cert like your own xbmod/chevron, or whatever is in the SDK for 7 or CE, and then utilize this to diff and compare. I don't see why not. Then .ffu, then self-signature.
If anyone is looking at doing this and needs hardware, or if I can help, let me know, thanks. Also:
Any way to DUMP the newly-activated, after-hack, after-key, after-MS-call HD2 WP7 contents completely? Any news on this unknown filesystem and SD JBOD with NAND? Is there a way to extract the device provisioning partition etc.? Not interested so much in Live but more in HSPL-for-WP7 creation to allow custom ROMs. Can not seem to find much on this. Anyone got ideas on own signature or other method using pre-existing LEO70 NAND parts as a workaround maybe?
For the record - I have used a single Live key from a Microsoft activation phone call more than 4 times on 2 devices and it works fine over and over: you have to consider the fact that if the vendor or product ID was misflashed at the factory onto DPP then every hard reset would not wipe this (unsure)? causing you to call Microsoft again and ask for another key? Either way:
Does anyone know what the key over the phone from Microsoft is actually doing? Is this key taken with, say, the IMEI or serial of the phone and maybe your @live.com unique GUID and seeded or used with a hash or some algorithm to produce a PVK for the device provisioning partition? Or does it simply override and enable Live? Is there only one type of activation key over the phone? Seems there could be ones maybe based on your Live address+GUID and ones that completely allow model and OEM identification to be cleanly changed?
I am just theorizing here from what I have been reading. Finally: Is it true that UK/etc. MS stopped giving out keys and is referring people to HTC etc. for Live? Any press release or official reaction?
Noticed leaked documents in another thread here marked Microsoft Confidential!

Uconnect 8.4 ver 17.11.07 trying to "root"

I was posting some questions in the "Rooted Jeep Cherokee '14 Uconnect" thread but I've started this new thread for the 17.xx versions because the methods (if we are able to identify them) aren't the same as the 16.33.29 and earlier firmwares...
I am still trying to crack into that unit with the 17.11.07 software. I have a D-Link USB Ethernet adapter, but it's a HW revision D and I believe I would need a B, if we can get Ethernet enabled at all.
Also, if we can get Ethernet enabled we will still need to get SSH password or key.
devmihkel said:
For good or for bad, NOT everything appears correct, except the running 17.x version... As of now neither the "commercial jailbreak" supports new versions (well, yes, they were using exactly the same file to start with). Also 16.51.x or newer appears to be a no-go: uconnect-8-4-8-4an-update
EDIT: haven't got 17.09.07 to try, but on 17.11.07 manifest.lua has changed and the last block/search keyword is "ota_update" instead. Otherwise all the same: image valid after the edit and script.sh gets fired - at least on 16.33.29, that is. @HanJ67 Did you actually try to mount installer.iso after the edit and check /etc/manifest.lua for the end result before?
devmihkel said:
Yeah, the 2nd attempt is much better, as the last lua block is correctly terminated and your script might actually run, but unfortunately no successful 17.x runs have been reported so far. SWF scripts are not involved in the update/jailbreaking run; these ones become relevant only once you are in (and need to enable some app or wifi or navi features etc.). Afaik 17.x blocks ethernet dongle usage as well, but let's see if even the USB driver/link gets activated at all?
Do you have a 16.33.29 version I can try this on? I'm wondering if it will get me far enough to execute the "manifest.lua HD_Update" hack you and @HanJ67 were discussing.
I've used the 17.43.01, then finally found a 17.11.07 and had no luck there either.
In my latest attempts on the 17.11.07, I was able to hex edit the "ifs-cmc.bin" on the UPD and replaced the SSH-RSA key with my own. I think this bin will be flashed to the MMC during an update.
That SWDL.UPD got past the initial check and rebooted into update mode, but then it fails the second ISO check and loops. I had to use an unmodified image to finish the update and get back up and running.
I keep reading about making changes only after the 2048-byte mark in the older versions with the "S" at 0x80. Is this still relevant in later ISO/UPD images and to the second ISO check?
Right now, I'm looking to find a way to disable that check so that my modified .bin will be written to disk. I think this route would also work for modifying and getting WiFi enabled after a flash of the edited image.
If I had a 16.33.29 or similar older UPD version to attempt the HD_UPDATE hack in the manifest.lua file, I would give that a shot to be thorough.
Do you have an idea how to connect a USB2LAN adapter to Uconnect?
Do you know if there are UART pins on the mainboard?
itsJRod said:
I was posting some questions in the "Rooted Jeep Cherokee '14 Uconnect" thread but I've started this new thread for the 17.xx versions because the methods (if we are able to identify them) aren't the same as the 16.33.29 and earlier firmwares...
I am still trying to crack into that unit with the 17.11.07 software. I have a D-Link USB Ethernet adapter, but it's a HW revision D and I believe I would need a B, if we can get Ethernet enabled at all.
Also, if we can get Ethernet enabled we will still need to get SSH password or key.
Do you have a 16.33.29 version I can try this on? I'm wondering if it will get me far enough to execute the "manifest.lua HD_Update" hack you and @HanJ67 were discussing.
I've used the 17.43.01, then finally found a 17.11.07 and had no luck there either.
In my latest attempts on the 17.11.07, I was able to hex edit the "ifs-cmc.bin" on the UPD and replaced the SSH-RSA key with my own. I think this bin will be flashed to the MMC during an update.
That SWDL.UPD got past the initial check and rebooted into update mode, but then it fails the second ISO check and loops. I had to use an unmodified image to finish the update and get back up and running.
I keep reading about making changes only after the 2048-byte mark in the older versions with the "S" at 0x80. Is this still relevant in later ISO/UPD images and to the second ISO check?
Right now, I'm looking to find a way to disable that check so that my modified .bin will be written to disk. I think this route would also work for modifying and getting WiFi enabled after a flash of the edited image.
If I had a 16.33.29 or similar older UPD version to attempt the HD_UPDATE hack in the manifest.lua file, I would give that a shot to be thorough.
Hello, any news about it?
Hi,
can you explain how to change the SSH key in the "ifs-cmc.bin" file?
Thanks a lot
itsJRod said:
I was posting some questions in the "Rooted Jeep Cherokee '14 Uconnect" thread but I've started this new thread for the 17.xx versions because the methods (if we are able to identify them) aren't the same as the 16.33.29 and earlier firmwares...
I am still trying to crack into that unit with the 17.11.07 software. I have a D-Link USB Ethernet adapter, but it's a HW revision D and I believe I would need a B, if we can get Ethernet enabled at all.
Also, if we can get Ethernet enabled we will still need to get SSH password or key.
Do you have a 16.33.29 version I can try this on? I'm wondering if it will get me far enough to execute the "manifest.lua HD_Update" hack you and @HanJ67 were discussing.
I've used the 17.43.01, then finally found a 17.11.07 and had no luck there either.
In my latest attempts on the 17.11.07, I was able to hex edit the "ifs-cmc.bin" on the UPD and replaced the SSH-RSA key with my own. I think this bin will be flashed to the MMC during an update.
That SWDL.UPD got past the initial check and rebooted into update mode, but then it fails the second ISO check and loops. I had to use an unmodified image to finish the update and get back up and running.
I keep reading about making changes only after the 2048-byte mark in the older versions with the "S" at 0x80. Is this still relevant in later ISO/UPD images and to the second ISO check?
Right now, I'm looking to find a way to disable that check so that my modified .bin will be written to disk. I think this route would also work for modifying and getting WiFi enabled after a flash of the edited image.
If I had a 16.33.29 or similar older UPD version to attempt the HD_UPDATE hack in the manifest.lua file, I would give that a shot to be thorough.
sofro1988 said:
Hello, any news about it?
I have not had much time to work on this.
I actually had an idea last week that brought me back to this. I plan to use a custom flash drive to present an unmodified ISO for verification, then swap NAND to an identical image that has been hex edited to enable USB Ethernet and add a custom key for SSH access.
I thought to stack a NAND on top of the original on a USB flash drive, then break out the Chip Enable pin to a switch. I've seen this done by guys modifying game consoles to be able to run modified firmware.
Once the 2nd NAND is in place I will restore an image of the original nand containing the unmodified update, then hex edit the required portions to allow access after updating.
If this method works, I should be able to pass the verification with the original nand chip, then switch it (hopefully there's a big enough window to do this by hand) then present the modified nand before it begins the flash procedure.
Hopefully someone more intimately familiar with the update scripts can verify I'm not missing anything in the process
Tajadela said:
Hi,
can you explain how to change the SSH key in the "ifs-cmc.bin" file?
Thanks a lot
I used a hex editor to find the SSH RSA key and replace it. This passed the initial check to reboot into update mode, but wouldn't pass the full check in update mode. I'm hoping my attempt below will pass that check and still update with the modifications.
itsJRod said:
I used a hex editor to find the SSH RSA key and replace it. This passed the initial check to reboot into update mode, but wouldn't pass the full check in update mode. I'm hoping my attempt below will pass that check and still update with the modifications.
Thanks for the answer.
I saw an SSH key with the hex editor, but I would like to see exactly what you have replaced.
If it's not too much trouble, it would be interesting to see with some screenshots the changes you've made.
So we could work on two fronts. The idea of the double NAND is good, but not very simple to make...
Just thinking out loud here, when you say it passes the initial check, does it then give you any confirmation of that or any message on the screen before rebooting to upgrade mode?
SquithyX said:
Just thinking out loud here, when you say it passes the initial check, does it then give you any confirmation of that or any message on the screen before rebooting to upgrade mode?
I tried much the same thing -- the swdl.upd is another CDROM filesystem:
martinb$ file swdl.upd
swdl.upd: ISO 9660 CD-ROM filesystem data 'CDROM'
It contains three more .iso files : installer.iso, primary.iso, and secondary.iso
installer.iso is a CDROM image, but is not mountable on my linux system
primary.iso is a CDROM image, and has the usual /bin, /etc/, and /usr filesystem for an install
the /bin directory has one file - update_nand
the /etc directory has the usual mfgVersiontxt, nand_partion.txt, system_etfs_postinstall.txt, system_mmc_postinstall.txt and version.txt
the /usr/share directory is all the firmware for various components - EQ, HD_FIRMWARE, IFS, MMC_IFS_EXTENSION,OTA,SIERRA_WIRELESS,V850, and XM_FIRMWARE
What's interesting to me is that they did update the SIERRA_WIRELESS firmware -- and have done some housecleaning:
Code:
#---------------------------------
# sierra_wireless_disable_flowcontrol.file
# \d == 1 second delay
SAY " Send AT \n"
'' AT\r
OK \d
SAY "Disable flow control\n"
'' at+ifc=0,0\r
OK \d
SAY "Send SMS command CNMI\n"
'' at+cnmi=2,1,0,1,0\r
OK \d
SAY "Clear emergency number list\n"
'' AT!NVENUM=0\r
OK \d
SAY "Set emergency number to 911\n"
'' AT!NVENUM=1,"911"\r
OK \d
SAY "Save Setting\n"
'' at&w\r
OK \d
#---------------------------------
Also in the IFS directory, when you hexedit the ifs-cmc.bin file it reveals another little treat... an SSH root public key ( not as nice as a private key, but hey )
(Sorry about the formatting, this is cut/paste right out of the hex editor)
Code:
ssh-rsa [email protected]
2E..IwU.Q....njle8r9nrJ7h8atg4WfqswU0C0Rk/Ezs/sQs5ZA6ES82MQONjHBd7mw
uo8h0xfj3KeeSHMXCEBpmU26guNE4EqfvdioLFCDUxtvMYswlUZjsvd/NYz9lnUZg2hy
pwzFQjXgSzmHVrHjkKKvq7Rak/85vGZrJKxlvHnowA8JIl1tVNVQjPMNgDDJabaETtfw
LL1KlvAzI81cKOG/3IRn9lU6qyYqyG+zYoza0nN\..7/AtxdL481k81Go5c3NQTnkl2U
68lbu8CpnwrYCU098owLmxdI4kF5UOL4R61ItJuwz30JSESgT..!8RDgM6XEiHUpK9yW
vvRg+vbGWT/oQn0GQ== [email protected]
in /usr/share/MMC_IFS_EXTENSION/bin/cisco.sh and dlink.sh there's another good hint - what adapter you need for USB ethernet
Code:
#!/bin/sh
# Handle an Ethernet connection via the CISCO Linksys USB300M adapter
or
Code:
#!/bin/sh
# Handle an Ethernet connection via the D-Link DUB-E100 adapter
The static IP it brings up if no DHCP is offered is : 192.168.6.1
There's tons more in there -- like the V850 chip has access to the Sierra Wireless CDMA modem, but can configure it for voice calls through the car speakers:
"AT!AVSETPROFILE=8,1,1,0,5" ( embedded in the cmcioc.bin update file )
secondary.iso is a CDROM image and only has /etc/ and /usr
the /etc/ directory has speech_mmc_preinstall.txt and xlets_mmc1_preinstall.txt
the /usr/ directory has /usr/share/speech and /usr/share/xlets ( tons of information about sensors in the car, etc in xlets )
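The post above describes swdl.upd as an ISO 9660 container holding further .iso images, and an OpenSSH public key embedded in ifs-cmc.bin. The following Python script is an added example (not the thread's or the vendor's own tooling) that inventories such an update image from a defender's point of view: it locates every ISO 9660 primary volume descriptor (the "CD001" signature at sector 16 of each nested image) and lists any OpenSSH public key lines it finds, checking that the key type printed in the line agrees with the type encoded inside the base64 blob. The sample container it scans by default is constructed in memory; its volume id, key material and key comment are assumptions, not values from a real update.

```python
"""Inventory nested ISO 9660 images and embedded OpenSSH public keys in a
firmware update container. Added example for this thread, not the Uconnect
project's own tooling; the sample container below is constructed in memory."""
import base64
import re
import struct
import sys

ISO_SECTOR = 2048
PVD_SECTOR = 16                      # ISO 9660 system area is sectors 0..15
PVD_MAGIC = b"\x01CD001\x01"         # primary volume descriptor: type 1, "CD001", version 1

# OpenSSH one-line public key: "<type> <base64 blob> [comment]"
SSH_KEY_RE = re.compile(
    rb"(ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp(?:256|384|521))"
    rb" ([A-Za-z0-9+/]{16,}={0,2})"
    rb"(?:[ \t]+([^\s\x00]{1,128}))?"
)


def find_iso9660_images(data):
    """Locate every ISO 9660 primary volume descriptor in `data` and derive the
    start offset and declared size of the image that owns it."""
    found = []
    pos = data.find(PVD_MAGIC)
    while pos != -1:
        start = pos - PVD_SECTOR * ISO_SECTOR
        if start >= 0 and pos + ISO_SECTOR <= len(data):
            pvd = data[pos:pos + ISO_SECTOR]
            volume_id = pvd[40:72].decode("ascii", "replace").strip()
            blocks = struct.unpack_from("<I", pvd, 80)[0]        # LE half of both-endian field
            block_size = struct.unpack_from("<H", pvd, 128)[0]   # LE half of both-endian field
            found.append({"offset": start, "volume_id": volume_id, "size": blocks * block_size})
        pos = data.find(PVD_MAGIC, pos + 1)
    return found


def _wire_key_type(b64):
    """Decode the base64 blob and return the key type the blob itself declares
    (its first length-prefixed field), or None if it is not well formed."""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:
        return None
    if len(blob) < 4:
        return None
    n = struct.unpack_from(">I", blob, 0)[0]
    if n == 0 or 4 + n > len(blob):
        return None
    return blob[4:4 + n]


def find_ssh_public_keys(data):
    """Return every OpenSSH public key line found in `data`. `valid` is True only
    when the textual type and the type encoded inside the blob agree."""
    keys = []
    for m in SSH_KEY_RE.finditer(data):
        text_type, b64, comment = m.group(1), m.group(2), m.group(3)
        keys.append({
            "offset": m.start(),
            "type": text_type.decode(),
            "comment": comment.decode("ascii", "replace") if comment else "",
            "valid": _wire_key_type(b64) == text_type,
        })
    return keys


# --- constructed sample data (not taken from any real update image) ---
def sample_ssh_key(text_type=b"ssh-rsa"):
    """Build an OpenSSH public key line whose blob declares ssh-rsa with a
    tiny placeholder modulus; a different `text_type` yields a mismatched key."""
    def field(b):
        return struct.pack(">I", len(b)) + b
    blob = field(b"ssh-rsa") + field(b"\x01\x00\x01") + field(b"\x00\xc3\x9b\x7d")
    return text_type + b" " + base64.b64encode(blob) + b" root@example-unit"


def sample_container():
    """Minimal ISO 9660 image (system area + one PVD, volume id 'CDROM')
    followed by padding and an embedded key line."""
    pvd = bytearray(ISO_SECTOR)
    pvd[0:7] = PVD_MAGIC
    pvd[40:72] = b"CDROM".ljust(32)
    struct.pack_into("<I", pvd, 80, 300)          # 300 logical blocks ...
    struct.pack_into(">I", pvd, 84, 300)
    struct.pack_into("<H", pvd, 128, ISO_SECTOR)  # ... of 2048 bytes each
    struct.pack_into(">H", pvd, 130, ISO_SECTOR)
    return bytes(PVD_SECTOR * ISO_SECTOR) + bytes(pvd) + b"\x00" * 64 + sample_ssh_key() + b"\x00" * 16


SAMPLE_CONTAINER = sample_container()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CONTAINER
    for img in find_iso9660_images(data):
        print(f"ISO 9660 image at 0x{img['offset']:x}: volume '{img['volume_id']}', {img['size']} bytes")
    for k in find_ssh_public_keys(data):
        print(f"SSH public key at 0x{k['offset']:x}: {k['type']} {k['comment']} valid={k['valid']}")
```

Run it with a file path to scan a real update image; with no argument it scans the built-in sample. Only primary volume descriptors are matched, so a Joliet supplementary descriptor in the same image is not counted as a second image, and a key line whose textual type disagrees with its wire-encoded type is flagged rather than trusted, which is the kind of inconsistency a hand-edited image would show.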
martinbogo1 said:
I tried much the same thing -- the swdl.upd is another CDROM filesystem:
martinb$ file swdl.upd
swdl.upd: ISO 9660 CD-ROM filesystem data 'CDROM'
It contains three more .iso files : installer.iso, primary.iso, and secondary.iso
installer.iso is a CDROM image, but is not mountable on my linux system
primary.iso is a CDROM image, and has the usual /bin, /etc/, and /usr filesystem for an install
the /bin directory has one file - update_nand
the /etc directory has the usual mfgVersiontxt, nand_partion.txt, system_etfs_postinstall.txt, system_mmc_postinstall.txt and version.txt
the /usr/share directory is all the firmware for various components - EQ, HD_FIRMWARE, IFS, MMC_IFS_EXTENSION,OTA,SIERRA_WIRELESS,V850, and XM_FIRMWARE
What's interesting to me is that they did update the SIERRA_WIRELESS firmware -- and have done some housecleaning:
Code:
#---------------------------------
# sierra_wireless_disable_flowcontrol.file
# \d == 1 second delay
SAY " Send AT \n"
'' AT\r
OK \d
SAY "Disable flow control\n"
'' at+ifc=0,0\r
OK \d
SAY "Send SMS command CNMI\n"
'' at+cnmi=2,1,0,1,0\r
OK \d
SAY "Clear emergency number list\n"
'' AT!NVENUM=0\r
OK \d
SAY "Set emergency number to 911\n"
'' AT!NVENUM=1,"911"\r
OK \d
SAY "Save Setting\n"
'' at&w\r
OK \d
#---------------------------------
Also in the IFS directory, when you hexedit the ifs-cmc.bin file it reveals another little treat... an SSH root public key ( not as nice as a private key, but hey )
(Sorry about the formatting, this is cut/paste right out of the hex editor)
Code:
ssh-rsa [email protected]
2E..IwU.Q....njle8r9nrJ7h8atg4WfqswU0C0Rk/Ezs/sQs5ZA6ES82MQONjHBd7mw
uo8h0xfj3KeeSHMXCEBpmU26guNE4EqfvdioLFCDUxtvMYswlUZjsvd/NYz9lnUZg2hy
pwzFQjXgSzmHVrHjkKKvq7Rak/85vGZrJKxlvHnowA8JIl1tVNVQjPMNgDDJabaETtfw
LL1KlvAzI81cKOG/3IRn9lU6qyYqyG+zYoza0nN\..7/AtxdL481k81Go5c3NQTnkl2U
68lbu8CpnwrYCU098owLmxdI4kF5UOL4R61ItJuwz30JSESgT..!8RDgM6XEiHUpK9yW
vvRg+vbGWT/oQn0GQ== [email protected]
in /usr/share/MMC_IFS_EXTENSION/bin/cisco.sh and dlink.sh there's another good hint - what adapter you need for USB ethernet
Code:
#!/bin/sh
# Handle an Ethernet connection via the CISCO Linksys USB300M adapter
or
Code:
#!/bin/sh
# Handle an Ethernet connection via the D-Link DUB-E100 adapter
The static IP it brings up if no DHCP is offered is : 192.168.6.1
There's tons more in there -- like the V850 chip has access to the Sierra Wireless CDMA modem, but can configure it for voice calls through the car speakers:
"AT!AVSETPROFILE=8,1,1,0,5" ( embedded in the cmcioc.bin update file )
secondary.iso is a CDROM image and only has /etc/ and /usr
the /etc/ directory has speech_mmc_preinstall.txt and xlets_mmc1_preinstall.txt
the /usr/ directory has /usr/share/speech and /usr/share/xlets ( tons of information about sensors in the car, etc in xlets )
Have you tried connecting to it?
sofro1988 said:
Have you tried connecting to it?
I managed to connect with the Cisco adapter (USB/Ethernet), but I don't know the root password. Is the problem at the moment insurmountable?
Using a cisco connector, I have gotten the ethernet to come up, but that's it. At the moment, there doesn't seem to be anything I can connect to.
@Tajadela - sounds like you at least were able to either SSH or telnet in to a port... I'm on software version 17.43.01 .. which are you on, and what year vehicle? ( Jeep Grand Cherokee, 2015, Uconnect 8.4AN with the 3G Sierra Aircard modem for Sprint )
martinbogo1 said:
Using a cisco connector, I have gotten the ethernet to come up, but that's it. At the moment, there doesn't seem to be anything I can connect to.
@Tajadela - sounds like you at least were able to either SSH or telnet in to a port... I'm on software version 17.43.01 .. which are you on, and what year vehicle? ( Jeep Grand Cherokee, 2015, Uconnect 8.4AN with the 3G Sierra Aircard modem for Sprint )
I connected via telnet on a Uconnect 6.5 with firmware 15.xx.xx. You can connect to Uconnect with the static IP it brings up if no DHCP is offered: 192.168.6.1
itsJRod said:
I used a hex editor to find the SSH RSA key and replace it. This passed the initial check to reboot into update mode, but wouldn't pass the full check in update mode. I'm hoping my attempt below will pass that check and still update with the modifications.
After the RSA key is replaced, do you have to recalculate the checksum of the UPD file?
Have you replaced the first 64 bytes of the file?
Thanks.
@itsJRod, would you like to explain the procedure to replace the RSA key in the swdl file? Thank you.
Hello,
Have you made any progress? I am a bit lost. I put the EU Uconnect MY15 into a US Dodge Charger MY16 and Perf Pages were working fine even on 16.16.13, but after upgrading to 17.x (17.46.0.1 right now) I am running into the problem of an expired subscription (which is not possible to have on an EU radio).
I am considering basically three solutions:
a) going back to US radio, but modify the language pack/nav/FM frequencies (it is doable, but I do not know how, although I can pay for it relatively less than time invested)
b) downgrade to 16.16.13 - I have no clue how to do it; I tried to put swdl.upd with swdl.iso and installer.iso, with no luck of course.
c) take xlets from KIM2/ of 16.16.13 to KIM23 of 17.46.0.1 secondary.iso - this is probably preferred way but I do not know how to make it to pass ISO validation.
Of course root on uconnect is extremely nice to have but I will be fully satisfied with Perf Pages working again.
Hello.
I'm hoping the community can help me out. I have a RAM 1500 with the RA4 (it was running the 17.11.07 software that got pushed to me OTS-style a couple of years ago). Since then: problems, radio turn-on delay, no GPS and a cellular phone warning popup.
I was told to do the 18.45 update, which I got from driveuconnect.com, but this has essentially bricked my radio with the "bolo update failed" error and it is looping continuously.
I have tried many ways to modify the update software's manifest.lua script to try to get rid of the Sierra Wireless portion by manually editing, hex editing, etc., but I always get the "please insert the USB card" screen.
Uconnect is obviously completely worthless to help me and the dealer wants me to pay them money to tell me what I already know. I know I can pay 300 and send my radio to infotainemnt.com to get it repaired, but I would like to solve this on my own if possible, because I would like to further modify the software to make it more custom and unique.
From my reading, the 17.x version keeps you from downgrading to a version that can be hacked easily.
Everything seems like it should be pretty straightforward, as I have a lot of experience in programming and embedded devices.
It seems they are validating the ISOs using some mechanism; I believe I have tried all of the tricks/methods.
I have searched the code to see if I can find the ISO MD5 or SHA256 hashes that ioc_check is probably using to figure out I changed something, but nothing worked.
I have even tried swapping the flash drives after validation, but it seems they are using the ISOs they already copied to continue the process; I then end up getting some invalid errors or the update just crashes out.
I got other updates from the link: http://www.mydrive.ch/
username: [email protected]
Password: gasolio
Haven't tried all of them yet, but I'm pretty sure they won't work, due to the 17.x security changes.
Any help would be appreciated greatly; I really don't want to shell out any cash for something a company told me to do and that, due to their screw-up with bricking modems, is now bricking my radio.
Thanks to all in advance !!!
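The drive-swap attempt described in the post above fails for a structural reason: an updater that copies the images into private storage before checking them, and then installs only from that copy, leaves no window between the check and the use. The following Python is an added example, not code from this thread or from the Uconnect updater. It models the two designs with a hypothetical manifest that maps an image name to its expected SHA-256 (the real manifest.lua and ioc_check formats are not reproduced), a constructed payload standing in for swdl.iso, and a `between` hook that plays the role of the person swapping the USB stick after validation.

```python
"""Verify-in-place vs. stage-then-verify update installers (added example).

The manifest format here (image name -> hex SHA-256) and the payloads are
hypothetical; they are not the Uconnect manifest.lua or ioc_check logic.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Callable, Dict, Optional

Manifest = Dict[str, str]
Hook = Optional[Callable[[], None]]

# Constructed stand-ins for the bytes of swdl.iso on the original and the swapped drive.
GOOD_IMAGE = b"constructed image: bytes the manifest was generated for"
SWAPPED_IMAGE = b"constructed image: bytes on the drive inserted after validation"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_against_manifest(folder: Path, manifest: Manifest) -> None:
    """Raise if any listed image in `folder` does not hash to its manifest entry."""
    for name, expected in manifest.items():
        actual = sha256_file(folder / name)
        if actual != expected:
            raise ValueError(f"{name}: expected {expected[:12]}..., got {actual[:12]}...")


def install_verify_in_place(media: Path, target: Path, manifest: Manifest,
                            between: Hook = None) -> Dict[str, bytes]:
    """Weak design: hash the files on the removable media, then read the media again later.

    Anything that changes the media between the two reads (a swapped drive, a
    rewritten file) is installed without ever having been verified.
    """
    check_against_manifest(media, manifest)
    if between:                      # simulates the drive swap after validation
        between()
    installed = {}
    for name in manifest:
        data = (media / name).read_bytes()   # second read of the media: the TOCTOU window
        (target / name).write_bytes(data)
        installed[name] = data
    return installed


def install_staged(media: Path, staging: Path, target: Path, manifest: Manifest,
                   between: Hook = None) -> Dict[str, bytes]:
    """Robust design: copy first, verify the private copy, install only from that copy."""
    for name in manifest:
        shutil.copyfile(media / name, staging / name)
    check_against_manifest(staging, manifest)
    if between:                      # swapping the media now changes nothing
        between()
    installed = {}
    for name in manifest:
        data = (staging / name).read_bytes()
        (target / name).write_bytes(data)
        installed[name] = data
    return installed


def demo() -> Dict[str, bytes]:
    """Run both installers through the same swap scenario; returns what each installed."""
    manifest = {"swdl.iso": hashlib.sha256(GOOD_IMAGE).hexdigest()}
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for mode in ("in_place", "staged"):
            media = Path(tmp) / mode / "media"
            staging = Path(tmp) / mode / "staging"
            target = Path(tmp) / mode / "target"
            for d in (media, staging, target):
                d.mkdir(parents=True)
            (media / "swdl.iso").write_bytes(GOOD_IMAGE)

            def swap_drive(m=media):
                (m / "swdl.iso").write_bytes(SWAPPED_IMAGE)

            if mode == "in_place":
                out = install_verify_in_place(media, target, manifest, between=swap_drive)
            else:
                out = install_staged(media, staging, target, manifest, between=swap_drive)
            results[mode] = out["swdl.iso"]
    return results


if __name__ == "__main__":
    for mode, data in demo().items():
        print(f"{mode:9s} installed the {'GOOD' if data == GOOD_IMAGE else 'SWAPPED'} image")
```

Both installers accept the manifest check; the in-place one then installs the swapped bytes, the staged one installs the bytes it verified. That is the behaviour the post reports from the other side ("they are using the ISOs they already copied"), and it is the pattern to copy when you write an updater of your own: never trust a second read of removable media.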
djmjr77 said:
Hello.
I'm hoping the community can help me out.
Just to follow up for anyone who reads this in the future.
I was able to get my uconnect working again a few minutes ago.
As my previous post stated I got stuck in the "bolo update failed" loop.
I downloaded the UCONNECT_8.4AN_RA4_16.33.29_MY16.exe update from the url posted in my previous comment.
I did the S Byte HEX Mod to the swdl.iso file, loaded it and the swdl.upd file on a thumb drive. Used HxD on Windows. Followed the section in the Uconnect exploitation PDF:
https://www.google.com/url?sa=t&source=web&rct=j&url=http://illmatics.com/Remote%2520Car%2520Hacking.pdf&ved=2ahUKEwjZsOGNl5nyAhWhGVkFHZy2AnAQFnoECAcQAg&usg=AOvVaw0NAi3a1eh-IRd3n1VHv-ys
When I plugged it in, it started with the update process; after the first unit, the screen said the Uconnect had to restart, please wait..
And voilà, my radio worked again!!! It even says it has the 18.45 firmware on it.. go figure.. Navigation still does not work, but that's most likely because the Sierra Wireless card is bad.
I cannot say for sure the S Byte thing did anything, because I'm not messing with this anymore; I almost had to buy a new radio.
I would say try it without, then with it if it doesn't work.
This could also be a fluke with my particular unit, but at least it's something else to try than paying 600+ dollars!!
Good luck to anyone else who goes through this mess!!!
djmjr77 said:
Just to follow up for anyone who reads this in the future.
I created an account just to reply to this, and all I have to say is you're literally an absolute life saver. I've been working on this every day for two weeks now, trying every trick people said, trying every USB, every format, every version, and nothing ever worked for me. Uconnect support was absolutely no help; it was a lot of back-and-forth finger pointing and "no, you need to reach out to this person" between them and the dealership. The dealership tried to charge me for a Proxy Alignment when I asked to just update my damn radio stuck in this loop.
I have a 2015 Jeep Cherokee 8.4AN VP4 NA head unit 68238619AJ. I was updating from 17.11.07 to 18.45.01 and got stuck at step 11 at 1%, would get a failed Sierra Wireless every time, and then got into that "bolo update failed" loop. Well, to fix it just now all I did was download the UCONNECT_8.4AN_RA4_16.33.29_MY16.exe update from the URL posted in the previous comment, quick-format a 16GB Micro Center USB to FAT32, extract the files from 16.33.29 to the USB with 7-Zip, plug it in like normal and BOOM, it ran the first step, restarted, and I had a working radio again showing update 18.45.01.
(So I'm assuming you don't have to do the S Byte thing; I didn't even mess with it. I just used the 16.33.29 to bypass step 11, since that version only has 14 steps and 18.45.01 was already preloaded from attempting before. My navigation still has the wrong address, but I don't care about all that, just thankful to have my radio back before my wife killed me for trying to update it by myself.)
I hope this helps someone else one day, because it took some deep research and hours on hours of forum hopping to finally find the solution. <3
djmjr77 said:
Just to follow up for anyone who reads this in the future.
Do you have another link to download the UCONNECT_8.4AN_RA4_16.33.29_MY16.exe files? I am trying to help a friend of mine the way this helped me. Thank you again for this!

[GUIDE] Restoring IMEI and EFS after erasing or corrupting (No backup needed)

OOPS!
You were following guides on XDA, and throwing random commands in ADB from the posts under the guides (DON'T DO THIS!) and now your slick new ROG phone 2 doesn't have mobile data, calls, wifi, or bluetooth. You quickly find out that flashing the phone with any firmware old or new, doesn't help you, as this issue is directly linked to your chip in your phone.
I quickly found that I needed a QCN file from someone with a rog 2 phone, however I could not get any help here on XDA except from the user Greatuser123, who did not want to give out his QCN file (understandably), but did send me some notes to try and help with other tools.
With nothing working, and no QCN file, I ordered another ROG 2 and waited for it in the mail. After it got here, I quickly extracted the QCN file, replaced the IMEIs in it, and used QPST to restore my phone.
I am simply writing this guide with the generic QCN file with my info masked out of it, so no one has to go through what I went through.
Common issue
This most commonly happens with ROG 2 Phones from the commands:
DO NOT RUN THESE COMMANDS UNLESS YOU KNOW WHAT YOU ARE DOING!
(spaced command to ensure no one runs this!)
fastboot erase modem st 1
fastboot erase modem st 2
On most phones these partitions would be restored on reboot, but not on most ROGs.
Prerequisites
Rooted Phone
QPST
Qualcomm USB drivers
IMEI Converter
Platform Tools
The Fix
Follow the root video linked above, or find the root thread for your phone here on XDA, and root your phone. This will not work unless you are rooted, although I do not know how you would get into this mess without having your phone rooted already.
Install QPST tools
Install Qualcomm USB drivers
Download the attached zip "good_qcn.zip" and extract the .QCN file anywhere on your machine
Open the .QCN file with any Hex Editor (I used HxD) and search for the Hex-Values: 08 3A 85 99 99 99 99 99 99
NOTE: There will be TWO locations with this value. This is where your IMEI_1 and IMEI_2 will go. Your IMEI_2 goes into the FIRST occurrence, while your IMEI_1 goes in the second.
Download the IMEI Converter app and type in your IMEI_1 and click "Convert", place the converted hex output into a notepad or similar
Do the same for your IMEI_2 and place it in the same location
Now that you have the HEX version of both your IMEIs, paste your IMEI_2 in the FIRST occurrence of the fake IMEI in the QCN file
Paste your IMEI_1 in the last occurrence of the fake IMEI and now save your new .QCN file.
Ensure your device is in USB Debugging Mode.
Download and extract the Platform Tools if you do not have them already.
Plug your phone into your computer using either port
Navigate to your extracted Platform Tools and in a Command Line type "adb devices" to ensure your device is visible.
Run a shell with "adb shell" and elevate your permission with "su"
Now it is time to enable Diag mode by running "setprop sys.usb.config rndis,diag,adb"
At this time, if you installed the Qualcomm drivers, your Device Manager should have a port similar to "Qualcomm HS-USB Diag". If not, keep trying to re-enter diag mode and ensure the drivers are correct.
Open up "QPST Configuration" which was installed earlier. You should see your phone listed under "Active Phones". Click "Start Clients" -> "Software Download"
The Port field of the QPST Software Download should list your phone, if not something is wrong.
Click "Restore", and in the xQCN field, click "Browse", change the file type from XQCN to QCN, and select your newly made QCN file
Click "Start", and once the process is done, restart your phone
Conclusion
If all went well, your phone should now have all its bells and whistles again. Sometimes it may require a Factory Reset, and this should always be the practice anyways. If you have mobile data, but only H+ or EDGE, dial *#*#4636#*#* on your phone and ensure LTE is provisioned.
Good luck guys!
Special thanks to: Greatuser123 for helping when no one else would, and HomerSp for his many useful guides that some tools and knowledge was borrowed from.
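The placeholder the guide searches for, 08 3A 85 99 99 99 99 99 99, is the IMEI 358999999999999 in the BCD layout that 3GPP TS 24.008 uses for the mobile identity, with a one-byte length prefix: 0x08 says eight bytes follow; the first of those carries digit 1 in its high nibble and 0xA (odd digit count, identity type IMEI) in its low nibble; every later byte packs two digits with the lower-numbered digit in the low nibble. That is the conversion the IMEI Converter app performs. The following Python is an added example, not code from the guide or from QPST. It does the conversion in both directions, rejects IMEIs with a wrong Luhn check digit (a typo here gets written to NV), and performs the two-occurrence patch exactly as the guide orders it (IMEI_2 into the first match, IMEI_1 into the second), refusing to proceed when the pattern is not found exactly twice, which is the failure several later replies hit. The QCN buffer is constructed for the demo and models nothing of the real file layout; the IMEIs in the test are well-known example numbers, not real devices.

```python
"""IMEI <-> Qualcomm NV byte encoding and placeholder patching in a QCN dump (added example).

Byte layout: 3GPP TS 24.008 mobile-identity BCD form with a one-byte length
prefix, which is what the guide's placeholder decodes to. SAMPLE_QCN is a
constructed buffer for the demo, not a real dump.
"""
from typing import List

PLACEHOLDER = bytes.fromhex("083A85999999999999")   # the guide's search pattern
PLACEHOLDER_IMEI = "358999999999999"


def luhn_ok(imei: str) -> bool:
    """Digit 15 of an IMEI is a Luhn check digit: the weighted sum must be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def encode_imei(imei: str) -> bytes:
    """15 decimal digits -> 9 NV bytes: 0x08, (d1<<4 | 0xA), (d3<<4 | d2), (d5<<4 | d4), ..."""
    if len(imei) != 15 or not imei.isdigit():
        raise ValueError("IMEI must be exactly 15 decimal digits")
    if not luhn_ok(imei):
        raise ValueError("IMEI check digit is wrong (typo?)")
    d = [int(c) for c in imei]
    out = bytearray([0x08, (d[0] << 4) | 0x0A])
    for lo, hi in zip(d[1::2], d[2::2]):    # pairs (d2,d3), (d4,d5), ... (d14,d15)
        out.append((hi << 4) | lo)
    return bytes(out)


def decode_imei(blob: bytes) -> str:
    """Inverse of encode_imei; checks the length byte and the 0xA marker nibble."""
    if len(blob) != 9 or blob[0] != 0x08 or (blob[1] & 0x0F) != 0x0A:
        raise ValueError("not a length-prefixed IMEI NV record")
    digits = [blob[1] >> 4]
    for b in blob[2:]:
        digits.extend((b & 0x0F, b >> 4))   # low nibble first
    return "".join(str(x) for x in digits)


def find_all(buf: bytes, pattern: bytes) -> List[int]:
    """Every offset at which `pattern` occurs in `buf`."""
    offsets, pos = [], buf.find(pattern)
    while pos != -1:
        offsets.append(pos)
        pos = buf.find(pattern, pos + 1)
    return offsets


def patch_qcn(qcn: bytes, imei1: str, imei2: str) -> bytes:
    """Replace both placeholders; as the guide says, IMEI_2 goes in the first, IMEI_1 in the second."""
    offsets = find_all(qcn, PLACEHOLDER)
    if len(offsets) != 2:
        raise ValueError(f"expected the placeholder IMEI exactly twice, found {len(offsets)}")
    out = bytearray(qcn)
    for off, imei in zip(offsets, (imei2, imei1)):
        out[off:off + 9] = encode_imei(imei)   # same length, so nothing else shifts
    return bytes(out)


# Constructed stand-in for a QCN dump: filler, two placeholder records, filler.
SAMPLE_QCN = (b"\x00" * 12 + b"NV\x00\x00" + PLACEHOLDER
              + b"\xff" * 7 + PLACEHOLDER + b"\x00" * 5)


if __name__ == "__main__":
    # Example IMEIs, not real devices.
    patched = patch_qcn(SAMPLE_QCN, "490154203237518", "356938035643809")
    for off in find_all(SAMPLE_QCN, PLACEHOLDER):
        rec = patched[off:off + 9]
        print(f"offset {off:#06x}: {rec.hex(' ')}  ->  {decode_imei(rec)}")
```

Run it against a real dump by reading the file into `qcn` and writing `patch_qcn(...)` back out under a new name; the decode step is the check worth keeping, since a record that does not decode to the IMEI printed on the phone's tray is a record you do not want to restore with QPST.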
Hi bro, nice to meet you, and I did my best to help you out, as I spent some stress on this when I was one of the first people who suffered from this issue. And gladly you solved it. Bro, you badly misunderstood about me not wanting to give you the QCN: I was going to give you my QCN file, but first I was asking you for some proof, a photo of the same phone as mine and the package, to know that you were not going to change or edit it badly (doing mischievousness). As you never sent the proof, I did not send the QCN file. You can recheck your messages again, bro.
Thank you very much for this, life saver.
My wifi and bluetooth works fine but I cannot get my mobile to power back on. When I go into the menu mobile power is just not there :/
Do you have the global or the cn version?
BlazingBullets said:
Thank you very much for this, life saver.
This QCN came from a global device, but I imagine this could be used to recover the mobile at least temporary to fully fix the device, no matter the origins.
Sorry for the delay.
Greatuser123 said:
No no, please do not think I meant you by that. It was other users (understandably) that questioned my motives before you. I absolutely would have taken you up on your offer if I did not already have the phone on the way. Either way, I really appreciate your help during this, and I hope you continue to help other users the same way you did for me.
decrypterfixer said:
This QCN came from a global device, but I imagine this could be used to recover the mobile at least temporary to fully fix the device, no matter the origins.
After a lot of heartache and even making an EDL cable, I could not get the cell network back. I've sent it in to ASUS to get fixed. I have made a few backups and will diff them when I get my device back, so hopefully I can see what they have fixed so others don't have to experience this.
BlazingBullets said:
I can help you
Well done mate, you will be a hero someday haha, good job
Leevii2208 said:
I can help you
Please provide your support overtly here and not via social media!
I've edited your post; please refer to https://forum.xda-developers.com/oneplus-5t/how-to/telegram-chat-channels-forward-t3765018
Not working
Thanks, but it's not working, or I did it wrong. I wrote it (changed my IMEI two ways: yours and another program) and posted the new "good.qcn" (I see "finished" in QPST Software). I restarted the phone but nothing changed. I think the phone in the document is just "read-only".
I want a redmagic 3 QCN file
Good job bro
Does it work for the ROG Phone 3?
I can't find that hex
Hello friends, 08 3A 85 99 99 99 99 99 99 not found, please help me
Hi, perfect post friend. I'm trying to back up the QCN on my ROG Phone 3, but when I try it says Status: Memory Backup Failure and Errors: Disk Error while writing to file. Any solution to this? I appreciate your help.
decrypterfixer said:
OOPS!
I tried it through to the finish, but when I check, I have lost my WiFi MAC address (status unavailable) and my IMEI is still unknown. And now I want to retry, but I'm stuck at the QPST Configuration application at step 17; it sometimes detects the phone, sometimes doesn't, which means I can't continue to click "Start Clients" (checked in Device Manager, nothing wrong). Can you help me?
sure which device rog 2 or 3?
gjkhan said:
sure which device rog 2 or 3?
Ugh, that's an issue; just download the Visual C++ Redistributable 2010 SP1 x86 and it should be fine.
gjkhan said:
sure which device rog 2 or 3?
ROG 2. The port keeps blinking in QPST Tools; sometimes it's detected, sometimes not, so I can't copy the QCN to the phone. And also I don't know what's wrong with the QCN; I followed the instructions, but it doesn't work.
Hmm, use another PC or cable.
gjkhan said:
hmmm use another pc or cable.
Tried it, but the problem still persists.

Samsung S9 Question

Hi,
I ran into some malware on my PC and my phone somehow wound up with it too. So what's happening is, when my device is hooked up to any device, it automatically pairs 2 separate devices. One is the phone and one is called a Bluetooth LE (Low Energy) 1927237798 etc. I have the Snapdragon Qualcomm phone and the Canadian variant with Fido. I was looking around in developer settings and I do not see any OEM unlock. Is there any way to flash the phone without it?
I need to flash the phone because the malware persists through factory data reset. I can't access any files that are relating to this bluetooth device and I have a feeling there's an embedded profile behind the screen that I see. I also noticed the script that ran put in a virtual SIM and draws mobile data when I am not hooked up to wifi. This bluetooth LE device automatically connects to surrounding bluetooth devices and infects them with whatever payload and it's like a super virus/worm from Russia/China I believe since the researcher told me some of the payloads on the PC were in russian language. Anyways, some help would be wonderful because my phone is infecting everything...
Also notably there are a string of nested file folders with no files in them. I am unable to delete them, all I have been able to do is move them up folders to the parents and try deleting but they always come back and there are a lot with really weird names and ^43%HlLuy etc.
I just hope to be able to flash stock firmware without the OEM unlock in order to wipe the old data that was changed by the malware in the providers area/root area.(No the phone was not previously rooted - I think it's not possible, but they got into protected folders and edited files somehow. I'd love to know how)
Thanks for your assistance. I have rooted a phone or two in my day but I can't remember if I can just flash stock firmware or even the best place to source it.
Doing a clean flash using Odin should hopefully resolve it. But you must do a clean flash using the CSC file, not HOME_CSC. OEM unlock is not needed.
Thank you so much. I will hunt down the right files and get this sorted.
