Uconnect 8.4 ver 17.11.07 trying to "root" - Connected Car

I was posting some questions in the "Rooted Jeep Cherokee '14 Uconnect" thread but I've started this new thread for the 17.xx versions because the methods (if we are able to identify them) aren't the same as the 16.33.29 and earlier firmwares...
I am still trying to crack into that unit with the 17.11.07 software. I have a D-Link USB Ethernet but it's a HW revision D and I believe I would need a B if we can get Ethernet enabled at all.
Also, if we can get Ethernet enabled we will still need to get SSH password or key.
devmihkel said:
For good or for bad NOT everything appears correct, except the running 17.x version... As of now neither the "commercial jailbreak" supports new versions (well yes, they were using exactly the same file to start with). Also 16.51.x or newer appears to be no go: uconnect-8-4-8-4an-update
EDIT: haven't got 17.09.07 to try, but on 17.11.07 manifest.lua has changed and the last block/search keyword is "ota_update" instead. Otherwise all the same, image valid after the edit and script.sh gets fired - at least on 16.33.29 that is. @HanJ67 Did you actually try to mount installer.iso after the edit and check /etc/manifest.lua for the end result before?
devmihkel said:
Yeah, 2nd attempt is much better as last lua block is correctly terminated and your script might actually run, but unfortunately no successful 17.x runs have been reported so far. SWF scripts are not involved in update/jail-breaking run, these ones become relevant only once you are in (and need to enable some app or wifi or navi features etc). Afaik 17.x blocks ethernet dongle usage as well, but let's see if even the USB driver/link gets activated at all?
Do you have a 16.33.29 version I can try this on? I'm wondering if it will get me far enough to execute the "manifest.lua HD_Update" hack you and @HanJ67 were discussing.
I've used the 17.43.01, then finally found a 17.11.07 and had no luck there either.
In my latest attempts on the 17.11.07, I was able to hex edit the "ifs-cmc.bin" on the UPD and replaced the SSH-RSA key with my own. I think this bin will be flashed to the MMC during an update.
That SWDL.UPD got past the initial check and rebooted into update mode, but then it fails the second ISO check and loops. I had to use an unmodified image to finish the update and get back up and running.
I keep reading about making changes only after the 2048 Byte mark in the older versions with the "S" at 0x80. Is this still relevant in later ISO/UPD images and to the second ISO check?
Right now, I'm looking to find a way to disable that check so that my modified .bin will be written to disk. I think this route would also work for modifying and getting WiFi enabled after a flash of the edited image.
If I had a 16.33.29 or similar older UPD version to attempt the HD_UPDATE hack in the Manifest.lua file I would give that a shot to be thorough.

Do you have an idea how to connect to Uconnect by USB2LAN adapter?
Do you know if there are UART pins on the mainboard?

Hello, any news about it?

hi,
can you explain how to change SSH key in "ifs-cmc.bin" file?
thanks a lot

sofro1988 said:
Hello, any news about it?
I have not had much time to work on this.
I actually had an idea last week that brought me back to this. I plan to use a custom flash drive to present an unmodified ISO for verification, then swap NAND to an identical image that has been hex edited to enable USB Ethernet and add a custom key for SSH access.
I thought to stack a NAND on top of the original on a USB flash drive, then break out the Chip Enable pin to a switch. I've seen this done by guys modifying game consoles to be able to run modified firmware.
Once the 2nd NAND is in place I will restore an image of the original NAND containing the unmodified update, then hex edit the required portions to allow access after updating.
If this method works, I should be able to pass the verification with the original NAND chip, then switch it (hopefully there's a big enough window to do this by hand) then present the modified NAND before it begins the flash procedure.
Hopefully someone more intimately familiar with the update scripts can verify I'm not missing anything in the process.

Tajadela said:
hi,
can you explain how to change SSH key in "ifs-cmc.bin" file?
thanks a lot
I used a hex editor to find the SSH RSA key and replace it. This passed the initial check to reboot into update mode, but wouldn't pass the full check in update mode. I'm hoping my attempt below will pass that check and still update with the modifications.

itsJRod said:
I used a hex editor to find the Ssh RSA key and replace it. This passed the initial check to reboot into update mode, but wouldn't pass the full check in update mode. I'm hoping my attempt below will pass that check and still update with the modifications.
Thanks for the answer.
I saw an SSH key with the hex editor, but I would like to see exactly what you have replaced.
If it's not too much trouble, it would be interesting to see with some screenshots the changes you've made.
So we could work on two fronts. The idea of the double NAND is good, but not very simple to make ...

Just thinking out loud here, when you say it passes the initial check, does it then give you any confirmation of that or any message on the screen before rebooting to upgrade mode?

SquithyX said:
Just thinking out loud here, when you say it passes the initial check, does it then give you any confirmation of that or any message on the screen before rebooting to upgrade mode?
I tried much the same thing -- the swdl.upd is another CDROM filesystem:
martinb$ file swdl.upd
swdl.upd: ISO 9660 CD-ROM filesystem data 'CDROM'
It contains three more .iso files : installer.iso, primary.iso, and secondary.iso
installer.iso is a CDROM image, but is not mountable on my linux system
primary.iso is a CDROM image, and has the usual /bin, /etc/, and /usr filesystem for an install
the /bin directory has one file - update_nand
the /etc directory has the usual mfgVersiontxt, nand_partion.txt, system_etfs_postinstall.txt, system_mmc_postinstall.txt and version.txt
the /usr/share directory is all the firmware for various components - EQ, HD_FIRMWARE, IFS, MMC_IFS_EXTENSION,OTA,SIERRA_WIRELESS,V850, and XM_FIRMWARE
What's interesting to me is that they did update the SIERRA_WIRELESS firmware -- and have done some housecleaning:
Code:
#---------------------------------
# sierra_wireless_disable_flowcontrol.file
# \d == 1 second delay
SAY " Send AT \n"
'' AT\r
OK \d
SAY "Disable flow control\n"
'' at+ifc=0,0\r
OK \d
SAY "Send SMS command CNMI\n"
'' at+cnmi=2,1,0,1,0\r
OK \d
SAY "Clear emergency number list\n"
'' AT!NVENUM=0\r
OK \d
SAY "Set emergency number to 911\n"
'' AT!NVENUM=1,"911"\r
OK \d
SAY "Save Setting\n"
'' at&w\r
OK \d
#---------------------------------
Also in the IFS directory, when you hexedit the ifs-cmc.bin file it reveals another little treat... an SSH root public key ( not as nice as a private key, but hey )
(Sorry about the formatting, this is cut/paste right out of the hex editor)
Code:
ssh-rsa [email protected]
2E..IwU.Q....njle8r9nrJ7h8atg4WfqswU0C0Rk/Ezs/sQs5ZA6ES82MQONjHBd7mw
uo8h0xfj3KeeSHMXCEBpmU26guNE4EqfvdioLFCDUxtvMYswlUZjsvd/NYz9lnUZg2hy
pwzFQjXgSzmHVrHjkKKvq7Rak/85vGZrJKxlvHnowA8JIl1tVNVQjPMNgDDJabaETtfw
LL1KlvAzI81cKOG/3IRn9lU6qyYqyG+zYoza0nN\..7/AtxdL481k81Go5c3NQTnkl2U
68lbu8CpnwrYCU098owLmxdI4kF5UOL4R61ItJuwz30JSESgT..!8RDgM6XEiHUpK9yW
vvRg+vbGWT/oQn0GQ== [email protected]
in /usr/share/MMC_IFS_EXTENSION/bin/cisco.sh and dlink.sh there's another good hint - what adapter you need for USB ethernet
Code:
#!/bin/sh
# Handle an Ethernet connection via the CISCO Linksys USB300M adapter
or
Code:
#!/bin/sh
# Handle an Ethernet connection via the D-Link DUB-E100 adapter
The static IP it brings up if no DHCP is offered is : 192.168.6.1
There's tons more in there -- like the V850 chip has access to the Sierra Wireless CDMA modem, but can configure it for voice calls through the car speakers:
"AT!AVSETPROFILE=8,1,1,0,5" ( embedded in the cmcioc.bin update file )
secondary.iso is a CDROM image and only has /etc/ and /usr
the /etc/ directory has speech_mmc_preinstall.txt and xlets_mmc1_preinstall.txt
the /usr/ directory has /usr/share/speech and /usr/share/xlets ( tons of information about sensors in the car, etc in xlets )
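
Added example, not part of the post above and not Uconnect code: when auditing a firmware image such as ifs-cmc.bin for embedded SSH public keys, a script can locate every `ssh-rsa` entry, decode its RFC 4253 key blob, and report key size and fingerprint instead of relying on a hex-editor paste. The sample image, its key material and the `MIN_RSA_BITS` threshold are constructed assumptions.

```python
import base64
import hashlib
import re
import struct

# "ssh-rsa", whitespace, then a long run of base64 text (optionally padded).
KEY_RE = re.compile(rb"ssh-rsa[ \t]+([A-Za-z0-9+/]{64,}={0,2})")
MIN_RSA_BITS = 2048  # audit threshold chosen for this example


def _read_string(buf, off):
    """Read one RFC 4251 'string' (uint32 length + body) starting at off."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + length
    if end > len(buf):
        raise ValueError("field runs past end of blob")
    return buf[off + 4:end], end


def parse_rsa_blob(blob):
    """Decode an ssh-rsa public key blob into (exponent, modulus)."""
    alg, off = _read_string(blob, 0)
    if alg != b"ssh-rsa":
        raise ValueError("algorithm field is not ssh-rsa")
    e_raw, off = _read_string(blob, off)
    n_raw, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("unexpected trailing bytes")
    return int.from_bytes(e_raw, "big"), int.from_bytes(n_raw, "big")


def find_embedded_keys(image):
    """Return one finding per 'ssh-rsa' candidate found in a firmware blob."""
    findings = []
    for m in KEY_RE.finditer(image):
        finding = {"offset": m.start(), "status": "malformed"}
        try:
            blob = base64.b64decode(m.group(1), validate=True)
            e, n = parse_rsa_blob(blob)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            finding["reason"] = str(exc)
        else:
            digest = hashlib.sha256(blob).digest()
            finding.update(
                status="valid",
                bits=n.bit_length(),
                exponent=e,
                weak=n.bit_length() < MIN_RSA_BITS,
                # Same form `ssh-keygen -lf` prints, for matching an inventory.
                fingerprint="SHA256:"
                + base64.b64encode(digest).decode().rstrip("="),
            )
        findings.append(finding)
    return findings


def _mpint(x):
    """Encode a positive integer as an RFC 4251 mpint (with sign byte room)."""
    raw = x.to_bytes(x.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw


def build_sample_image():
    """Constructed test image: padding, one intact key, one truncated key."""
    n = (1 << 2047) | 1  # constructed 2048-bit value, not a real modulus
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(65537) + _mpint(n)
    b64 = base64.b64encode(blob)
    return (b"\x00" * 512 + b"ssh-rsa " + b64 + b" constructed@example\n"
            + b"\xff" * 64 + b"ssh-rsa " + b64[:100] + b"\x00" * 32)


if __name__ == "__main__":
    for f in find_embedded_keys(build_sample_image()):
        print(f)
```

A `malformed` finding marks text that looks like a key but does not decode, which is what a damaged or partially overwritten entry produces.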

Have you tried connecting to it?

sofro1988 said:
Have you tried connecting to it?
I managed to connect with the Cisco adapter (USB / Ethernet), but I don't know the root password. Is the problem at the moment insurmountable...

Using a cisco connector, I have gotten the ethernet to come up, but that's it. At the moment, there doesn't seem to be anything I can connect to.
@Tajadela - sounds like you at least were able to either SSH or telnet in to a port... I'm on software version 17.43.01 .. which are you on, and what year vehicle? ( Jeep Grand Cherokee, 2015, Uconnect 8.4AN with the 3G Sierra Aircard modem for Sprint )

martinbogo1 said:
Using a cisco connector, I have gotten the ethernet to come up, but that's it. At the moment, there doesn't seem to be anything I can connect to.
@Tajadela - sounds like you at least were able to either SSH or telnet in to a port... I'm on software version 17.43.01 .. which are you on, and what year vehicle? ( Jeep Grand Cherokee, 2015, Uconnect 8.4AN with the 3G Sierra Aircard modem for Sprint )
I connected in telnet on a Uconnect 6.5 with firmware 15.xx.xx. You can connect to Uconnect with the static IP it brings up if no DHCP is offered: 192.168.6.1

itsJRod said:
I used a hex editor to find the Ssh RSA key and replace it. This passed the initial check to reboot into update mode, but wouldn't pass the full check in update mode. I'm hoping my attempt below will pass that check and still update with the modifications.
After the RSA key is replaced, do you have to recalculate the checksum of the UPD file?
Have you replaced the first 64 bytes of the file?
Thanks

@itsJRod, isn't it that you would like to explain the procedure to replace the RSA key in the swdl file? thank you

Hello,
have you made any progress? I am a bit lost. I put the EU uconnect MY15 to US dodge charger MY16 and Perf Pages were working fine even on 16.16.13, although after upgrade to 17.x (17.46.0.1 right now) I am meeting the problem of expired subscription (which is not possible to have on EU radio).
I am considering basically three solutions:
a) going back to US radio, but modify the language pack/nav/FM frequencies (it is doable, but I do not know how, although I can pay for it relatively less than time invested)
b) downgrade to 16.16.13 - I have no clue how to do it, I tried to put swdl.upd with swdl.iso as and installer.iso with no luck of course.
c) take xlets from KIM2/ of 16.16.13 to KIM23 of 17.46.0.1 secondary.iso - this is probably preferred way but I do not know how to make it to pass ISO validation.
Of course root on uconnect is extremely nice to have but I will be fully satisfied with Perf Pages working again.

Hello.
I'm hoping the community can help me out. I have a RAM 1500 with the RA4 (was running the 17.11.07 software that I got pushed to me OTS style a couple years ago). Since then problems, radio turn on delay, no GPS and cellular phone warning popup.
I was told to do the 18.45 update which I got from driveuconnect.com, but this has essentially bricked my radio with the "bolo update failed" error and it is looping continuously.
I have tried many ways to modify the update software's manifest.lua script to try to get rid of the sierra wireless portion by manually editing, hex editing, etc but always get the "please insert the USB card" screen.
Uconnect is obviously completely worthless to help me and the dealer wants me to pay them money to tell me what I already know. I know I can pay 300 and send my radio to infotainemnt.com to get it repaired, but I would like to solve this on my own if possible, because I would like to further modify the software to make it more custom and unique.
From my reading the 17x version keeps you from downgrading to a version that can be hacked easily.
Everything seems like it should be pretty straightforward as I have a lot of experience in programming and embedded devices.
It seems they are validating the ISOs using some mechanism, I believe I have tried all of the tricks/methods.
I have searched the code to see if I can find the ISO MD5 or SHA256 hashes that ioc_check is probably using to figure out I changed something but nothing works.
I have even tried swapping the flash drives after validation but it seems they are using the ISOs they already copied to continue the process, I then end up getting some invalid errors or the update just crashes out.
I got other updates from the link: http://www.mydrive.ch/
username: [email protected]
Password: gasolio
Haven't tried all of them yet, but pretty sure they won't work, due to the 17x security changes.
Any help would be appreciated greatly, I really don't want to shell out any cash for something a company told me to do and due to their screw up with bricking modems, this is now bricking my radio.
Thanks to all in advance !!!
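
Added example, not part of the post above and not Uconnect code: the observation that the updater keeps working from ISOs it has already copied corresponds to a copy-then-verify ordering, shown here beside the weaker verify-then-reread ordering. The class, function names, image contents and the digest manifest (assumed to be authenticated separately, for example by a signature) are all hypothetical.

```python
import hashlib
import hmac


class RemovableMedia:
    """Constructed stand-in for removable media whose content changes
    after the first read of each file."""

    def __init__(self, first_read, later_reads):
        self._first, self._later = first_read, later_reads
        self.reads = {}

    def read(self, name):
        count = self.reads.get(name, 0)
        self.reads[name] = count + 1
        source = self._first if count == 0 else self._later
        return source[name]


def _check(name, data, manifest):
    """Compare the SHA-256 of data against the trusted manifest entry."""
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, manifest[name]):
        raise ValueError(f"{name}: digest mismatch, update refused")


def update_verify_then_reread(media, manifest):
    """Weak ordering: validate on the media, then read it again to flash."""
    for name in manifest:
        _check(name, media.read(name), manifest)
    # Second read: these bytes were never verified.
    return {name: media.read(name) for name in manifest}


def update_copy_then_verify(media, manifest):
    """Hardened ordering: stage each image once, verify the staged copy,
    and flash only that copy."""
    staged = {name: media.read(name) for name in manifest}
    for name, data in staged.items():
        _check(name, data, manifest)
    return staged


def is_refused(updater, media, manifest):
    """True when the updater rejects the media instead of returning images."""
    try:
        updater(media, manifest)
    except ValueError:
        return True
    return False


def build_case():
    """Constructed images named after the three ISOs listed in the thread."""
    genuine = {
        "installer.iso": b"installer v1",
        "primary.iso": b"system v1",
        "secondary.iso": b"speech v1",
    }
    altered = {**genuine, "primary.iso": b"system v1 + edit"}
    manifest = {n: hashlib.sha256(d).hexdigest() for n, d in genuine.items()}
    return genuine, altered, manifest


if __name__ == "__main__":
    genuine, altered, manifest = build_case()
    weak = update_verify_then_reread(RemovableMedia(genuine, altered), manifest)
    print("weak ordering flashed unverified data:", weak != genuine)
    strong = update_copy_then_verify(RemovableMedia(genuine, altered), manifest)
    print("hardened ordering flashed verified data:", strong == genuine)
```

With the hardened ordering, content that changes on the media after staging never reaches the flash step, and content that is altered before staging fails the digest check.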

Just to follow up for anyone who reads this in the future.
I was able to get my uconnect working again a few minutes ago.
As my previous post stated I got stuck in the "bolo update failed" loop.
I downloaded the UCONNECT_8.4AN_RA4_16.33.29_MY16.exe update from the url posted in my previous comment.
I did the S Byte HEX Mod to the swdl.iso file, loaded it and the swdl.upd file on a thumb drive. Used HxD on Windows. Followed the section in the Uconnect exploitation PDF:
https://www.google.com/url?sa=t&source=web&rct=j&url=http://illmatics.com/Remote%2520Car%2520Hacking.pdf&ved=2ahUKEwjZsOGNl5nyAhWhGVkFHZy2AnAQFnoECAcQAg&usg=AOvVaw0NAi3a1eh-IRd3n1VHv-ys
When I plugged it in, it started with the update process, after the first unit, the screen said the Uconnect had to restart, please wait..
And voilà my radio worked again!!! It even says it has the 18.45 firmware on it.. go figure.. Navigation still does not work, but that's most likely because the sierra wireless card is bad.
I cannot say for sure the S Byte thing did anything, because I'm not messing with this anymore, almost had to buy a new radio.
I would say try it without, then with it if it doesn't work.
This could also be a fluke with my particular unit, but at least it's something else to try than pay 600+ dollars!!
Good luck to anyone else who goes through this mess!!!

I created an account just to reply to this and all I have to say is you're literally an absolute life saver. I've been working on this every day for two weeks now, trying every trick people said, trying every USB, every format, every version and nothing ever worked for me. Uconnect support was absolutely no help and it was a lot of back-and-forth finger pointing and no you need to reach out to this person between them and the dealership. Dealership tried to charge me for a Proxy Alignment when I asked to just update my damn radio stuck in this loop.
I have a 2015 Jeep Cherokee 8.4AN VP4 NA Head Unit 68238619AJ. I was updating from 17.11.07 to 18.45.01 and got stuck at the step 11 1% and would get a failed sierra wireless every time and then got in that "bolo update failed" loop. Well to fix it just now all I did was download the UCONNECT_8.4AN_RA4_16.33.29_MY16.exe update from the url posted in the previous comment and quick format to FAT32 on a 16GB Micro Center USB, extracted the files from 16.33.29 to the USB with 7ZIP, plugged in like normal and BOOM it ran the first step, restarted and I had a working radio again showing update 18.45.01.
(So I'm assuming you don't have to do the S Byte thing, I didn't even mess with it, I just used the 16.33.29 to bypass step 11 since that version only has 14 steps and 18.45.01 was already preloaded from attempting before. My navigation still is the wrong address but I don't care about all that, just thankful to have my radio back before my wife killed me for trying to update it by myself.)
I hope this helps someone else one day because it took some deep research and hours on hours of forum hopping to finally find the solution. <3

Do you have another link to download the UCONNECT_8.4AN_RA4_16.33.29_MY16.exe files? I am trying to help a friend of mine the way this helped me. Thank you again for this!

Related

Trouble with my Asus MyPal A626

Hello!
I recently bricked my MyPal A626. In the last weeks I tried several things but until now I wasn't able to figure out how to fix this thing.
I know that you can flash the ROM via the USBLoader.exe over USB. But I need a .nb0 file for this.
Perhaps there is someone in this board who can help me out with this file?
You should be able to dump the rom with the itsutils over RAPI.
http://wiki.xda-developers.com/index.php?pagename=XdaUtils
It should be something like this:
1) pdocread -t
2) pdocread -l
3) pdocread 0x0 xxxxxx nk.nb0
One of the first commands gives you the length of the ROM.
I can't test it by myself because my device is bricked.
Perhaps it would be enough if somebody with an A626 can execute the first and second commands and post the output here.
It would be very great if somebody can help me!
BTW:
I have got a Backup... But the bootloader doesn't want this. It reads everything from USB but it isn't flashed. And I have absolutely no idea why.
I can upload this file to rapidshare if somebody wants to look at it.
I really hate to resurrect an old thread, but I am having the exact same problem. ASUS tech support has been rather less than helpful. They won't provide a NB0 file to end users, nor any fix tools that would work with the encrypted image or anything like that either. They told me I have to RMA the thing after passing me back and forth and giving me the runaround for about an hour or more even. Only, I STILL haven't gotten a response from the RMA department even... The person I tried to do this update for REALLY needs her PDA back already and I find this whole situation to be quite unacceptable. I only had to attempt to use the update in the first place because they made a screw-up that makes the SD card inaccessible without reinserting after pressing the power button... A pretty big screw-up IMO considering that good PDA practices really requires one to run as much as possible from the SD card for the sake of wasting less resources in a device that already has all too few resources to begin with... (Then again, MS still hasn't caught on to the fact that minimizing rather than closing programs on a device that has so little memory is rather less than ideal, so I guess there's nothing new in that area.) The funniest thing of all is that I wasn't trying to modify it or anything like that, I just did the update right by the manual needing only to get the SD card fix and it STILL went wrong (especially I find it annoying that the update process did a checksum on the update.img file and reported that the file was actually correct, then it fails AFTER completely flashing and doesn't bother to make any kind of recovery).
If anyone could help me out with a NB0 for this thing, I'd REALLY appreciate it. I just want to get it up and running again so she can use her PDA for getting organized as she has been desperately needing for so long.
BTW, should the OP ever read this, I have noticed that if you send the right things, it WILL try to flash. I once sent the update.dat file in the hopes that it might include information needed to make the flash work (it was my hope that the process was a little smart and that it would, therefore, use the DAT file for information on the flash and then include the needed image.) The device actually did make a flash with this file. Of course, the flash obviously didn't work, but the point is that it can do a flash through this method if you send what it's looking for.
GOOGLE this A696_dump_wm5_eng.rar
No good. All two links Google finds are dead (I see two different posts in two different forums, but actually each link to the same links and these are both dead.) I did see a reference to a "A696_dump_wm6_2_eng.rar" but it too is dead. (One of those two forums was this one, I see, surprisingly enough considering that the first thing I did was run a search as is evidenced by finding an old thread -- but then I must admit that I was searching for A626, not A696...) The next closest I can find through this search is a Russian dump for an A636N. I don't have an A636N and I can't read a word of Russian. That link is still alive, but I'm not even going to try it since even if it were actually compatible with the A626 (and I'm betting it's not) it still would be as good as a brick to me still.
But anyway, is the A696 ROM actually directly compatible with an A626 system?
EDIT: I stand corrected! The link for the 6.2 update on the A696 isn't dead after all. When I tried last night it would just spend a REALLY long time trying to load and eventually either time out or produce a database error. When I tried today though, it did successfully download. Looks like it does work. Thank goodness because the PDA's owner really needs a working PDA, and ASUS seems rather less than helpful...
Nazo said:
But anyway, is the A696 ROM actually directly compatible with an A626 system?
EDIT: I stand corrected! The link for the 6.2 update on the A696 isn't dead after all. When I tried last night it would just spend a REALLY long time trying to load and eventually either time out or produce a database error. When I tried today though, it did successfully download. Looks like it does work. Thank goodness because the PDA's owner really needs a working PDA, and ASUS seems rather less than helpful...
626,686,696 are same series.. aka. asus 6x6 or the cannes. if you go to asus website. there is a single rom for these 3 models.
what's the 6.2 update you are talking about ? anyway.. let me know if you still want the 6x6 wm5 dump file. I can upload it to somewhere..
Well, I went ahead and flashed despite worrying about model compatibility. I figured they were the same basic hardware, but I figured that it was always possible that there could be important differences such as memory latencies or such that could make it incompatible perhaps even to the point of danger. But, it's just the software end of things more than anything else, so I figured that it couldn't brick the PDA any worse than it was already bricked and went ahead. As you say though, I have noticed that you are correct that they do use the same ROM for all three models on the official site anyway, so it works 100%.
As for the 6.2, it's in the link I provided to a topic here on this forum. The only other result you'll find on google is just a site in Russian or whatever where they repeat the exact same links for each of the files so you might just as well use this one. It's hosted on MediaFire which was really screwed up when I posted that it was a dead link, but it seems to have recovered and I was able to download that updated ROM from there. I think that you may have to look on the previous page from the link I gave though.
I must say though, I'm glad to have found that one. I HAD to do the update. You see, it was more than just an update to WM6.2. It also included a lot of bugfixes. The most notable being that the system would no longer recognize the SD card after a suspend for a while (or several suspends -- I never was sure just which was the culprit.) Resetting or ejecting and reinserting fixes it, but she was having troubles with this because she isn't exactly the most technosavvy person I have ever known. The SD card disappearing bug was a fatal flaw because she must load up things such as books and such via SD card and all of it together adds up to well over what can fit safely in internal memory and the file storage combined (but which easily fit on a 2GB SD card) and I needed that update, so if I had to get the WM5 ROM again I'd have to just update again and again as many times as it took to get past the bricking. This way I needed only load up the ROM once and that was it. ASUS really needs to create a tool that can load the encrypted ROM from a PC like HP has done (I've bricked my h1945 PDA while attempting to update it once before and was able to fix it quite easily just as soon as I figured out how to get into the so called "parrot mode.") and such so we don't have to resort to such means to fix them...
Anyway, now I need to get started on loading up all of the stuff she needs.
I just bricked my A363N - WM5.0->6.0 upgrade failed (SD card read error).
Now I'm trying to make it work again.
Russian WM5.0 doesn't work - stops on the calendar screen.
I wonder if I can try to upload update.dat file from the Asus wwe.rar
with SD card inserted and containing Update.img.
Is the update.dat file in .nb0 format ?
Is the A636 actually the same series? If not that post belongs in an appropriate thread instead. If it is, why are you trying to use the Russian update? Just use the plain English one. Here, it's in this post on this site: http://forum.xda-developers.com/showpost.php?p=1495484&postcount=126 I checked and the link is still alive right now.
Yeah, very cool.
I remembered this post 10 minutes ago.
I will try the 696 firmware... Let's see if we can get this ****ing machine running the moon
Meanwhile i tried several things with the update.img file. The "Encryption" is a simple xoring with 0xd0 ^^
But even if you xor the whole file with this value you still don't have a valid nb0. I tried many times to cut out the firmware with a hex editor at the obvious places in the file (go and see yourself if interested) but all this didn't work.
edit:
It doesn't seem to work for me... The file gets flashed and the device reboots.
After that it still gets stuck at the blue asus screen but it is recognized by the computer as a RNDIS device.
another edit:
WOAH... I tried it again and now it works.
It seems that the battery was empty because of all the previous tries.
Unsuccessful ROM flash
Hello,
I bricked my 696 asus, trying to do an update from the asus site.
Can you tell me some methods to repair it, using the sd card, because the method with usbloader.exe and nk.nb0 is not working ("USB pipe opening error", I tried on several computers and many usb ports).
Also, how can I transform the nk.nb0 flashing image into a *.dio image (I understand the last one can be used to boot and repair automatically from the SD card, it is real???).
10x a lot
Still not working
any new idea to reflash rom for a696 ?
Hello to you
any news about how to make rom upgrade for asus a696 ?

The opening of the Wave bootloader through FOTA

Hi everyone,
Many people have complained about the Wave bootloader being closed and that being major problem for the development of alternative OS.
I had a closer look at the booting process and would like to contribute my observations to the community. I shall have little time (next to none) to work on it further, so I'd like someone to take it from this point.
OK, that said I can introduce you to what I found:
The booting process starts with initialization of the hardware, interrupts, etc. and gets to the selection of the booting mode. This is the place that checks the key combination, JIG and possible problems. Based on this the bootloader will run the phone in either normal boot mode, or go to download or upload mode.
Normal boot shall start with checking the FOTA module. If you already tried flashing your phone you probably noticed that some versions of the FW include a file with *.fota extension. The file is unencrypted and not signed. It's about 2MB, but the bootloader reserves exactly 3MB for it. FOTA is intended to be used for firmware update over the air, but I know nothing about it being used for Wave. You may read something about the design and get a concept of that process here:
http://www.freepatentsonline.com/pdfb/documents/usapp/patent_pdf/2010/017/US20100175062/pdf/US20100175062.pdf
Basically, it is possible that boot would need to perform some actions that are a result of FOTA. Therefore, during the normal boot it reads the FOTA module from the NAND (0xC600000) and checks whether the module exists and is in the right version. That is done by checking a magic (text "FOTA_ENGINE_VER_INFO_2.0") under the 0xC600100. If it is found missing or incorrect you will end up with the message "FOTA Engine is not intalled" or "FOTA Engine version mismatch" on the screen and you will need to restart your phone in the download mode to load it.
After that, the code checks for additional magic values at 0xC880000. In case it is "BPDZ" it jumps to the code in the FOTA file. The contents of the file is loaded to RAM location 0x43800000 and executed from there.
I've made an experiment as a proof-of-concept and have confirmed that the above is true and valid information. I crafted a FOTA file longer than the usual attached (to be bigger than 2,5 MB). In case you want to repeat that, remember that the last 1024 bytes are not loaded and insert additional data before that. My file had two magic values:
"FOTA_ENGINE_VER_INFO_2.0" at 0x100 offset and "BPDZ" at 0x280000. At offset 0 I've placed my code that started with several NOPs (just in case) and code that called original bootloader functions to display text on the screen.
After loading the file with Multiloader, the message appeared on the screen as expected. Reloading of the original FOTA file made the phone boot normally.
The discovery opens a wide area of possibilities starting with replacing bootloader without signing it or using JTAG, multiboot, etc.
As the original bootloader is in the memory as well, we can use it, but I would not recommend that approach as we would need additional version control and changing original routines and data addresses for each version.
OK. I hope I made it clear enough to understand, but I can clarify what I might have omitted in the description. The idea is that someone here would pick that up from where I finished and develop a decent loader leaving the original files (apart from FOTA) untouched.
Best Regards,
mijoma
-----------------------------------
Edit: Added proof-of-concept FOTA file (based on XXJL2 FOTA). Use wisely - remember you take full responsibility for what you load on your phone. Works ONLY with XXJL2 bootloader.
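The layout described in the post above, turned into a read-only image check (an added example, not part of the original post and not mijoma's code). The addresses and magic strings are the ones quoted in the post; the function names, the sample images (zero-filled, constructed) and the rule that a magic inside the unloaded last 1024 bytes does not count are assumptions.

```python
"""Static check of a FOTA image against the layout quoted in the post."""

# Values quoted from the post.
NAND_FOTA_BASE = 0x0C600000       # NAND address the FOTA module is read from
NAND_VERSION_MAGIC = 0x0C600100   # where the engine version string is checked
NAND_JUMP_MAGIC = 0x0C880000      # where the second magic is checked
RAM_LOAD_ADDR = 0x43800000        # RAM address the file contents run from
RESERVED_BYTES = 3 * 1024 * 1024  # space the bootloader reserves for FOTA
UNLOADED_TAIL = 1024              # trailing bytes reported as not loaded
VERSION_MAGIC = b"FOTA_ENGINE_VER_INFO_2.0"
JUMP_MAGIC = b"BPDZ"

# File offsets follow from the NAND addresses: 0x100 and 0x280000.
VERSION_OFFSET = NAND_VERSION_MAGIC - NAND_FOTA_BASE
JUMP_OFFSET = NAND_JUMP_MAGIC - NAND_FOTA_BASE


def inspect_fota(image: bytes) -> dict:
    """Report which boot path the described checks would take for this image."""
    loaded = max(len(image) - UNLOADED_TAIL, 0)

    def has_magic(offset: int, magic: bytes) -> bool:
        # Assumption: a magic only counts if it lies in the loaded part.
        end = offset + len(magic)
        return end <= loaded and image[offset:end] == magic

    version_ok = has_magic(VERSION_OFFSET, VERSION_MAGIC)
    jump = has_magic(JUMP_OFFSET, JUMP_MAGIC)
    if not version_ok:
        outcome = "boot stops: FOTA engine missing or version mismatch"
    elif jump:
        outcome = "bootloader jumps into FOTA code at 0x%08X" % RAM_LOAD_ADDR
    else:
        # Assumption: no second magic means the normal boot continues,
        # as reported for the original FOTA file.
        outcome = "normal boot"
    return {
        "size": len(image),
        "fits_reserved_area": len(image) <= RESERVED_BYTES,
        "loaded_bytes": loaded,
        "version_magic": version_ok,
        "jump_magic": jump,
        "outcome": outcome,
    }


def make_sample(size: int, with_jump_magic: bool) -> bytes:
    """Constructed, zero-filled image carrying only the magic strings."""
    buf = bytearray(size)
    buf[VERSION_OFFSET:VERSION_OFFSET + len(VERSION_MAGIC)] = VERSION_MAGIC
    if with_jump_magic:
        buf[JUMP_OFFSET:JUMP_OFFSET + len(JUMP_MAGIC)] = JUMP_MAGIC
    return bytes(buf)


if __name__ == "__main__":
    samples = {
        "stock-sized (2 MiB)": make_sample(2 * 1024 * 1024, False),
        "extended with second magic": make_sample(0x2A0000, True),
        "second magic inside unloaded tail": make_sample(0x280000 + 512, True),
    }
    for name, image in samples.items():
        report = inspect_fota(image)
        print("%-36s %s" % (name, report["outcome"]))
```

Because the image is neither encrypted nor signed, a check like this is the only gate available before flashing; it inspects the file only and says nothing about data already present in the reserved NAND area.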
Very interesting ... great job
My little knowledge/experiments...
1.
Before I NEVER updated manually FOTA. I never seen any Errors like other user... with FOTA not installed or something similar.
Maybe reason is, because my testdevice has NO active SIM card, so no network...
2.
I've tested examples from mijoma. On XXJL2 Boot...
Simple only flash FOTA with Multiloader.
At your own risk. Not all sideeffects known.
I had NO problems.
3.
Results... I can't see any special after Flashing. But I can go through internal menu, see Pictures.
http://forum.xda-developers.com/showthread.php?t=906966
Normally I have more messages... but with modified FOTA Wave restarts. So the way is correct.
4.
Delta files are sometimes in Firmware also with Boot... I will add next Link to what I found about Delta files...
Delta Files are part of FOTA concept...
5.
Depend on Firmware... Software update... but sometimes is this point removed and I can't login, because no network...
In other words, I have to start FOTA over this internal menu to see that it is doing something.
Best Regards
@adfree
I think you are testing the previous version. Could you confirm you are using mod version 2?
Best Regards,
mijoma
bplib_S8500OpEuro_XXJL2_mijoma_mod2.zip
You are right, not tested yet. Only prior Version.
I will test today mod2 and report later.
I have to flash back to XXJL2... as I play actual on Orange JE7.
Thank you.
Best Regards
YT: watch?v=A35k3E1F1O4
It's working....
Best regards.
Amazing job dude. It seems like this could help us to change booting stuff
Nice work mijoma !!!
I can confirm it works.
Now I see the same like on this Video:
http://www.youtube.com/watch?v=A35k3E1F1O4
Thanx jedil1 for Link.
Sorry mijoma.
I have no idea where I made mistake...
This time my first Test was Full Flash (without Boot)...
Second only FOTA and it works too... Original, then yours...
If you flash "Full", then you interrupt the Index process at Start, where Blue Screen shows...
Best Regards
Great job!!!
And my opinion,this is a single way to starting full working android on s8500,
because we need to initialize the modem at bootloader stage for fuel gauge.
i temporary use modem from m130k without fuel gauge.
Few Firmware packages have Delta files:
Code:
delta.bin
delta_AP.bin
delta_CFS.bin
delta_CP.bin
delta_CRSRC.bin
delta_FS.bin
delta_LFS_01.bin
delta_LFS_02.bin
delta_RSRC2.bin
Around 16 MB...
If I use Google for "Delta Files FOTA"... then I can also find this:
http://www.faqs.org/patents/app/20100175062
Theory/ideas
What we also can do with this Security hole:
- maybe "move" folder System to SD or internal Memory, to have no more problems with RC1
- maybe someone is smart enough, to integrate Dump Function for Dump whole RAM or moviNAND... like JTAG
See Upload function...
Best Regards
adfree said:
- maybe someone is smart enough, to integrate Dump Function for Dump whole RAM or moviNAND... like JTAG
See Upload function...
Best Regards
I think that Samsung have thought of that already. I had not analysed that as so far, but there's UPLOAD option in the bootloader (handled by a bit separate code from DLOAD). I haven't got the wave, so I never tested it.
You can make a patch on my mod and place a direct jump to that code. I've made a quick patch so you can try it out. I don't know whether there's any software that can handle that mode. I've made a look and there are several funny commands that can be used:
"PrEaMbLe"
"AcKnOwLeDgMeNt"
"PoStAmBlE"
"PoWeRdOwN"
"DaTaXfEr"
Remember that this time we're dealing with some real functionality of the bootloader and that may have some consequences so use on your own risk.
Best Regards,
mijoma
----------------------
Edit: Sorry if anyone tried loading it. By mistake I've used addressing from XXJEE. I've changed the name to represent what it was and added a correct file for XXJL2 bootloader
Upload to PC is in combination with Debug Mode higher than Low...
After you see Bluescreen with very interesting infos you can press Button, then Upload to PC on Screen. But I don't know how to catch Data, as no COM Port is visible.
Btw...
Now I know where I made big mistake.
First tests I used XEKC2 Firmware with XXJL2 Bootloader, as I thought its only Bootloader related. Sorry.
My fault.
So there must be more than Bootloader from XXJL2 in handset, to run successfully FOTA Mod2.
About new Mod with Upload, I will investigate this time better, before I'll report.
Thank you.
Best Regards
We need to get this guy a wave to test stuff on! Who wants to donate theirs ha
sabianadmin said:
We need to get this guy a wave to test stuff on! Who wants to donate theirs ha
It may have sounded like a joke, but I second that....
He seems trustworthy and very capable of being successful. Just like adfree, oleg_k and other guys over there.
I have my paypal account limited but in 1 month I'll b able to donate maybe 20€
Thanks guys, but I don't think it's necessary.
I do it for fun - don't need any other gratification. Wave got me interested with the effort the manufacturer put trying to keep it closed. I don't need a handset to disassemble the bootloader.
The question is more would you like a wave for your efforts as otherwise you really won't be able to benefit from your own work when we have meego, android, webOS etc booting on the Wave. There's no extra pressure, sure you have already done the trickiest part of the work.
No, I'm being completely honest here. I find this rather a weird form of relax than work.
Wave is a nice phone and I think I'm going to get myself one, but I don't expect a gift.
mijoma said:
Wave is a nice phone and I think I'm going to get myself one, but I don't expect a gift.
You are a champ, buddy
Good luck !
Sent from my GT-I9003 using XDA App

Recover / Hard Reset

Anyone have the steps to take to perform a hard reset or fix a non booting device?
I am stuck on the amazon Fire TV part where the boot animation is doing nothing. Can't get past this screen and have been stuck for the last 10 minutes.
jamesrascal said:
Anyone have the steps to take to perform a hard reset or fix a non booting device?
I am stuck on the amazon Fire TV part where the boot animation is doing nothing. Can't get past this screen and have been stuck for the last 10 minutes.
End Result. If you brick your box Amazon has no troubleshooting steps outside of rebooting the box. Once you get past that step and you're still having an issue Amazon will issue you a replacement FireTV.
You will need to call Amazon as the Live chat is useless: 866-216-1072 Press 0 and ask to be transferred to the Fire TV department.
jamesrascal said:
Anyone have the steps to take to perform a hard reset or fix a non booting device?
I am stuck on the amazon Fire TV part where the boot animation is doing nothing. Can't get past this screen and have been stuck for the last 10 minutes.
Oh, boy. That is unfortunate. What did you do that led to bricking your box?
I am in the same situation with one of my FireTV boxes. What caused it was one of the SQLite editors I used to explore the settings database: it changed the permissions on the files. I only realized the problem once I rebooted it
On the other box, I used the SQLite3 command line client from TitaniumBackup instead, and directly did my edit as root. No problem there.
Unfortunately, I am not in US; so if there is a way to do a hard reset, I would be glad to know.
if you bought yours at a local best buy and are a select customer, you may have an extended return policy.
You must have edited something you shouldn't have with the sqlite editor. I edited mine to allow package installs and did a factory reset and it's all good. Did you only disable the updates through pm disable com.amazon.dcp or did you also edit the /etc/hosts? Let's get this figured out so others don't end up the same way.
Stupid question, did you pick TWRP as a method of recovery during the rooting process? I did that on my note 10.1 and boy did it mess up that tablet when I tried to recover it. Luckily I had Odin at the time.
Sent from my SM-N900V using Tapatalk
arman68 said:
I am in the same situation with one of my FireTV boxes. What caused it was one of the SQLite editors I used to explore the settings database: it changed the permissions on the files. I only realized the problem once I rebooted it
On the other box, I used the SQLite3 command line client from TitaniumBackup instead, and directly did my edit as root. No problem there.
Unfortunately, I am not in US; so if there is a way to do a hard reset, I would be glad to know.
Do you recall which sqlite editor app you used that caused the problem?
Be interesting to know if there's a stock recovery, and if there is, if it's looking for an update.zip file on a thumb drive in the USB slot. We can tell that USB slot is getting polled at start time by the way that certain connections to it will hang the device.
If it were me, what I'd try is to obtain a 1 gig or so USB drive, format it fat32 and copy the OTA update to it.
- Leave it zipped.
- Name it update.zip
- pull the plug on the FTV
- put the USB stick in
- power it on and leave it for a bit. Watch it - is the power LED going out? If so, it may be doing a recovery install of the signed OTA and rebooting - many Android devices will install anything on the sdcard called Update.zip if it's there at boot time.
The idea is that if there's a stock recovery it may be able to see that USB storage and read the OTA file as a recovery source.
roustabout said:
Be interesting to know if there's a stock recovery, and if there is, if it's looking for an update.zip file on a thumb drive in the USB slot. We can tell that USB slot is getting polled at start time by the way that certain connections to it will hang the device.
If it were me, what I'd try is to obtain a 1 gig or so USB drive, format it fat32 and copy the OTA update to it.
- Leave it zipped.
- Name it update.zip
- pull the plug on the FTV
- put the USB stick in
- power it on and leave it for a bit. Watch it - is the power LED going out? If so, it may be doing a recovery install of the signed OTA and rebooting - many Android devices will install anything on the sdcard called Update.zip if it's there at boot time.
The idea is that if there's a stock recovery it may be able to see that USB storage and read the OTA file as a recovery source.
There might be something to this idea. There was a review posted on Amazon and the reviewer had a Best Buy box that wouldn't go past the Amazon screen. They said Amazon told them how to use the USB to get it to work. A couple people asked for more info but they never responded. I have tried going back through the reviews to see if they ever did, but there are almost 6000 reviews.
kairnage said:
There might be something to this idea. There was a review posted on Amazon and the reviewer had a Best Buy box that wouldn't go past the Amazon screen. They said Amazon told them how to use the USB to get it to work. A couple people asked for more info but they never responded. I have tried going back through the reviews to see if they ever did, but there are almost 6000 reviews.
i have only sideloaded a few apps , no root or root attempt was made before issues.
i have a similar boot issue ( stops at amazon first screen and led flashes white) . i believe my remote is fried , batteries heated up while pressing the home button to pair remote , i removed battery and found the plastic wrap on one starting to burn . i believe remote is toast .
can anyone verify that the boot will stop until remote is paired ?
ps : amazon phone help mentioned reset on remote was hold right arrow key ( ie right circle ) and home button for 10 secs , to reset just the remote ,. nothing helped mine , i say its dead. another is on the way ,. he also said the lack of pairing with remote should not have stopped the ftv boot , it should have gone past first amazon screen . other than restarting the ftv by disconnecting power he offered no other reset method .
bkdg100 said:
i have a similar boot issue ( stops at amazon first screen and led flashes white) . i believe my remote is fried , batteries heated up while pressing the home button to pair remote , i removed battery and found the plastic wrap on one starting to burn . i believe remote is toast .
can anyone verify that the boot will stop until remote is paired ?
Removed batteries from remote and rebooted FTV, boots like normal, could not find a way to delete a paired remote otherwise I would have tried that too,
userr12 said:
Removed batteries from remote and rebooted FTV, boots like normal, could not find a way to delete a paired remote otherwise I would have tried that too,
thanks ,. i called amazon they confirmed normal boot even without pairing ,. also said how to reset "just the remote" ,. right tab and home for 10secs.
kairnage said:
There might be something to this idea. There was a review posted on Amazon and the reviewer had a Best Buy box that wouldn't go past the Amazon screen. They said Amazon told them how to use the USB to get it to work. A couple people asked for more info but they never responded. I have tried going back through the reviews to see if they ever did, but there are almost 6000 reviews.
I'm trying to find that review now. so far nothing
fireTVnews.com said:
Do you recall which sqlite editor app you used that caused the problem?
I have reviewed the logs of what I did, and it was my fault:
I used a non-root SQLite editor, which means I had to give -rw-rw-rw- access to the database folder and content, which I did.
With the SQLite editor, all I did was to explore the database structure.
Once done, I restored the original permissions, first -rw------- (chmod 660) on the database folder and database file itself.
Finally I restored read-only -r-------- (chmod 600) to the extra files (settings-*), and that was my mistake: I did not notice my chmod line had 2 entries, with the first one being the database folder (wrong)
If only I would have root write access to the file system with adb, I could easily fix it, with a simple chmod 660 on the database folder.
In hindsight, I was very careless to do that directly on the FireTV; I should have taken a copy of settings.db, and explored it on the PC.
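The failure mode described in the post above, a file-style mode landing on the database folder, reproduced in a scratch directory together with a check that catches it before a reboot (an added example, not part of the original post). The directory layout, file names and baseline modes are constructed for the demonstration and are not taken from a Fire TV.

```python
"""Audit a settings directory for the two permission states from the post."""
import os
import stat
import tempfile


def audit(path, findings=None):
    """Collect (name, mode string, problem) tuples for path and its contents."""
    findings = [] if findings is None else findings
    st = os.lstat(path)
    name = os.path.basename(path)
    mode = stat.filemode(st.st_mode)
    if stat.S_ISDIR(st.st_mode):
        if not st.st_mode & stat.S_IXUSR:
            # Without the search bit the owner cannot open anything inside,
            # whatever the modes of the files themselves are.
            findings.append((name, mode, "directory has no owner search (x) bit"))
            return findings
        try:
            entries = sorted(os.listdir(path))
        except OSError as exc:
            findings.append((name, mode, "cannot list: %s" % exc.strerror))
            return findings
        for entry in entries:
            audit(os.path.join(path, entry), findings)
    elif st.st_mode & stat.S_IWOTH:
        findings.append((name, mode, "file is world-writable"))
    return findings


def run_demo():
    """Walk through the sequence from the post on constructed files."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        db_dir = os.path.join(root, "databases")      # constructed layout
        db = os.path.join(db_dir, "settings.db")
        extra = os.path.join(db_dir, "settings-sample")
        os.mkdir(db_dir)
        for path in (db, extra):
            open(path, "wb").close()

        # Constructed baseline: searchable directory, private files.
        os.chmod(db_dir, 0o771)
        os.chmod(db, 0o660)
        os.chmod(extra, 0o600)
        results["baseline"] = audit(db_dir)

        # Step 1: database opened up so a non-root editor can read it.
        os.chmod(db, 0o666)
        results["opened"] = audit(db_dir)

        # Step 2: restore, but the chmod target list also names the folder.
        # The file is changed first so the demo also runs unprivileged.
        os.chmod(db, 0o660)
        for target in (extra, db_dir):
            os.chmod(target, 0o600)
        results["after_slip"] = audit(db_dir)

        # Repair: give the directory its search bits back.
        os.chmod(db_dir, 0o771)
        results["repaired"] = audit(db_dir)
    return results


if __name__ == "__main__":
    for stage, findings in run_demo().items():
        print(stage, findings or "ok")
```

Running the audit on a pulled copy of the directory, or after every batch of chmod calls, flags the folder-level change while it can still be reverted.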
Luxferro said:
I'm trying to find that review now. so far nothing
Yeah I took a look again today. Their search doesn't really drill down very well.
Luxferro said:
I'm trying to find that review now. so far nothing
kairnage said:
Yeah I took a look again today. Their search doesn't really drill down very well.
Here are all the reviews with the word "USB" in them on one page:
http://firetvnews.com/review_usb.html
I skimmed through it but couldn't find the elusive review.
@Firetv: please review post #15 in this thread, and consider adjusting the post on your website accordingly - when I saw your site, it was stating that adjusting values in the settings databases risked changing the permissions on those databases.
That does not appear to be the case, but rather reflected confusion on the part of the person who was doing the settings changes and permissions changes from the shell at the same time.
I haven't seen a db editor that changes the permissions of the dbs themselves....
Back to softbricked devices: I see that Amazon sells a thing called a "fastboot cable" which in theory forces the Kindle Fires to reboot into fastboot mode if attached to a computer. I'd be interested in what one of these did in conjunction with an A to A converter, since I haven't seen fastboot mode available yet (that I know of)
roustabout said:
@Firetv: please review post #15 in this thread, and consider adjusting the post on your website accordingly - when I saw your site, it was stating that adjusting values in the settings databases risked changing the permissions on those databases.
That does not appear to be the case, but rather reflected confusion on the part of the person who was doing the settings changes and permissions changes from the shell at the same time.
I haven't seen a db editor that changes the permissions of the dbs themselves....
Back to softbricked devices: I see that Amazon sells a thing called a "fastboot cable" which in theory forces the Kindle Fires to reboot into fastboot mode if attached to a computer. I'd be interested in what one of these did in conjunction with an A to A converter, since I haven't seen fastboot mode available yet (that I know of)
I've definitely been tempted to remove the warning about SQLite databases after reading arman68's update. I haven't, however, because I've been individually contacted by someone stating they used a free SQLite app from the Google Play store which caused them to lose their ethernet connection and soft-bricked after a restart.
I have gone ahead and updated the post to reduce the concern and stated that the SQLite Editor app everyone is using here seems to be safe.
Also, a fastboot connection can be achieved with any A to A USB cable. You simply need to boot the Fire TV while it's connected to a computer and it will boot into fastboot. I've done this myself with a Mac (have not tried a PC). The Fire TV displays a white Amazon logo on the screen and stays there until you reboot it without the cable plugged in. There doesn't seem to be much that can be done with the locked bootloader, but then again, I'm not the one to know as that is all new territory for me. Got any suggestions on things to try with fastboot?
fireTVnews.com said:
I've definitely been tempted to remove the warning about SQLite databases after reading arman68's update. I haven't, however, because I've been individually contacted by someone stating they used a free SQLite app from the Google Play store which caused them to lose their ethernet connection and soft-bricked after a restart.
I have gone ahead and updated the post to reduce the concern and stated that the SQLite Editor app everyone is using here seems to be safe.
Also, a fastboot connection can be achieved with any A to A USB cable. You simply need to boot the Fire TV while it's connected to a computer and it will boot into fastboot. I've done this myself with a Mac (have not tried a PC). The Fire TV displays a white Amazon logo on the screen and stays there until you reboot it without the cable plugged in. There doesn't seem to be much that can be done with the locked bootloader, but then again, I'm not the one to know as that is all new territory for me. Got any suggestions on things to try with fastboot?
I didn't mean to say you can't hose your device by changing settings with an editor, just that I don't think any of them change permissions. so using them to look but not change is pretty safe, IMO, and I'd hate to see folks discouraged from doing so.
I'm surprised that there's not a better onboard recovery on this device, or at least not one anyone's figured out how to get moving. I'd think it'd be cheaper for Amazon if the devices had a viable recovery, or if there was a solid reset to factory which actually did a full reinstall of the OS.
Interesting about the fastboot mode - when i connect the FTV to my laptop using an A to A cable I don't get a device recognized in fastboot, but it may be down to not having a driver for it.

Host File Breaks Wifi/Data (HTC M8 WM10)

So originally I had spoofed my M8 as a 735 with Custom PFD and updated to Windows mobile 10. As I was on the first build I was messing around with tweaks/mods after Interop unlock with InteropTools and decided to modify the HOST file and then update to the latest Slow Ring build. Upon restarting from the update it seemed my WiFi/DATA had been acting really odd. I eventually used the WPRT and went back to 8.1 and tried the steps again but spoofing a 930 (My Guess was the more similar Specs of the 930 vs M8 over the 735 vs M8). Eventually back on the latest Slow Ring build (for the 930 this time) and everything seems to be working fine WITHOUT modifying the HOST file. Yet every time I've tried Modifying it manually since the adaway.xap doesn't work because of the missing silent installer on my device it breaks WIFI/DATA.
I Come from An android background and remember something in the official adaway.apk for android.. It has a warning for HTC devices about modifying the host file because of S-On/S-OFF capabilities and might not let you write to system partition. I'm not saying that it's implemented in this devices but could it be the cause of my WIFI/DATA problems after modifying HOST file? When I restore the default host file everything works fine again.... Or is this just all a DNS issue I'm not realizing?
Try this host file https://mega.nz/#!PJQXhbhI!gOW3O8b5JuXfIBPnGs56jH5kCCYYXJONIPQPZf_diDU
subaru said:
Try this host file https://mega.nz/#!PJQXhbhI!gOW3O8b5JuXfIBPnGs56jH5kCCYYXJONIPQPZf_diDU
It worked!! Thank you so much!! You wouldn't know what was wrong would you? All I was doing was copying the original HOST file, pasting Steven Black's HOST file into it, and then replacing the original on the directory the HOST file is located on
Really I don't know. I use Steven Black's file also but connecting to the internet took ~5 minutes. I turn Wi-Fi off and on and after it connects it works really well, but if I turn off the phone or change to Data I must wait ~5 minutes to connect. I started searching for a new host file and found the page http://someonewhocares.org/hosts/ and maybe it works better because
There is a version of this file that uses 0.0.0.0 instead of 127.0.0.1
# available at http://someonewhocares.org/hosts/zero/.
# On some machines this may run minutely faster, however the zero version
# may not be compatible with all systems.
I tried it and it really works much better. I'm glad it works for you too
I disable DNScache create new host and work really good (more sites)
https://mega.nz/#!TNgWzZCB!Xf8OIb-Z8CHMGQ0Tmq8TvVxKYcMu1UlA9JvFigFNP9E
You have to disable DNScache https://forum.xda-developers.com/showpost.php?p=67774714&postcount=141
and you should use a hosts file which is not so big in size
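The posts above arrive at two changes to a blocklist hosts file: a 0.0.0.0 sink instead of 127.0.0.1, and a smaller file. The following Python sketch applies both to a hosts file on a PC before it is copied to the phone; it is an added example, not code from any poster or from the linked lists, and `compact_hosts`, the `KEEP_LOCAL` set and the sample entries are assumptions constructed for illustration.

```python
import re

# Addresses blocklists use as a sink; entries on these are rewritten to `sink`.
SINKS = {"127.0.0.1", "0.0.0.0", "::1", "::"}
# Names that must keep their original loopback mapping.
KEEP_LOCAL = {"localhost", "localhost.localdomain", "local", "broadcasthost"}
HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?\.)+[a-z0-9-]{2,63}$")

# Constructed sample, not taken from any published list.
SAMPLE = """\
# constructed sample
127.0.0.1 localhost
::1 localhost
127.0.0.1 ads.example.com   # tracker
127.0.0.1 ads.example.com
0.0.0.0 Metrics.Example.net banner.example.org
127.0.0.1 bad_entry!.example
192.168.1.10 nas.home.example
"""

def compact_hosts(text, sink="0.0.0.0"):
    """Return (new_text, stats): one sink address, no comments, no duplicates."""
    seen, keep, blocked = set(), [], []
    stats = {"input_lines": 0, "blocked": 0, "duplicates": 0, "skipped": 0}
    for raw in text.splitlines():
        stats["input_lines"] += 1
        fields = raw.split("#", 1)[0].split()      # strip comment, tokenize
        if len(fields) < 2:
            continue                               # blank or comment-only line
        addr, names = fields[0], [n.lower().rstrip(".") for n in fields[1:]]
        if addr not in SINKS:
            keep.append(" ".join([addr] + names))  # real mapping, left alone
            continue
        for name in names:
            if name in KEEP_LOCAL:
                if f"{addr} {name}" not in keep:
                    keep.append(f"{addr} {name}")
            elif not HOST_RE.match(name):
                stats["skipped"] += 1              # malformed hostname
            elif name in seen:
                stats["duplicates"] += 1
            else:
                seen.add(name)
                blocked.append(f"{sink} {name}")
    stats["blocked"] = len(blocked)
    return "\n".join(keep + blocked) + "\n", stats

if __name__ == "__main__":
    new_text, stats = compact_hosts(SAMPLE)
    print(new_text, stats, f"{len(SAMPLE)} -> {len(new_text)} bytes")
```

Loopback names and non-sink mappings are written first and left unchanged, so only blocklist entries are affected by the rewrite.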

Dumped RDC file from a RM-1063 prototype

I was able to dump the RDC that is provisioned to my 640 XL prototype. I dumped it and renamed it with a .bin extension. Have a couple of questions for those who know more about it, as I currently know little.
1. What is the RDC file, meaning what does it consist of? Or how is it used?
2. Where is it written when writing it from thor2? Or where is it stored on the phone?
3. Can it be re-used or is it good only for the one device it is provisioned to?
So, I am not sure if "dump" is the correct term to use here, as the command from thor2 would include the option -readrdc which sends it to a file that you choose...So it is reading something from the phone and generating a file...
I opened the file in hex editor but see little about its contents. It is small in size, about 804 bytes. I tried to write it to a different device same model but it failed with a specific error "Certificate error 25 (0x19) (0)"
Thanks.
Where to get prototype phones?
nate0 said:
I was able to dump the RDC that is provisioned to my 640 XL prototype. I dumped it and renamed it with a .bin extension. Have a couple of questions for those who know more about it, as I currently know little.
1. What is the RDC file, meaning what does it consist of? Or how is it used?
2. Where is it written when writing it from thor2? Or where is it stored on the phone?
3. Can it be re-used or is it good only for the one device it is provisioned to?
So, I am not sure if "dump" is the correct term to use here, as the command from thor2 would include the option -readrdc which sends it to a file that you choose...So it is reading something from the phone and generating a file...
I opened the file in hex editor but see little about its contents. It is small in size, about 804 bytes. I tried to write it to a different device same model but it failed with a specific error "Certificate error 25 (0x19) (0)"
Thanks.
An RDC file is a research and development certificate tied to the device hardware it came with. It will only work on the device it was shipped with, having the same IMEI, hardware serial number and everything unique; you can't use them with other devices at all.
@gus33000
I was almost certain it was unique to the device it was installed in. Does it reside on the boot partition? Thanks for sharing.
nate0 said:
@gus33000
I was almost certain it was unique to the device it was installed in. Does it reside on the boot partition? Thanks for sharing.
It's in DPP along with all other provisioned data specific to the phone. You won't be able to do anything with it, just abort; you'll lose time and you'll most likely brick devices.
Was only wanting to know more about it. Thanks again.
nate0 said:
Was only wanting to know more about it. Thanks again.
Also, as a tip: never overwrite MODEM*, SSD, and DPP with the ones from another phone; it will be destructive for prototypes. I advise you to make a full backup of the prototype eMMC first, before doing anything (even if it's just reflashing with an FFU, it's very important to back everything up in mass storage using something like Win32 Disk Imager). If, however, for some reason you ever end up with the wrong MODEM*, DPP and/or SSD, boot to flash app, switch to download mode, send the emergency payloads for that device RM, and write the RDC; writing it without DLOAD won't work.
DPP is the one nice to work with but never copy and replace, delete and eventually copy over onto it
I need this file
Can you help
Kidsnet said:
I need this file
I sold this phone along with dozens of other Lumias and Windows Phones over 2 years ago. I do not own the phone anymore, and I unlikely will find that RDC file if I even backed it up. It would be almost to you unless you are the new owner of this exact device that I dumped it from. Are you planning to use the file for any other reason?
I got a refurbished mobile came locked so i have to fl it since its demanding protection key so i need help
nate0 said:
I sold this phone along with dozens of other Lumias and Windows Phones over 2 years ago. I do not own the phone anymore, and I unlikely will find that RDC file if I even backed it up. It would be almost to you unless you are the new owner of this exact device that I dumped it from. Are you planning to use the file for any other reason
Kidsnet said:
I got a refurbished mobile came locked so i have to fl it since its demanding protection key so i need help
They are coming already locked, or if there's any tool i can download so that it will vo well with m
Sounds like the lock you are seeing is like a safety net lock. Someone must have had windows on it but had logged in with their account in Windows 10 mobile and set up the Reset protection with their Microsoft account. There is a method to remove that but it is quite dangerous and could ruin the phone.
There is a way to bypass it though, as a workaround, so that you can use the phone, but every time you hard reset it, it will always lock back.
nate0 said:
Sounds like the lock you are seeing is like a safety net lock. Someone must have had windows on it but had logged in with their account in Windows 10 mobile and set up the Reset protection with their Microsoft account. There is a method to remove that but it is quite dangerous and could ruin the phone.
There is a way to bypass it though, as a workaround, so that you can use the phone, but every time you hard reset it, it will always lock back.
@Kidsnet this is especially a problem for a lumia 640/640 xl. Because what happens is that if they upgraded it to Windows 10 mobile and enabled the protection but you reflash it back to Windows phone 8 you will unlikely set yourself up to not even get a workaround to get in the phone. Since the provisioning of W10M and WP8 are completely different.
