Recently I decided to upgrade to ICS. True ICS, new bootloader and stuff, from my quasi-ICS install (HC bootloader, ICS rom).
This sounds easy, however, my recovery was too old!
Being used to using my forgiving Samsung SGS2X, I just flashed a NEW recovery while IN recovery - thus REMOVING recovery. (rather than using the problem-free Acer Recovery Installer via google play like smart people do)
Here's where it begins.
Symptoms:
-Boots to ACER logo and stops
-Refuses to read update.zip package from microSD/USB (likely, as the recovery was corrupted!)
-I can enter APX mode however.
I have no recovery, no boot, no ADB mode, no way to read internal flash.
I did do a NANDROID backup, which is immensely important and EVERYONE should have at least ONE of these, due to your UID being recorded. This is where my problem came in. The NANDROID backup was on the internal storage!
So, I have a tablet that has no recovery, won't update.zip install, but WILL get to APX mode. I have NO UID, no SKB, no NANDROID backup. Solution is to send to acer? I think not!
There are some brilliant people on this forum. One post in particular was golden. http://forum.xda-developers.com/showpost.php?p=23783875&postcount=9 by eppeP
"If you can get the device into APX mode it will answer the first read request with the UID."
This is 100% true, and he provided a simple source example but little instructions. I hope I can elaborate and make someone else's life easier.
Requirements:
-Ubuntu (I used 12.04 LTS)
-microUSB cable
-powered tablet (can't be dead)
-paper clip, tac, needle - something to hit reset with
-patience
Boot Ubuntu, can be from CD/DVD/USB/network or installed copy
Install GCC, lsusb, libusb-1.0.x, libusb-1.0-dev - you NEED these! (hoping these are the only ones required for fresh installs)
Grab the code eppeP posted and save to a text file as apx.c
fire up terminal, browse to where the apx.c file is ('cd /home/<user>/Desktop/APX' for me)
run the following commands
sudo su
gcc apx.c -o apx -lusb-1.0
You should now have a file called apx on your desktop, that is ready to run.
If you get errors, you are likely missing a package. This should be fairly straight-forward, but refer to google and post the results please!
Next, pop your tablet into APX mode - plug in microUSB, hold the RESET button, and press power for around 4 sec. Windows gave me a 'usb detected' noise but Ubuntu just don't care.
Now run the following commands (assuming same root terminal permissions. If not run sudo su beforehand)
./apx
the terminal window should spit back to you a 15 character UID if everything's correct. 0x123456789ABCDEF (yours should be different combos of those hex values)
Proceed to guard this with your life! (although now you know how to retrieve again provided APX works)
now visit http://vache-android.com/v1/index.php?site=sbk MOD EDIT: Link no longer valid. SBK generator is available in the forums. Just check @dibb_nz profile signature and there's a link to a downloadable version in the guides.
and enter your UID. The website should spit back a series of 4, 8 character keys known as your SKB. Guard that too in case the website ever disappears.
Hard parts over. The tablet will live on now.
Next - choose how to recover!
I used a file called:
V8-UNL-ICS-HC-bootloader-MULTI-cwm.zip 32MB
MD5: 33D6692A997649111995CB690EF73213
I sadly lost the link to this package but I'm sure if you search google/this forum you will find it.
It uses nvflash. Amazing program. There's also A500APXflash, based off nvflash. The rest mainly require ADB or USB debugging, which you can't set as the tablet won't boot, so don't waste your time with proggies like afterota (which won't work if you only have APX). You can also do everything in ubuntu with nvflash and the terminal. Just read the commands from the batch, they should be nearly identical commands in either environment.
I booted back to windows, ran the V8.bat file, and followed instructions.
In 30 seconds my iconia was booting recovery again and that ROM I initially tried to install worked perfect!
After it booted, I realized I used 44% of my battery attempting to recover the tablet. This whole process takes maybe 30 minutes first-time through, getting ubuntu packages took the longest. LiveBoot will want to update everything as well, which I never considered, and usually fails (due to live install). Everything should be installed from Terminal if possible if using a live distro. It should be one command-line for the packages, reference exact package names in the package manager maybe.
My nandroid backup was still on the flash though! I knew enough that a 'hard reset' wasn't going to fix anything, so I never erased any userdata ironically, but botched the ROM and recovery.
This is the 100% fool-proof way to get your UID using APX. If it's your only method, this is your only option.
Your method is very useful, thank you!
It doesn't work correctly for me. It gives me only the last 8 digits of my uid. The rest is filled up with zeroes.
Sent from my Iconia A501 using Tapatalk 2
VelosCohagen said:
It doesn't work correctly for me. It gives me only the last 8 digits of my uid. The rest is filled up with zeroes.
You are probably using a 32bit system, while the others have been using a 64bit system.
Try replacing
Code:
printf("uid: %#016lx\n", *(uint64_t*)data);
with
Code:
printf("uid: 0x%016llx\n", *(uint64_t*)data);
or
Code:
printf("uid: 0x%08X%08X\n", *((uint32_t*)data+1), *((uint32_t*)data+0));
I would expect either to work.
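As an added example (mine, not eppeP's apx.c and not code from this thread), here is the UID formatting done so that it gives the same 16-digit output on 32-bit and 64-bit Linux, next to what the original %#016lx line produces. The byte order of the 8-byte reply is an assumption, and the sample bytes are constructed from the UID posted later in the thread.

```c
/* The original line  printf("uid: %#016lx\n", *(uint64_t*)data);  hands a
 * uint64_t to a %lx conversion.  On 64-bit Linux "long" is 64 bits and it
 * works; on 32-bit "long" is 32 bits, the call is undefined behaviour and in
 * practice only the low word is printed, which is the "last 8 digits, rest
 * zeroes" symptom reported in the thread. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: the 8 bytes of the reply are least-significant byte first (the
 * %08X%08X variant in the thread prints word 1 before word 0, which implies
 * the same).  Building the value byte by byte avoids the unaligned,
 * type-punned cast and works regardless of the host's own byte order. */
uint64_t apx_uid_from_bytes(const uint8_t data[8])
{
    uint64_t uid = 0;
    for (int i = 7; i >= 0; i--)
        uid = (uid << 8) | data[i];
    return uid;
}

/* Portable fix: PRIx64 expands to the right length modifier for the platform
 * ("llx" on 32-bit glibc, "lx" on 64-bit), so all 16 digits are printed.
 * Returns the number of characters written, or -1 if the buffer is too small. */
int apx_format_uid(uint64_t uid, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "0x%016" PRIx64, uid);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* The two-word form suggested in the thread, with fixed-width types: high
 * word first, then low word, each zero-padded to 8 digits. */
int apx_format_uid_words(const uint8_t data[8], char *out, size_t outlen)
{
    uint32_t lo = 0, hi = 0;
    for (int i = 3; i >= 0; i--) {
        lo = (lo << 8) | data[i];
        hi = (hi << 8) | data[4 + i];
    }
    int n = snprintf(out, outlen, "0x%08" PRIx32 "%08" PRIx32, hi, lo);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* What the original "%#016lx" does, with the value explicitly cast so the
 * call is at least well-defined.  On a 64-bit build the '#' prefix "0x"
 * counts toward the width of 16 and %x never prints a leading zero nibble,
 * so a UID that starts with 0 comes out as "0x" plus 15 digits (the first
 * post's "15 character UID").  On a 32-bit build the cast keeps only the
 * low word and zero padding fills the rest: 0x00000041e173d7, the shape
 * VelosCohagen reported. */
int apx_format_uid_original(uint64_t uid, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%#016lx", (unsigned long)uid);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
    /* Constructed sample: the UID 0x0288424341e173d7 posted later in this
     * thread, laid out as the reply buffer would hold it (LSB first). */
    const uint8_t data[8] = {0xd7, 0x73, 0xe1, 0x41, 0x43, 0x42, 0x88, 0x02};
    char buf[32];
    uint64_t uid = apx_uid_from_bytes(data);

    apx_format_uid(uid, buf, sizeof buf);
    printf("uid (PRIx64):    %s\n", buf);  /* 0x0288424341e173d7 */
    apx_format_uid_words(data, buf, sizeof buf);
    printf("uid (two words): %s\n", buf);  /* 0x0288424341e173d7 */
    apx_format_uid_original(uid, buf, sizeof buf);
    printf("uid (%%#016lx):   %s\n", buf); /* 0x288424341e173d7 on 64-bit */
    return 0;
}
```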
Will try it out.
Edit: You were right. Tried it with 64bit opensuse, and it worked.
Sent from my Iconia A501 using Tapatalk 2
Just curious after seeing this on the front page, but couldn't you just dd a new recovery partition from within Android? (assuming you're rooted)
I also had lost recovery after flashing from Thor's rom to CM9. In the end, after stressing out and not being able to figure anything out, I ran Blackthund3r's "A500 APX Flash Tool". After running this, I had reinstated recovery and was free to launch the Jelly Bean AOSP. You will need some knowledge in finding ANDROIDSERIALNO, but not too hard if you google it.
Recovery failed
Hi, thank you for your post. I applied your solution, I have my cpuid and skb, but when I use V8.bat I see "rcm version 0x4 command send failed (usb write failed)". Can anyone help me?
"Usb write failed" message appears when your cpuid is wrong. How many digits has your cpuid?
Sent from my Iconia A501 using Tapatalk 2
VelosCohagen said:
"Usb write failed" message appears when your cpuid is wrong. How many digits has your cpuid?
Sent from my Iconia A501 using Tapatalk 2
I've got 16 digits (0x000000XXXXXXXX) got with ubuntu
My problem was resolved with "printf("uid: 0x%08X%08X\n", *((uint32_t*)data+1), *((uint32_t*)data+0));"
The zeros are wrong. Did you use a 32bit version of linux? You must use a 64bit one.
Sent from my Iconia A501 using Tapatalk 2
VelosCohagen said:
The zeros are wrong. Did you use a 32bit version of linux? You must use a 64bit one.
32bit should be fine as long as you replace the printout.
Vache's website offline - how do we get the SBK??
http://vache-android.com/v1/index.php?site=sbk
Horrors, bricked and now this site is offline, does anybody know another way to generate the SBK?
Seriously, what genius decided the only way to flash your tablet was via a magic number you have to get off a website?
Found a really roundabout way to get it without needing his website:
http://forum.xda-developers.com/showpost.php?p=29602543&postcount=3
[OTA TOOL] [A50X/G100W] Afterota v1.09 won't work unless you have a Honeycomb OTA ROM
davr said:
Found a really roundabout way to get it without needing his website:
http://forum.xda-developers.com/showpost.php?p=29602543&postcount=3
My bootloader is wiped which is why I need the SBK.
When I try to get to where the file is on my desktop in terminal, it does nothing else; I just get this symbol > and if I keep typing the next steps it does nothing but give me the same symbol again. I don't know where I went wrong.
help please
sanjayayogi said:
does anybody know another way to generate the SBK?
Yes, the algorithm is quite simple and can without too much trouble be reversed out of a known UID/SBK pair.
A short description http://projects.pappkartong.se/a500/#generatesbk.
davr said:
Seriously, what genius decided the only way to flash your tablet was via a magic number you have to get off a website?
Acer, except for the part where you can actually get it which was most likely not part of the plan.
TechiiGirl said:
When I try to get to where the file is on my desktop in terminal, it does nothing else; I just get this symbol > and if I keep typing the next steps it does nothing but give me the same symbol again. I don't know where I went wrong.
help please
You will have to be much more specific if you want help.
Describe exactly what you did and the results, step by step.
eppeP said:
Yes, the algorithm is quite simple and can without too much trouble be reversed out of a known UID/SBK pair.
A short description http://projects.pappkartong.se/a500/#generatesbk.
Acer, except for the part where you can actually get it which was most likely not part of the plan.
You will have to be much more specific if you want help.
Describe exactly what you did and the results, step by step.
0x0288424341e173d7
0x
0288
4243
41e1
73d7
FROM THIS LINK: HOW TO CREATE THE SECURE BOOT KEY (SBK) from the UID
http://projects.pappkartong.se/a500/
Generating the SBK
To generate the SBK from the UID (assuming UID is a hexadecimal string)
1. Discard any leading 0x in the UID
2. Split the UID into four 4 character strings
3. For each part, take the ascii values and multiply with 100 raised to the position.
e.g. "89AB" => 56*100**3 + 57*100**2 + 65*100**1 + 66*100**0 = 56576566.
4. xor
5. If using a little-endian architecture, swap the byte order
6. Print the key

UID: 0x0288424341e173d7

STEP 1. Remove 0x
0288424341e173d7

STEP 2. Split the UID into four 4 character strings
0288
4243
41e1
73d7

STEP 3. For each part, take the ascii values and multiply with 100 raised to the position.

FIRST SET: 0288
ASCII decimal values (http://www.whatasciicode.com/?cmd=submit): 48, 50, 56, 56
0 => 48*100^3 = 48000000
2 => 50*100^2 = 500000
8 => 56*100^1 = 5600
8 => 56*100^0 = 56
FIRST SET: SUM the PARTS
48000000 + 500000 + 5600 + 56 = 48505605
RESULT: 0288 => 48505605
ASCII TO HEX (http://www.dolcevie.com/js/converter.html): 34:38:35:30:35:36:30:35

SECOND SET: 4243
ASCII decimal values: 52, 50, 52, 51
4 => 52*100^3 = 52000000
2 => 50*100^2 = 500000
4 => 52*100^1 = 5200
3 => 51*100^0 = 51
SECOND SET: SUM the PARTS
52000000 + 500000 + 5200 + 51 = 52505251
RESULT: 4243 => 52505251
ASCII TO HEX: 35:32:35:30:35:32:35:31

THIRD SET: 41e1
ASCII decimal values: 52, 49, 101, 49
4 => 52*100^3 = 52000000
1 => 49*100^2 = 490000
e => 101*100^1 = 10100
1 => 49*100^0 = 49
THIRD SET: SUM the PARTS
52000000 + 490000 + 10100 + 49 = 52500149
RESULT: 41e1 => 52500149
ASCII TO HEX: 35:32:35:30:30:31:34:39

FOURTH SET: 73d7
ASCII decimal values: 55, 51, 100, 55
7 => 55*100^3 = 55000000
3 => 51*100^2 = 510000
d => 100*100^1 = 10000
7 => 55*100^0 = 55
FOURTH SET: SUM the PARTS
55000000 + 510000 + 10000 + 55 = 55520055
RESULT: 73d7 => 55520055
ASCII TO HEX: 35:35:35:32:30:30:35:35

ALSO THIS SEEMS TO WORK for the ASCII TO HEX step (I am on MAC OSX 10.7):
Code:
echo "48505605" | od -t x1
0000000 34 38 35 30 35 36 30 35 0a
0000011
echo "52505251" | od -t x1
0000000 35 32 35 30 35 32 35 31 0a
0000011
halcasteel$ echo "52500149" | od -t x1
0000000 35 32 35 30 30 31 34 39 0a
0000011
echo "55520055" | od -t x1
0000000 35 35 35 32 30 30 35 35 0a
0000011
48505605 => 34:38:35:30:35:36:30:35
52505251 => 35:32:35:30:35:32:35:31
52500149 => 35:32:35:30:30:31:34:39
55520055 => 35:35:35:32:30:30:35:35
Sorry this is so verbose, but I wanted to show all of my steps.
THIS IS WHERE I AM STUCK, any ideas?
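An added example (mine, not code from this thread or from projects.pappkartong.se) that carries steps 1 to 3 of the description above through for the UID in this post, plus the byte swap of step 5 as I read it (an assumption). Step 4 does not say what is xored with what, so the block stops short of producing an SBK. Note that it gets 48505656 for the first part, where the post above arrives at 48505605.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Step 3 for one 4-character part: c0*100^3 + c1*100^2 + c2*100 + c3, using
 * the ASCII code of each character ("0288" -> 48, 50, 56, 56).  Horner's form
 * gives the same sum without computing the powers separately. */
uint32_t sbk_part_value(const char part[4])
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++)
        v = v * 100 + (unsigned char)part[i];
    return v;
}

/* Steps 1 and 2: drop a leading "0x", require exactly 16 hex characters,
 * split into four parts and encode each with sbk_part_value().  Returns 0 on
 * success, -1 on bad input; a 15-digit UID (a leading zero dropped by the
 * printout, as in the first post) is rejected rather than silently padded. */
int sbk_part_values(const char *uid, uint32_t out[4])
{
    if (strncmp(uid, "0x", 2) == 0 || strncmp(uid, "0X", 2) == 0)
        uid += 2;
    if (strlen(uid) != 16)
        return -1;
    for (int i = 0; i < 16; i++)
        if (!isxdigit((unsigned char)uid[i]))
            return -1;
    for (int i = 0; i < 4; i++)
        out[i] = sbk_part_value(uid + 4 * i);
    return 0;
}

/* Step 5, assumption: "swap the byte order" means the 32-bit value is written
 * least-significant byte first, so 48505656 = 0x02e42338 becomes "3823e402".
 * That operates on the bytes of the number, not on the ASCII codes of its
 * decimal digits (which is what the od -t x1 lines above produce). */
void sbk_value_le_hex(uint32_t v, char out[9])
{
    snprintf(out, 9, "%02x%02x%02x%02x",
             (unsigned)(v & 0xff), (unsigned)((v >> 8) & 0xff),
             (unsigned)((v >> 16) & 0xff), (unsigned)((v >> 24) & 0xff));
}

int main(void)
{
    const char *uid = "0x0288424341e173d7";   /* the UID from the post above */
    uint32_t parts[4];
    char hex[9];

    if (sbk_part_values(uid, parts) != 0) {
        fprintf(stderr, "UID must be 16 hex digits\n");
        return 1;
    }
    for (int i = 0; i < 4; i++) {
        sbk_value_le_hex(parts[i], hex);
        /* prints e.g. "0288 => 48505656 = 0x02e42338, byte-swapped 3823e402" */
        printf("%.4s => %u = 0x%08x, byte-swapped %s\n",
               uid + 2 + 4 * i, (unsigned)parts[i], (unsigned)parts[i], hex);
    }
    return 0;
}
```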
sanjayayogi said:
THIS IS WHERE I AM STUCK, any ideas?
http://forum.xda-developers.com/showthread.php?t=1810618 Has everything that you need.
And a HUGE thanks to srbeen for putting the guide up for us. My nephew forgot his lock code and the tablet is pure stock. Never ADB'd it or CWM'd and backup... So, as you can imagine, I'm very happy to have the sbk.
Related
Hi all,
Like many of us, I managed to kill a digitizer on my HTC Aria. Replaced the blasted thing, and now I find my proximity sensor is really sensitive. It's locked in proximity mode (Z-devicetest shows distance 0) in normal conditions.
If I pull off the digitizer, so the prox sensor has a clear path in front of it, it goes out of proximity state and Z-devicetest shows the distance as 1 (and the display works properly during calls, speakerphone works, etc) ...
If I slowly move the tip of my finger towards the prox. sensor, digitizer still removed, Z-devicetest shows it flip from 1 to 0 (out of prox to in prox) as my finger gets within ~2 inches.
So it seems the prox. sensor is working but is too sensitive.
Is this the normal failure mode of a CM3602 prox sensor (read: I dropped it, and not only broke the digitizer, but took out the prox sensor too!) .. or, is there some sort of calibration I need to do?
Anyone have a USA source of the CM3602? My usual suppliers digikey and mouser don't carry this component..
*curses self* shoulda listened to my friend who warned me this phone is real easy to bust
There is a guy in the accessories board that is selling parts of his aria. I'd link ya but I don't know how from this app.
Sent from my Liberty using XDA App
Right on.
I didn't want to butcher this poor little POS more so I figured out how to turn the bloody sensor off in software.
append
gsm.proximity.enable=false
to /system/build.prop
or just uncomment the line if you have an editor.. but you can just cat >> build.prop in the shell and type in the line. No editor needed.
Must do this via adb shell with phone in clockwork, otherwise nand is locked. boo. dev eng hardware doesn't have that problem... stupid consumer devices!
So do you just start Android sdk and then type the following.
append (enter)
gsm.proximity.enable=false (enter)
or is there more to it. I really need to get this disabled.
I tried to do it with ASTRO but it doesn't save my changes.
/system/build.prop is a standard text file.
Remember that stuff in /system is protected, I find the best way to deal with the /system partition is through clockworkmod recovery.
a. Disconnect USB, reboot into clockworkmod recovery
b. Mount the /system partition from the partitions menu
c. Connect USB to a system with adb
d. adb pull /system/build.prop
e. Edit file with your favorite text editor to append gsm.proximity.enable=false
f. adb push build.prop /system/build.prop
g. unmount /system from clockworkmod recovery partition menu
h. reboot phone, receive bacon
If you don't have clockworkmod recovery, just use unrevoked to install it
Oh, i should also say CM6 (and maybe all of Froyo images?) do not honor this setting.
Thank you I will try this when I get home..
I may have an issue because if I open build.prop with root explorer it says...
# try to disable proximity sensor in call by default
# gsm.proximity.enable=false
This is located almost at the bottom of the page does this mean I am sol. It is the liberated Rom and I haven't done anything to it.
Sent from my HTC Liberty using XDA App
Just remove the # ...
# gsm.proximity.enable=false
..to
gsm.proximity.enable=false
thank you so much..... you may be oh wait you are the FN man.
ok so if froyo images don't honor this does that mean when we get froyo I shouldn't upgrade.
anyway thank you so much now I can use my phone again, I didn't realize how much my Pure was dated till I had to use it for a few days.
Glad that helped
I didn't find a property in Froyo that disabled the proximity sensor. Maybe there is one, maybe there is not. I went another method..
Code:
# hexdump -C /system/lib/hw/sensors.liberty.so | grep -C3 dev/cm
00001b10 54 5f 54 46 4c 41 47 20 65 72 72 6f 72 20 28 25 |T_TFLAG error (%|
00001b20 73 29 00 45 43 53 5f 49 4f 43 54 4c 5f 41 50 50 |s).ECS_IOCTL_APP|
00001b30 5f 53 45 54 5f 4d 56 46 4c 41 47 20 65 72 72 6f |_SET_MVFLAG erro|
00001b40 72 20 28 25 73 29 00 2f 64 65 76 2f 63 6d 66 75 |r (%s)./dev/cmfu|
00001b50 6b 74 00 43 41 50 45 4c 4c 41 5f 43 4d 33 36 30 |kt.CAPELLA_CM360|
00001b60 32 5f 49 4f 43 54 4c 5f 45 4e 41 42 4c 45 20 65 |2_IOCTL_ENABLE e|
00001b70 72 72 6f 72 20 28 25 73 29 00 2f 64 65 76 2f 6c |rror (%s)./dev/l|
Offset 1b48 in /system/lib/hw/sensors.liberty.so defines the device name of the proximity sensor, normally /dev/cm3602.
Hexedit the file to change the name of the device to something that doesn't exist, and you will no longer use the proximity sensor.
Nasty and totally the wrong way to do this, but it worked for me. I suppose I could have dug through source code to check for a flag to disable the sensor, but that takes more time and is far less hacking fun than hex editing a system library If I didn't want to live dangerously I'd stick with the stock ROM lol.
Thanks again I will check back when group comes out if I can't figure it out. I am going to stick with the liberated Rom till we get the official Rom and it gets liberated.
Sent from my HTC Liberty using XDA App
Not a bad idea if you're happy with 2.1 and Sense
Yeah I really like the sense UI so I will stay with 2.1 until a 2.2 with sense is available.
Sent from my HTC Liberty using XDA App
Thanks for this info. Just changed CM3602 to XM3602 and it stopped.
I just upgraded to the new attn1 2.2 Rom with sense and I used the same fix you gave me for the 2.1 Rom and it worked so I guess that fix will work on all sence roms.
Sent from my HTC Liberty using XDA App
I just used hexeditor on my phone (fr 2.2) and went to the location you noted 00001b48 but nothing there. I went on looking and found it on a few lines starting at 00002090, but which value do I change to get it to disable? If you could look at this for me it would help a lot.
nrvate said:
/system/build.prop is a standard text file.
Remember that stuff in /system is protected, I find the best way to deal with the /system partition is through clockworkmod recovery.
a. Disconnect USB, reboot into clockworkmod recovery
b. Mount the /system partition from the partitions menu
c. Connect USB to a system with adb
d. adb pull /system/build.prop
e. Edit file with your favorite text editor to append gsm.proximity.enable=false
f. adb push build.prop /system/build.prop
g. unmount /system from clockworkmod recovery partition menu
h. reboot phone, receive bacon
If you don't have clockworkmod recovery, just use unrevoked to install it
I am trying to use these steps to disable the sensor, but I am having issues pulling build.prop.
In the command prompt, I enter in:
adb pull /system/build.prop c:\
And receive:
264 Kb/s (4695 bytes in .012s)
The issue I am having is that I cannot find where adb stores the file on my computer. It's not in the c:\ directory. It's not in the platform-tools folder. I did a search, and nothing came up.
Any suggestions would be really appreciated.
Thanks!
I'm confused - why are you guys disabling the proximity sensor???
Is it because you improperly installed a new screen?
Might as well use duct tape to hold the new screen on and then JB Weld the back case. Seriously guys, do things right and take the screen back off and install it the right way.
kaschenberg,
I dropped my phone, shattering the screen; resulting in a lot of fractures in the glass where the sensor is located. The phone and screen works when I add pressure to the upper right corner, leaving me to believe the sensor is being interrupted by the fractures. I am hopeful, as a temporary fix, that if I can disable the sensor, the phone will work more optimally until I replace the screen.
- Thoughts?
Hey geeks,
you might know my hardware hacking thread already:
http://forum.xda-developers.com/showthread.php?t=1199450
Some time ago I started thinking about starting with an open bootloader for Archos Gen8.
So i started from scratch and made use of external boot mode to completely start from external MicroSD and leave the internal memory alone.
Remark: This is a geek project, there's no GUI or something. So don't expect anything useful right now.
At the moment you'll need some hardware hacking, because you'll need a serial console over uart3.
Unfortunately you'll also need a dirty hack to power up the MicroSD permanently.
Don't hesitate to ask for details about it.
So this is for the weird ones out there...
Right now there's work in progress, because the stock kernel gets stuck at some point in the boot process.
Maybe there's some setup missing in the bootcode (it's very basic at the moment) or the stock kernel relies heavily on avboot at some point.
I will work on this issue whenever I find some time.
Anyway it might be still an interesting project for at least a very few of you, so here's the source code:
- x-loader-archos
- u-boot-2011.09-archos
As pointed out, the Archos implementation is very basic at the moment, but the code itself works very well and has been tested on A101IT Gen8.
For further devices, e.g. A70S Gen8, the machine id has to be included in the board file; the rest of the setup in the early stage should be very similar.
The code bases:
- x-loader (https://gitorious.org/x-loader/x-loader)
- u-boot (taken from this archive: http://www.technexion.com/images/downloads/ARM_CPU_Modules/TDM-3730/linux-2.6.32-tdm3730.tar.xz)
I'd like to switch to official u-boot release 2011.09 as a base soon.
To start playing with it:
- open your case and start hacking, to get serial console working
- tweak the hardware to power the MicroSD slot permanently
- create a bootable MicroSD for OMAP systems
- place the binaries on your card
- insert the card and use vitalif's kernel module to reboot your device in external bootmode
Please refer to these posts from vitalif (thanks a lot for contributing!!!):
http://forum.xda-developers.com/showpost.php?p=22719203&postcount=105
http://forum.xda-developers.com/showpost.php?p=22765441&postcount=108
You might start digging in the source code and create your own loader:
- use a linux machine with a recent distribution
- setup a cross environment with ARM cross compiler suitable for ARMV7
- extract the sources to directory of your choice
- to compile x-load:
Code:
cd ./x-loader-archos
make archos_config
make
- to compile u-boot-2011.09-archos:
Code:
cd ./u-boot-2011.09-archos
make a101it_config
make
It might be required to tweak the top-level Makefiles to point at your toolchain.
I used my ready to work toolchain (for 32-bit linux only) here:
http://forum.xda-developers.com/showthread.php?t=1328027
Unfortunately I haven't found some time to create a project page at gitorious,
but hopefully I'll manage to do so in the next weeks...
I know this is a very very special project, but anyway if there's some interest, this might lead to something useful in the end.
If the bootcode is working very nice some day, it might also be possible to replace stock loader, but that's fiction yet.
You might ask what for...
I say... it's just for fun!
cheers,
scholbert
Boot console output... so far
Hey,
it has been posted already but here again for completeness...
The console log on UART3 starting a custom kernel configured with the stock config:
Code:
Texas Instruments X-Loader 1.5.1 (Mar 26 2012 - 20:41:11)
Found 0256 MB
Archos Gen8
Reading boot sector
Loading u-boot.bin from mmc
Done!
U-Boot 2011.09 (Mar 23 2012 - 18:53:39)
OMAP3630/3730-GP ES1.2, CPU-OPP2, L3-165MHz, Max CPU Clock 1 Ghz
Archos 101IT Gen8 + LPDDR/MMC
I2C: ready
DRAM: 256 MiB
MMC: OMAP SD/MMC: 0
Using default environment
In: serial
Out: serial
Err: serial
Die ID #144800029ff800000160a4bb18027009
Hit any key to stop autoboot: 0
reading boot.scr
** Unable to read "boot.scr" from mmc 0:1 **
reading uImage
2987000 bytes read
Booting from mmc ...
## Booting kernel from Legacy Image at 82000000 ...
Image Name: Linux-2.6.29-omap1
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 2986936 Bytes = 2.8 MiB
Load Address: 80008000
Entry Point: 80008000
Verifying Checksum ... OK
Loading Kernel Image ... OK
OK
Starting kernel ...
Uncompressing Linux.............................................................
................................................................................
..................................................... done, booting the kernel.
<6>Initializing cgroup subsys cpu
<5>Linux version 2.6.29-omap1 ([email protected]) (gcc version 4.4.1 (GCC) ) #1
PREEMPT Thu Mar 22 23:59:34 CET 2012
CPU: ARMv7 Processor [413fc082] revision 2 (ARMv7), cr=10c5387f
CPU: VIPT nonaliasing data cache, VIPT nonaliasing instruction cache
Machine: Archos A101IT board
fixup_archos: [console=ttyS2,115200n8 androidboot.console=ttyGS0 init=/linuxrc d
ebug omapdss.debug=0 vram=4915200 omapfb.vram=0:4915200 omapfb.debug=0 mmc_block
.split=0.0001:512M]
Memory policy: ECC disabled, Data cache writeback
<7>On node 0 totalpages: 65536
<7>free_area_init_node: node 0, pgdat c05fd368, node_mem_map c06a5000
<7> Normal zone: 512 pages used for memmap
<7> Normal zone: 0 pages reserved
<7> Normal zone: 65024 pages, LIFO batch:15
<4>L2 CACHE is enabled in bootloader
<6>OMAP3630 ES1.2
<6>DIE ID: 144800029FF800000160A4BB18027009
<6>FEATURE_STATUS: 00000c00
<6>SRAM: Mapped pa 0x40200000 to va 0xfc800000 size: 0x100000
<6>Reserving 4915200 bytes SDRAM for VRAM
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 65024
<5>Kernel command line: console=ttyS2,115200n8 androidboot.console=ttyGS0 init=/
linuxrc debug omapdss.debug=0 vram=4915200 omapfb.vram=0:4915200 omapfb.debug=0
mmc_block.split=0.0001:512M
<3>Unknown boot option `androidboot.console=ttyGS0': ignoring
<3>Unknown boot option `omapdss.debug=0': ignoring
<6>Clocking rate (Crystal/DPLL/ARM core): 26.0/332/600 MHz
BTW, I extracted the function that sets up the PLL and MPU stuff from the Archos loader.
I need some time to extract the stock PLL setup at the early stage.
Maybe this will give some answers.
One of my next plans is to build some kind of bare-bones kernel (console only), which may be used for recovery and debug purposes.
Maybe this gives it a kick and things start up to a login shell
TBC
Have fun!
scholbert
One of my next plans is to build some kind of bare-bones kernel (console only), which may be used for recovery and debug purposes.
Maybe this gives it a kick and things start up to a login shell.
Seems like an internal monologue... but I'd like to point out that I stopped this project for a while.
So don't expect anything like a brick recovery tool or similar.
If others join in it might be possible that it would lead to something,
but as long as no one even starts hacking the hardware this is just for me...
Happy days!
scholbert
scholbert said:
Seems like an internal monologue... but I'd like to point out that I stopped this project for a while.
So don't expect anything like a brick recovery tool or similar.
If others join in it might be possible that it would lead to something,
but as long as no one even starts hacking the hardware this is just for me...
Happy days!
scholbert
Shame you stopped your efforts for now, I always followed your posts with much interest. However I can understand it is frustrating being on your own.
Thanks for what you did this far and for posting your info .
divx118
Sorry to read that, this was a very very interesting reading.
But I don't have the knowledge to make the necessary hardware hack, and above all, my wife would kill me if she saw me opening the tab
Thanks again for all that amazing information scholbert
Hey,
first of all thanks for your interest and your replies
Some words on your comments though...
divx118 said:
Shame you stopped your efforts for now, I always followed your posts with much interest. However I can understand it is frustrating being on your own.
I did not want to sound frustrated, because I'm not.
All I do with the device and all that hacking stuff is fun and mostly for educational purposes.
Maybe I'll continue working with this stuff, but for now I wanted to point out not to expect too much.
Some guys out there, bricked their devices and were looking for a solution.
That's why i wrote it down.
Basically it should be possible to recover bricks by using external boot procedure, but it's still far from a simple solution.
grim-a101 said:
Sorry to read that, this was a very very interesting reading.
But I don't have the knowledge to make the necessary hardware hack, and above all, my wife would kill me if she saw me opening the tab
Yeah, that's a good point; the barrier for this kind of hacking is a little high.
Unfortunately you'll have to tweak the hardware to gain access to the serial debugging port and cheat the power management of the MicroSD slot.
Most of you simply want to use the device and do some less hard tweaks at system level.
Anyway, there are some other possibilities as well (e.g. using USB and TI Flash) to access the platform. Maybe I'll do some research here as well.
Thanks again for appreciation!!!
Regards,
scholbert
Hi, first time here and first time trying to write Android code. I've done Java in Eclipse earlier. Anyway, I followed some guide on YouTube and he writes charSequence. However, I don't seem to have that because it gets red. Do I need to import some library?
Well if you don't capitalize the first letter it will be a variable name instead of a data type...
CharSequence charSequence = ....
This should work better
But hey, this is a really really basic thing about java and coding in general, always check if you did the capitalization right!
As Masrepus said, CharSequence is a class, and all classes begin with a capital letter.
All other words are variables (if not keywords like if, switch, case, try, etc.) or function names.
Hi guys,
I decompiled the file that was causing the key to be set back on (AllowLockScreen) and successfully disabled it. The culprit is in C:\windows\system32\LogonController.dll
You will need to get a hex editor to do this. This is for the 64-bit version, 10.0.14393.0, with md5sum of 3a12a4ce74b958564c0e4346869fcd8c.
This address corresponds to file location 0x156EE. It should look like this:
75 4A 48 8B 8C 24 etc
Change the 75 to 74 (jump not zero to jump zero), save it and replace the LogonController.dll in your system folder.
You'll have to take ownership and then rename the file, and drop the new one in its place. Reboot and voila!
Some details of what is going on:
.text:0000000180016270 ; __int32 __fastcall CProcessStateManager::put_IsLockScreenAllowed(CProcessStateManager *__hidden this, unsigned __int8)
.text:0000000180016270 [email protected]@@[email protected] proc near
.text:00000001800162E4 call cs:__imp_RegCreateKeyExW
.text:00000001800162EA mov ebx, eax
.text:00000001800162EC test eax, eax
This line below is what we're patching:
.text:00000001800162EE jnz short loc_18001633A
.text:00000001800162F0 mov rcx, [rsp+78h+hKey] ; hKey
.text:00000001800162F8 lea rax, [rsp+78h+Data]
.text:0000000180016300 mov [rsp+78h+samDesired], 4 ; cbData
.text:0000000180016308 lea r9d, [rsi+3] ; dwType
.text:000000018001630C xor r8d, r8d ; Reserved
.text:000000018001630F mov qword ptr [rsp+78h+dwOptions], rax ; __int32
.text:0000000180016314 lea rdx, aAllowlockscree ; "AllowLockScreen"
.text:000000018001631B call cs:__imp_RegSetValueExW
.text:0000000180016321 mov rcx, [rsp+78h+hKey] ; hKey
.text:0000000180016329 mov ebx, eax
.text:000000018001632B cmp rcx, 0FFFFFFFF80000002h
.text:0000000180016332 jz short loc_18001633A
.text:0000000180016334 call cs:__imp_RegCloseKey
Patched DLL
I've uploaded a patched 64-bit DLL, in addition to disabling the LockScreen it also disables quite a few of the Telemetry functions. Seems to actually boot slightly faster with the extra telemetry disabled.
Patched DLL v2
The first version I posted only prevented windows from re-enabling the lock screen if it was already disabled. This version also disables it if it was enabled.
For me it doesn't work. I only get a spinning progress ring at logon in a VM.
Hi darkfires!
Love your stuff!
I think you posted elsewhere on the net the final v.3 fix for this that is:
(This is better than what's posted in the first thread)
Code:
0xBF50 48 89 5C 24 08 -> C3 90 90 90 90
It works perfectly for me except for one small caveat: returning from "Sleep" sometimes gives you a black screen.
Hitting the keyboard a few times solves that issue as the login screen then "re-appears".
Any other way to patch this dll, addressing this issue, to make it "perfect"?
I was wondering, what disassembler tool did you use to get that output?
Would be nice to get some newbie tips on this as this stuff interests me, thanks !
Hi,
Sorry I didn't get a notification anyone had replied to this thread for some reason! I posted an updated version here that fixes black screen http://repo.ezzi.net/nolock/. And I used IDA to decompile it, send me a PM if you're interested in a copy of it. I had to target a totally different function than what I originally was.
I actually started out by targeting the difference from pre-anniv which was automatically setting the registry key. So that worked in most cases but not all, and instead I targeted the function that checked the key instead and made it return false every time.
As for the 0xBF50 48 89 5C 24 08 -> C3 90 90 90 90, the first part is the file offset, and the rest are op codes. You can look up x86 opcodes on google and get the hex values. The first 5 are actually a single instruction (instruction, address and value), C3 is retn (forces function to return) and 90 are all NOP (no operation). It's pretty trivial with the right tools and some patience
Hi again
And thanks for the updated info!
I actually figured out you were using IDA in my quest to dig deeper.
I got a copy, and I really like the graphical overview which makes it easy to navigate between the numerous functions.
This machine language stuff is not as easy to digest though lol!
But thanks for the pointers.
Btw, I was wrong about your patch causing a blackscreen!
This one: 0xBF50 48 89 5C 24 08 -> C3 90 90 90 90
It had nothing to do with the patch, but was/is a quirk with VMware when going into sleep mode.
The patch works 100% perfect.
The Home version uses the same dll, I have checked, same MD5.
I'll get back in this thread when I have done some more studying.
It's not that much that the lockscreen is bothering me,
It's just the challenge to get rid of it that's firing me up, because MS decided they should decide it for us.
//EDIT
Would this be the same place to patch the 32-bit version as well?
Thanks! :victory:
Hi hi ! :laugh:
Patch for the 32-bit version
File version 10.0.14393.0 (Anniversary Edition)
MD5 of original LogonController.dll:
cdcc698bc43848baa789c3a7060167fd
Patch: Offset 0x1C680 8B FF -> C3 90
Patched dll attached.
Hi all!
This topic is for those that don't like the lockscreen.
When the anniversary update came, the option to disable this was removed.
There are a few tricks out there to somewhat disable it, but none of
those works from boot.
This solution does.
Earlier I made a patch for LogonController.dll that worked beautifully
until today, when the KB3189866 update came out and replaced it.
So I made an autopatcher instead.
Even if a new update replaces the patched dll,
just run the autopatcher again!
(It is always the same bytes that need replacing), and it will probably
be a long time before they update this dll again.
It's very easy to use, first run the "Take_Ownership.cmd" file as
Administrator, then run LogonController_Patch.exe also as Admin
and point it to:
%SYSTEMROOT%\system32\LogonController.dll
And click Start, Done!
It automatically creates a backup of your old LogonController.dll.
Works for both Home & Pro and all Languages, just choose
right architecture.
Architecture x86
https://drive.google.com/open?id=0ByXxjI18DZC5YTZWbVRueS1IWVU
(Use d/l arrow up in the right corner to get the zip file)
Architecture x64
https://drive.google.com/open?id=0ByXxjI18DZC5aEd4VVhLZVVIbXc
(Use d/l arrow up in the right corner to get the zip file)
That's it folks !
-------------------------------------------------------
Thanks "darkfires" for the inspiration to patch LogonController.dll !
Awesome job man! You learn quick
You could also combine both arch's into a single script if you wanted, just check %PROCESSOR_ARCHITECTURE% == AMD64 for 64, if you're using C or whatever GetSystemInfo() should do it as well. I was going to make an auto-patcher but haven't had much free time lately as I would have hoped, so I am thrilled to see you did that! I'm not sure how the one you wrote works but it's not entirely safe to assume the location of the patch will never change in newer versions. I was looking into making something that downloaded the associated pdb from microsoft and verify the function location from that (that's how IDA is able to put useful labels on the functions), which would make it dynamically work if the offset ever did change. So I would recommend you make another script that is easy to run from advanced recovery command prompt that would restore the original if it ever changed and they couldn't login, just in case. However I think it's safe to say it's very unlikely this would be a problem until their next major build (the only reason it changed this time was to fix a security vulnerability)
Keep up the great work!
Hi darkfires!
I know I could have bundled the two architectures and
script it to choose the right one but I was lazy!
I noticed that the patch offset was the same in the updated dll in KB3189866, that's why I made the "Autopatcher".
There are 2 safety features in the patch engine preventing
a bad patch, and that is 1. filename, and 2. filesize.
There is a third option to calculate filehash, but i opted out on that one, as you couldn't apply the patch to any new version of the dll.
If there's a new update coming later on, and the offset changed(Or they re-wrote it totally) I hope fingers crossed that the patch engine errors out.
Your idea to d/l the associated pdb from microsoft and verify the function location would be awesome!
Easily done over a cup of coffee, right!? :laugh:
Regarding scripting for recovery purposes I think a small tutorial is the best
option.
Most people wouldn't know how to navigate to a recovery script in the first place, ha ha lol!
Basically I tell them this:
Boot from install media, press SHIFT + F10 at first screen, then at cmd prompt, type D:
(it usually is)
cd windows
cd system32
del LogonController.dll
ren LogonController.bak LogonController.dll
This is quite straightforward, and of course it's really nice that the patch utility
makes this backup file, otherwise I wouldn't use it.
Always nice to get your feedback!
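Two things in this thread fit one small script: darkfires's note that the patch is "file offset plus replacement opcodes", and dobbelina's description of the safety checks an autopatcher needs (filename/size, optionally a hash, a backup, and never patching twice). The following is an added example and is not dobbelina's patcher or darkfires's code; every function name in it is mine, while the offsets, byte values and the LogonController.bak naming are the ones quoted in the thread. The image it runs on is a constructed zero-filled stand-in, not the real DLL; from an audit point of view the useful call is patch_state, which tells you whether a file is pristine, carries exactly this patch, or is something else entirely.

```python
"""Audit and apply a fixed in-place byte patch with the safety checks the thread describes.

Added example (not dobbelina's autopatcher or darkfires's code). It takes the
offsets and opcode bytes quoted in the thread and (a) reports whether a file still
carries the original bytes, the patched bytes, or something else, (b) refuses to
write unless the original bytes are present and the optional size and MD5 checks
pass, and (c) writes a .bak copy first and refuses to clobber an existing one.
The image used below is a constructed stand-in, not LogonController.dll.
"""
from __future__ import annotations

import hashlib
import shutil
from dataclasses import dataclass
from pathlib import Path
from typing import Optional


@dataclass(frozen=True)
class BytePatch:
    offset: int      # file offset (not the virtual address IDA shows)
    original: bytes  # bytes expected before patching
    patched: bytes   # bytes to write; same length so the file layout is untouched

    def __post_init__(self) -> None:
        if len(self.original) != len(self.patched):
            raise ValueError("in-place patch must keep the instruction length")


# The two patches exactly as quoted in the thread.
# x64: 48 89 5C 24 08 (mov [rsp+8], rbx) -> C3 (ret) followed by four 90 (nop)
PATCH_X64 = BytePatch(0xBF50, bytes.fromhex("48895C2408"), bytes.fromhex("C390909090"))
# x86: 8B FF (mov edi, edi) -> C3 90
PATCH_X86 = BytePatch(0x1C680, bytes.fromhex("8BFF"), bytes.fromhex("C390"))


def patch_state(data: bytes, patch: BytePatch) -> str:
    """Classify the bytes at the patch offset: 'original', 'patched' or 'unknown'.

    'unknown' is the interesting answer for an auditor: the file is neither
    pristine nor carrying this patch, so it is a different build or was modified
    in some other way, and nothing should be written to it.
    """
    window = data[patch.offset:patch.offset + len(patch.original)]
    if window == patch.original:
        return "original"
    if window == patch.patched:
        return "patched"
    return "unknown"


def apply_patch_bytes(data: bytes, patch: BytePatch,
                      expected_size: Optional[int] = None,
                      expected_md5: Optional[str] = None) -> bytes:
    """Return a patched copy, or raise if any precondition fails (never patch blindly)."""
    if expected_size is not None and len(data) != expected_size:
        raise RuntimeError(f"size mismatch: {len(data)} != {expected_size}")
    if expected_md5 is not None and hashlib.md5(data).hexdigest() != expected_md5.lower():
        raise RuntimeError("MD5 mismatch: not the build this patch was made for")
    state = patch_state(data, patch)
    if state != "original":
        raise RuntimeError(f"refusing to patch: bytes at 0x{patch.offset:X} are {state}")
    out = bytearray(data)
    out[patch.offset:patch.offset + len(patch.patched)] = patch.patched
    return bytes(out)


def revert_patch_bytes(data: bytes, patch: BytePatch) -> bytes:
    """Inverse of apply_patch_bytes; only valid when the file carries exactly this patch."""
    if patch_state(data, patch) != "patched":
        raise RuntimeError("file does not carry this patch")
    out = bytearray(data)
    out[patch.offset:patch.offset + len(patch.original)] = patch.original
    return bytes(out)


def patch_file(path: Path, patch: BytePatch, **checks) -> Path:
    """File-level wrapper: back up to <name>.bak (refusing to overwrite one), then patch."""
    backup = path.with_suffix(".bak")  # LogonController.dll -> LogonController.bak
    if backup.exists():
        raise RuntimeError(f"{backup.name} exists; restore or remove it before patching again")
    patched = apply_patch_bytes(path.read_bytes(), patch, **checks)
    shutil.copy2(path, backup)
    path.write_bytes(patched)
    return backup


def make_sample_image(patch: BytePatch, size: int = 0x20000) -> bytes:
    """Constructed stand-in for a DLL: zero-filled with the original bytes at the offset."""
    img = bytearray(size)
    img[patch.offset:patch.offset + len(patch.original)] = patch.original
    return bytes(img)


if __name__ == "__main__":
    sample = make_sample_image(PATCH_X64)
    print("before:", patch_state(sample, PATCH_X64))                  # original
    patched = apply_patch_bytes(sample, PATCH_X64, expected_size=0x20000)
    print("after: ", patch_state(patched, PATCH_X64))                 # patched
    print("x86 patch on this image:", patch_state(patched, PATCH_X86))  # unknown
```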
I bundled the 2 architectures into 1 installer script.
It's now very easy to use, Just run Install.cmd as Administrator.
I also made a restore script.
To restore the backed up LogonController.dll run Restore.cmd as Administrator.
Works for both Home & Pro and all Languages 32bit & 64bit.
Architecture x86
(Patches Offset:0x1C680 8B FF -> C3 90)
Architecture x64
(Patches Offset:0xBF50 48 89 5C 24 08 -> C3 90 90 90 90)
LogonController_Patch.zip
(Use d/l arrow up in the right corner to get the zip file)
As a safety feature you can't apply a patch twice, as you would then overwrite the backup file.
The script looks for LogonController.bak in the system32
folder which is the backupfiles name.
In the future, if MS updates the dll file, manually delete
that backupfile in order to run the autopatcher again.
can you try to provide a service which does inmemory patching of the file?
MagicAndre1981 said:
can you try to provide a service which does inmemory patching of the file?
any update? Also can you add RS2 support? For RS3 this will be no longer needed, because here MS allows skipping of Lockscreen in Pro again.
Changes, improvements, and fixes for PC
The existing Group Policy to disable the lock screen is now available for those on the Pro edition of Windows 10. Appreciate all who shared feedback on the subject.
This patcher does not work anymore with new windows update. I get error: "There was an error applying patch: 0x80070057 (The parameter is incorrect.)"
Can you fix it? Win10 version 1607 build 14393.1480
darkfires said:
As for the 0xBF50 48 89 5C 24 08 -> C3 90 90 90 90, the first part is the file offset, and the rest are op codes. You can look up x86 opcodes on google and get the hex values. The first 5 are actually a single instruction (instruction, address and value), C3 is retn (forces function to return) and 90 are all NOP (no operation). It's pretty trivial with the right tools and some patience
So should I use this code replace or the first post one 75 -> 74?
I accidentally restored a TWRP backup of another Zuk Z2 phone on my new phone and in this process overwrote the EFS partition. This left me with a phone having no IMEI and no MAC for Wi-Fi and Bluetooth. Effectively no network on the phone.
Worried, I searched across internet to find out ways to restore IMEIs and get my phone working again. The way out was to restore xqcn file and use it to get back IMEIs, mac address etc. But there were various posts and mixed feedbacks. Even when I restored modified xqcn and got IMEIs back, it had only one sim actually working and other had no signal.
I spent many hours searching for the right steps. It was a long, tiring process in which close to 2 days were gone trying multiple methods, flashing QPST ROMs around 10 times to observe the network in the stock ROM, in custom ROMs, after reflashing, etc. Shouts go out to Akrapovic & Nordicus for their detailed posts, which helped me in understanding a lot of things and also in finalizing the key steps to restore IMEIs, MAC, etc. and get the phone working.
Pre-requisites:
1) QPST installed on PC; Download v 2.7.453 from here or elsewhere if you know of
2) ADB / Fastboot installed
3) Drivers Installed for Zuk Z2
4) Hex Editor to edit xcqn file
5) WriteDualIMEI_W_G_eMMC - to write IMEIs once xqcn has been restored
6) Zuk Z2 rooted with ADB enabled through developer options and connected to computer
For points 2 and 5, pls refer here to download the files and tools.
So the solution which worked for me, and one which has been tried and tested is following:
1) First check the IMEIs dialing *#06#.
If you see IMEI and matching with that on your box, there is no issue and you should stop.
If you see blank / error, process further
2) The EFS is corrupt and hence we don't see IMEIs. Follow this page and get the EFS partition wiped out to properly prepare EFS for the restore of xqcn in the next steps.
I had restored xqcn file without wiping EFS partition and later on had issues. But all these issues were gone when first wiped EFS and then restored xqcn. So will suggest doing same.
3) Get the xqcn for our phone Zuk Z2 from here original credits to 唐大土土 and Nordicus who shared it here
Use HexEditor to search below default values and replace them with your devices value. IMEIs / MEID is available on box. MAC can be assumed suitably
MEID: 22 22 22 22 22 22 22
IMEI1: 33 33 33 33 33 33 33 33
IMEI2: 44 44 44 44 44 44 44 44
WIFIMAC: 55 55 55 55 55 55
BTMAC: 66 66 66 66 66 66
4) To be on safer side and avoid other variabilities, it is suggested to first flash QPST rom to ensure that apart from EFS all other partitions are fine. This is optional.
5) Now with rooted phone connected to PC, open command prompt on PC and go to adb folder. From there type these commands
Code:
adb shell
su (looking at the phone screen, as during this second command you need to grant root rights)
setprop sys.usb.config diag
Once done you will see in device manager 3 new com ports are open. If some errors or no success in getting com ports opened you can try following too
Code:
adb shell
su (looking at the phone screen, as during this second command you need to grant root rights)
setprop sys.usb.config diag,rmnet,adb
setprop sys.usb.config diag,acm_smd,acm_tty,rmnet_bam,mass_storage,adb
6) In Device Manager, you will see a COM port titled "Qualcomm Android Diagnosis" or similar; note the COM number.
7) Open QPST, click "Add new port" and enter the port in both places (Port and Port Label), which is written in the device manager.
Next Click Start Client -> Software download. Go to Restore tab, and use the modified xqcn file which you saved in step 2 and press Start.
If any error, tick the check box "Allow phone/file ESN mismatch" and press Start
8) Once restore is 100% done, close the QPST and open the WriteDualIMEI_W_G_eMMC, and put in the IMEIs and flash. You should see Green Pass.
9) Reboot phone and dial *#06# - the IMEIs should be seen. Bingo, job done... give me thanks. Just put in SIM and network should be back.
For Step 7, if more details required, pls refer this post with step by step details
Hope this helps !! I will be extremely happy if this guide helps you in restoring IMEIs, repairing lost network and radio issues.
Reserved
Reserved for FAQs and other experiences.
If i keep a backup of efs patition using twrp..will i be safe in case the partition is corrupt or unreadable?
Bidyadhar said:
If i keep a backup of efs patition using twrp..will i be safe in case the partition is corrupt or unreadable?
Yes, that will help in future. Also should take backup of xqcn file using QPST.
I had the lost IMEI problem before, but I did not need rooted phone to solve it. Just turn off the phone, then press Volume (-), and finally connect at the same time the usb cable (make sure drivers were installed before!). You will see 3 new devices, the important is the diagnostics one. Take note of the COM port, and you can use QFIL to backup/flash the qcn. All without root
rainbyte said:
I had the lost IMEI problem before, but I did not need rooted phone to solve it. Just turn off the phone, then press Volume (-), and finally connect at the same time the usb cable (make sure drivers were installed before!). You will see 3 new devices, the important is the diagnostics one. Take note of the COM port, and you can use QFIL to backup/flash the qcn. All without root
Interesting, was not aware of this. Is this EDL mode?
mGforCe said:
Yes, that will help in future. Also should take backup of xqcn file using QPST.
Sir, can you please tell me how to backup xqcn?
Bidyadhar said:
Sir, can you please tell me how to backup xqcn?
Go till Step 7 as per first post and therein choose backup in place of restore. That's it !
mGforCe said:
Interesting, was not aware of this. Is this EDL mode?
I think it is not EDL mode, because the USB vendor and product IDs are different. When I had the IMEI problem, I tried to restore the qcn from EDL mode to no avail. After that, I found the suggestion of using Vol(-) and it worked, but it is a different mode, because the screen is not black in this one; it shows some options instead (sdcard flash, qcn restore, etc).
mGforCe said:
Use HexEditor to search below default values and replace them with your devices value
Please, write here a guide how to edit this values in HEX-editor.
Thanks in advance!
sergsinger said:
Please, write here a guide how to edit this values in HEX-editor.
Thanks in advance!
Pls refer below quoted text from OP
Use HexEditor to search below default values and replace them with your devices value. IMEIs / MEID is available on box. MAC can be assumed suitably
MEID: 22 22 22 22 22 22 22
IMEI1: 33 33 33 33 33 33 33 33
IMEI2: 44 44 44 44 44 44 44 44
WIFIMAC: 55 55 55 55 55 55
BTMAC: 66 66 66 66 66 66
Use Search and replace feature of Hex Editor to replace above value with your device values
mGforCe said:
Pls refer below quoted text
Man, I've tried to do it with two different editors with no luck, because I'm not so used to operating them. So I ask you to write a guide.
Regards.
Problem solved, done by myself.
sergsinger said:
Man, I've tried to do it with two different editors with no luck, because I'm not so used to operating them. So I ask you to write a guide.
Regards.
Problem solved, done by myself.
Good, why don't you share small guide on same for other users now.
mGforCe said:
why don't you share small guide on same for other users now
It looks strange. I've asked you to do this, but now you ask me to write a small guide...
I've used Hex Workshop (it's not an advertisement, but I've tried to edit the QCN file with a few different editors and they weren't so friendly to use).
1) Open editor, choose QCN.
Press "Search" and put in data of MEID, Wi-Fi and Bluetooth MACs:
MEID: 22 22 22 22 22 22 22
WIFIMAC: 55 55 55 55 55 55
BTMAC: 66 66 66 66 66 66
!!! Please notice that the Wi-Fi MAC that you can see in the phone's menu is shown as "54 55 55 55 55 55", but in the editor it will be found as "55 55 55 55 55 55", and in three places. I changed all three, because editing only one doesn't change the MAC after reboot.
3) Check after reboot:
- Wi-Fi and Bluetooth MACs are native
- MEID has changed, but it became reversed in groups of 2 digits (the first two digits are now at the end, and so on). The problem was solved by "MEID/ESN Tool".
Press "Volume -" and "Power On/Off" (release Power after the vibration) until you see "Menu from 0 to 5" (SD update...GetInfo). Connect the phone to the PC. Launch "MEID/ESN Tool", press "Initialize" (the COM port will be shown), then press the "MEID" button and set the checkbox "do MEID", enter the native MEID (it is like the IMEI without the last digit; it is shown on the box and on the film on the back of the phone), press "Write".
!!! I tried to change the MEID in "MEID/ESN Tool" before the QCN was edited, but this was unsuccessful; the MEID didn't change. The MEID became native after I edited the QCN in the hex editor and then used "MEID/ESN Tool" as mentioned above.
4) The last step: recover the native IMEIs. IMEIs were changed via the program "WriteDualIMEI(W+G_eMMC)". Press "Volume -" and "Power On/Off" (release Power after the vibration) until you see "Menu from 0 to 5" (SD update...GetInfo). Connect the phone to the PC. Launch "WriteDualIMEI(W+G_eMMC)", enter the native IMEIs and press "Start". After reboot you will get the native IMEIs.
!!! I tried to edit the IMEIs in the hex editor. But the QCN stores IMEIs as 16 digits, while a regular IMEI has 15. I replaced the last (useless) digit by pressing "space" on the keyboard, and after reboot there was no network. I suppose I needed to put not a "space" but something like "leave an empty cell" in the hex editor. I haven't tried this because I have "WriteDualIMEI(W+G_eMMC)".
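The hex-editor step from the first post, plus the two things sergsinger found the hard way (the Wi-Fi MAC placeholder occurs in three places and all must be changed; a value of a different length breaks the file), can be done safely in a few lines. This is an added example, not a tool from the thread; all function names are mine, the placeholder byte runs are the ones listed in the first post, and the template bytes below are constructed rather than the real xqcn. IMEIs are deliberately left out, since the thread ends up writing those with WriteDualIMEI rather than by hand.

```python
"""Fill the placeholder identifiers in the shared xqcn template, all occurrences at once.

Added example (not a tool from the thread). It automates what the posts describe
doing by hand in a hex editor: locate every occurrence of a placeholder byte run
(22..22 for MEID, 55..55 for the Wi-Fi MAC, 66..66 for the Bluetooth MAC) and
overwrite all of them with a same-length value. A value of the wrong length is
refused, because it would shift every field after it. The template bytes used
here are constructed, not the real file.
"""
from __future__ import annotations

from typing import Dict, List, Tuple

# Placeholder byte runs as listed in the first post of the thread.
PLACEHOLDERS: Dict[str, bytes] = {
    "MEID": bytes.fromhex("22" * 7),
    "WIFIMAC": bytes.fromhex("55" * 6),
    "BTMAC": bytes.fromhex("66" * 6),
}


def find_all(data: bytes, pattern: bytes) -> List[int]:
    """Offsets of every non-overlapping occurrence of `pattern` in `data`."""
    offsets, start = [], 0
    while True:
        i = data.find(pattern, start)
        if i == -1:
            return offsets
        offsets.append(i)
        start = i + len(pattern)


def parse_mac(text: str) -> bytes:
    """'02:11:22:33:44:55' -> 6 raw bytes (colon- or dash-separated, any case)."""
    raw = bytes.fromhex(text.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("a MAC address is exactly 6 bytes")
    return raw


def parse_meid(text: str) -> bytes:
    """14 hex digits (the IMEI without its check digit, as the thread puts it) -> 7 bytes."""
    raw = bytes.fromhex(text)
    if len(raw) != 7:
        raise ValueError("a MEID is 14 hex digits")
    return raw


def fill_template(data: bytes, values: Dict[str, bytes]) -> Tuple[bytes, Dict[str, int]]:
    """Replace each named placeholder everywhere it occurs; return new bytes and hit counts.

    Raises if a value differs in length from its placeholder, or if a placeholder
    is absent (which means this is not the template file the thread shares).
    """
    out = bytearray(data)
    counts: Dict[str, int] = {}
    for name, value in values.items():
        pattern = PLACEHOLDERS[name]
        if len(value) != len(pattern):
            raise ValueError(f"{name}: value is {len(value)} bytes, placeholder is {len(pattern)}")
        hits = find_all(bytes(out), pattern)
        if not hits:
            raise ValueError(f"{name}: placeholder not found; is this the template file?")
        for off in hits:
            out[off:off + len(value)] = value
        counts[name] = len(hits)
    assert len(out) == len(data)  # in-place edit must never change the file size
    return bytes(out), counts


def make_sample_template() -> bytes:
    """Constructed stand-in for the xqcn: filler bytes with the placeholders embedded,
    the Wi-Fi MAC one three times, as sergsinger reported finding it."""
    wifi, bt, meid = PLACEHOLDERS["WIFIMAC"], PLACEHOLDERS["BTMAC"], PLACEHOLDERS["MEID"]
    return (b"\x00" * 16 + meid + b"\x01\x02" + wifi + b"\x00" * 4 + wifi
            + b"\xff" + wifi + b"\x00" * 3 + bt + b"\x00" * 8)


if __name__ == "__main__":
    template = make_sample_template()
    # Constructed identifiers (locally administered MACs); use the ones printed on your box.
    filled, counts = fill_template(template, {
        "MEID": parse_meid("A0000012345678"),
        "WIFIMAC": parse_mac("02:11:22:33:44:55"),
        "BTMAC": parse_mac("02:11:22:33:44:56"),
    })
    print(counts)  # {'MEID': 1, 'WIFIMAC': 3, 'BTMAC': 1}
```

The thread also reports that a MEID written this way showed up with its digit pairs reversed and was corrected afterwards with the MEID/ESN Tool; the script does a plain byte-for-byte replacement and does not try to second-guess that.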
@sergsinger don't know why it's strange.. we can give back to xda community only by sharing our knowledge!
Since you had learnt and done it yourself, why not to share the same.
rainbyte said:
I had the lost IMEI problem before, but I did not need rooted phone to solve it. Just turn off the phone, then press Volume (-), and finally connect at the same time the usb cable (make sure drivers were installed before!). You will see 3 new devices, the important is the diagnostics one. Take note of the COM port, and you can use QFIL to backup/flash the qcn. All without root
I tried your method without rooting, but it didn't work. Can you send me the qcn file to edit for the z2132? Also, to edit with a hex editor, is find-and-replace of the IMEI 3333...33 with our IMEI number OK, or is there another method? Also, where to look for the MEID?
sunnythehoney said:
I tried your method without rooting, but it didn't work. Can you send me the qcn file to edit for the z2132? Also, to edit with a hex editor, is find-and-replace of the IMEI 3333...33 with our IMEI number OK, or is there another method? Also, where to look for the MEID?
Pls read OP in detail...the xqcn file is shared there...also to write IMEI you will need tool WriteDualIMEI_W_G_eMMC
Again pls read and download all tools as mentioned in OP as pre-requisite
mGforCe said:
Pls read OP in detail...the xqcn file is shared there...also to write IMEI you will need tool WriteDualIMEI_W_G_eMMC
Again pls read and download all tools as mentioned in OP as pre-requisite
I downloaded the 66...6.xqcn file posted above and edited it with a hex editor, replacing meid:22.....22 with the IMEI-translator hex number, same for the IMEI numbers, and restored it through QPST config. Then I used writedualimei_w_g_emmc; all operations showed no error and completed successfully, but after reboot, when dialing *#06#, it shows null MEID or IMEI. Now I am going to try inverting the MEID number (inverting the regular MEID number and the IMEI in inverted pairs, and making the first 8 into 8A). See what happens.
sunnythehoney said:
I downloaded the 66...6.xqcn file posted above and edited it with a hex editor, replacing meid:22.....22 with the IMEI-translator hex number, same for the IMEI numbers, and restored it through QPST config. Then I used writedualimei_w_g_emmc; all operations showed no error and completed successfully, but after reboot, when dialing *#06#, it shows null MEID or IMEI. Now I am going to try inverting the MEID number (inverting the regular MEID number and the IMEI in inverted pairs, and making the first 8 into 8A). See what happens.
Where did you find your MEID number? I am having the same problem.
badri21 said:
Where did you find your MEID?
It is shown on the box & film from the back of the phone. Usually it is like first IMEI w/o last digit.
In hex-editor MEID which comes with QCN will be simply found by typing "22 22 22 22 22 22 22" in search bar.