Enabling HSPA+ on 1700 AWS on non T-Mobile Variants - One (M7) General

Hi All, I was reviewing this chart from this thread:
and I noticed that the following variants all share the same hardware:
AT&T
T-Mobile
Telus
Bell
Rogers
Virgin
Developer
How come only the T-Mobile variant has access to the HSPA 1700 AWS Band? I've been perusing some of the threads all around XDA, and I was wondering if we could apply similar methods to the HTC One to obtain this hidden band.
[GUIDE] Enable AWS on Samsung Galaxy IV AT&T i337 & Canadian i337M
[Bounty Completed] Enable 3G on TMobile AWS 1700MHz for ATT Galaxy S3 i747
Enable AWS band (3g/4g Tmobile) on ATT Note 2 stock baseband
or what if we had S-Off for the HTC One?
[S-OFF] revone - DEVELOPER EARLY ACCESS PREVIEW EDITION
Could we try changing the CID (SuperCID) first and then try flashing a complete T-Mobile Rom/Radio/Modem onto one of the other Carrier Variants?
Just curious if anyone has given this shot.

MegaMan X said:
Could we try changing the CID (SuperCID) first and then try flashing a complete Flash T-Mobile USA Radio In Recovery onto one of the other Carrier Variants?
There are already a few threads, but I don't think any progress so far. I'm interested in this as well, but we'd need the TMO RUU first...

As mentioned, there are a few other threads on this but no progress has been made yet.
The Samsung process requires enabling the DIAG mode (which only works on Sprint model) to enable RNDIS connectivity -- otherwise the Qualcomm software won't work.

WorldIRC said:
As mentioned, there are a few other threads on this but no progress has been made yet.
The Samsung process requires enabling the DIAG mode (which only works on Sprint model) to enable RNDIS connectivity -- otherwise the Qualcomm software won't work.
hey nice to see you here, always saw you on hofo
Since S-OFF is out, it's possible to enable qdxc (can't remember the exact) via fastboot,
I have hope now

I'm checking the threads several times a day just so someone can find the fix. I have an att One but I'm with tmobile network so I desperately need this to work.
Sent from my Nexus 4

ytwytw said:
hey nice to see you here, always saw you on hofo
Since S-OFF is out, it's possible to enable qdxc (can't remember the exact) via fastboot,
I have hope now
Find out!!
Sent from my HTC One

I hope this works soon as I need that aws band like everybody else on T-mobile with a non htc one branded phone.

So is it a myth when people say these bands are hardware based and for att only ?
Sent from my HTC One XL using xda app-developers app

ceo4eva said:
So is it a myth when people say these bands are hardware based and for att only ?
Sent from my HTC One XL using xda app-developers app
There have been some HTC reps who said the TMO version had different hardware. But it was never confirmed (and doesn't really make any sense).

stevedebi said:
There have been some HTC reps who said the TMO version had different hardware. But it was never confirmed (and doesn't really make any sense).
I think that is true otherwise the Google edition would have been pentaband hspa+ correct? Basically the Google edition, att version, HTC Dev edition are same hardware and T-Mobile different. Not sure why HTC does that, makes sense to disable bands thru software like Samsung does.
Sent from my HTC One using Tapatalk 2

has anyone tried to do the following on a stock recovery & rom?
1.) Unlock Bootloader & Root
http://forum.xda-developers.com/showthread.php?t=2260376
2.) S-Off
http://forum.xda-developers.com/showthread.php?t=2314582
3.) Change CID to SuperCID (11111111)
http://forum.xda-developers.com/showthread.php?t=2315319
4.) Change ro.cid to match CID
http://forum.xda-developers.com/showpost.php?p=42351491&postcount=35
5.) change efuse to 4NSL. Check efuse using terminal command getprop ro.boot.efuse_info
http://forum.xda-developers.com/showpost.php?p=31340199&postcount=1912
6.) Flash T-Mobile RUU / T-Mobile Nandroid / T-Mobile Radio/Modem
http://forum.xda-developers.com/showthread.php?t=2207874
http://forum.xda-developers.com/showthread.php?p=40745177

MegaMan X said:
has anyone tried to do the following on a stock recovery & rom?
1.) Unlock Bootloader & Root
http://forum.xda-developers.com/showthread.php?t=2260376
2.) S-Off
http://forum.xda-developers.com/showthread.php?t=2314582
3.) Change CID to SuperCID (11111111)
http://forum.xda-developers.com/showthread.php?t=2315319
4.) Change ro.cid to match CID
http://forum.xda-developers.com/showpost.php?p=42351491&postcount=35
5.) change efuse to 4NSL. Check efuse using terminal command getprop ro.boot.efuse_info
http://forum.xda-developers.com/showpost.php?p=31340199&postcount=1912
6.) Flash T-Mobile RUU / T-Mobile Nandroid / T-Mobile Radio/Modem
http://forum.xda-developers.com/showthread.php?t=2207874
http://forum.xda-developers.com/showthread.php?p=40745177
As of yet, no T-mobile RUU has been released and a Nandroid would likely not contain the radio partition. We need someone to dump their entire eMMC partition table and then clone it onto a dev edition (AT&T phone) to start to make any progress.
sassafras

I'm interested in this as well and I, too, have been tracking a few other posts. I believe I've seen people documenting the T-Mobile US model as PN0713000 (ro.aa.modelid), whereas the US Developer Edition and the AT&T edition have a modelid of PN0712000. I have no idea whether this indicates different hardware or if it's just an indicator that's used elsewhere in the code. Exactly what's used to determine whether to enable the additional T-Mobile frequencies, is still TBD but a good start would be to set correct modelid and CID on a T-Mobile ROM, preferably an RUU. A failure on anything short of that is not, in my opinion, definitive. That's not to say experiments on other than a T-Mobile RUU are worthless -- we may stumble on the correct settings. At a minimum, though, I'd try setting all of
- a T-Mobile US model id
- a T-Mobile US CID
- maybe even using a stock T-Mobile build.prop

short/y said:
I'm interested in this as well and I, too, have been tracking a few other posts. I believe I've seen people documenting the T-Mobile US model as PN0713000 (ro.aa.modelid), whereas the US Developer Edition and the AT&T edition have a modelid of PN0712000. I have no idea whether this indicates different hardware or if it's just an indicator that's used elsewhere in the code. Exactly what's used to determine whether to enable the additional T-Mobile frequencies, is still TBD but a good start would be to set correct modelid and CID on a T-Mobile ROM, preferably an RUU. A failure on anything short of that is not, in my opinion, definitive. That's not to say experiments on other than a T-Mobile RUU are worthless -- we may stumble on the correct settings. At a minimum, though, I'd try setting all of
- a T-Mobile US model id
- a T-Mobile US CID
- maybe even using a stock T-Mobile build.prop
That was the first thing I tried after S-Off. Flashed radio via bootloader, changed CID and all IDs. No dice.

PcFish said:
That was the first thing I tried after S-Off. Flashed radio via bootloader, changed CID and all IDs. No dice.
Did you happen to use a stock T-Mobile ROM?

short/y said:
Did you happen to use a stock T-Mobile ROM?
Yeah, stock, odexed and relocked my bootloader. Everything I could possibly do to make it T-Mo without an RUU.

PcFish said:
Yeah, stock, odexed and relocked my bootloader. Everything I could possibly do to make it T-Mo without an RUU.
Dang! OK, thanks. It's not looking good but there still may be something we're not seeing.

Again, we haven't really made any definitive answers because we don't have a T-Mo RUU or an eMMC dump from a t-mo device. The radio partition itself may not be all that is required.
There are other partitions which seem to suggest they play a role in setting up the radio characteristics.
sassafras

Tell me how!
I have both the T-Mobile version and the Dev version. Tell me how to do those dumps and I'll do it.
sassafras_ said:
Again, we haven't really made any definitive answers because we don't have a T-Mo RUU or an eMMC dump from a t-mo device. The radio partition itself may not be all that is required.
There are other partitions which seem to suggest they play a role in setting up the radio characteristics.
sassafras

ohiosux said:
I have both the T-Mobile version and the Dev version. Tell me how to do those dumps and I'll do it.
The basic method is to use the "dd" command from adb shell or a terminal emulator session. To grab the radio you do
Code:
dd if=/dev/block/mmcblk0p31 of=/sdcard/radio.img
p31 is the partition where the radio's stored. "if=" is the input file or, in this case, the partition. "of=" is where the output is written. Once you get the list of partitions, you can just loop through them on both devices.

Related

[How To] Enable HSUPA on Captivate

Okay, I'm sorry guys, I made a huge mistake and didn't test an actual voice call before posting this guide. I saw it connect to the network, and the data including HSUPA worked, but voice calls have no sound. Not only that, but this DOES only work on 1900 MHz, so if you're in an 850 MHz area, you won't be able to connect to a tower. So for now, this guide is no good. Not all hope is lost though. There are compatible Canadian carriers, and when we get a radio file from them we can try again. For now, don't apply the EU radio to your Captivate or you won't be able to hear anyone in voice calls. Sorry again for not testing better before getting everyone's hopes up. I'll update this thread once I get a Canadian ROM to test.
Well, I've been pretty vocal about this issue, because it's one that really bothered me. Mainly because the Galaxy S supports HSUPA, and really, any new high end phone should. I suspected AT&T was disabling it on the Captivate, likely to save features like that for the iPhone 4, and it looks like that was right.
After a suggestion from trinikartel (thanks twice for good info that helped figure this out!), I flashed the i9000 JP3 modem firmware to the Captivate, and sure enough, the result was:
I've only been an Android owner for less than two weeks, so it took a little while to figure out at first, haha, but the process is very simple:
1. Download an i9000 firmware, I got the JP3 firmware from http://samsung-firmware.webs.com. See my note below
2. Extract the firmware and find the modem firmware tar file. I9000XXJP3.tar for JP3, not to be confused with I9000XXJP3.rar which was the whole archive. If you're not sure, open it up, it should have modem.bin in it.
3. Put your phone into download mode by turning off your phone, plugging it into your computer, waiting for the green battery charging icon to appear, then holding vol+ and vol- at the same time and holding power until the screen goes black, then releasing power ONLY until you get the yellow construction sign that says Downloading...
4. Use odin to flash the modem firmware file. I used all default settings, just click the PHONE button under files and choose the modem firmware tar file, then press start.
It should only take about 10 seconds or so then your phone will reboot and you're done. This is what you should see on odin:
Once it starts up, you can run a speed test to verify that it's working.
NOTES: Of course the standard disclaimer applies, flash at your own risk. Hell, I haven't even had an Android phone for 2 weeks yet and this is my first time flashing, so be careful. It should be a very easy process though.
In regards to step 1 above, I have only tested this with the JP3 modem firmware, however, that's a 2.2 beta or even alpha firmware, so use it at your own risk. Everything seems to work fine with it coupled with my stock JF6 ROM though. I don't see any reason at all why an i9000 2.1 modem firmware wouldn't do the same thing and be more stable though, I just haven't tested it yet. I'm about to test it now, and I'll update this in little while with the results, so if you don't want to use the JP3 firmware, wait a few minutes.
Very nice, it will be even better once they fix the upload issues on their network!
flashing now... I will report results asap.
direct link to firmware:
http://www.multiupload.com/6B0SMQZ5S7
password:
samsung-firmwares.com
CONFIRMED WORKING!
Great job on the write up! Glad to have helped with this one...it's gonna be huge for everyone involved.
Double check to verify GPS, Bluetooth etc are still working like normal
Okay, so there could be one possible issue, but I can't test it in my area. I don't know that the EU modem software will support 850 MHz 3G, but my area is only 1900, so it works fine.
This may cause issues with 3G for people in 850 MHz areas following this guide, but you can always flash back if you do have issues, so we'll know more after someone in 850 MHz area tries it.
I can't get speedtest.net to work properly. It always thinks I am in Pennsylvania even when I am in central il.
madjsp said:
I can't get speedtest.net to work properly. It always thinks I am in Pennsylvania even when I am in central il.
Neither can I. As you can see it gives me a Tennessee server as my closest, but I live in Raleigh, NC. I know there is a server that's just down the road from me, but I can't get the damn thing to see the right servers. Just play around with different servers until you get one that seems pretty fast. Even with 10 or so servers closer, I found the Reston, VA server to be the fastest for me when it was finding the proper location.
AJerman said:
Okay, so there could be one possible issue, but I can't test it in my area. I don't know that the EU modem software will support 850 MHz 3G, but my area is only 1900, so it works fine.
This may cause issues with 3G for people in 850 MHz areas following this guide, but you can always flash back if you do have issues, so we'll know more after someone in 850 MHz area tries it.
if you don't mind can you also post a link to Odin3 download ?
anilkuj said:
if you don't mind can you also post a link to Odin3 download ?
Sure, it's at samsung-firmware.webs.com also, but only in the i9000 section, not the Captivate section: http://www.multiupload.com/DLS7TWUVPY
AJerman said:
Sure, it's at samsung-firmware.webs.com also, but only in the i9000 section, not the Captivate section: http://www.multiupload.com/DLS7TWUVPY
thanks buddy!
I am in a 850Mhz coverage area, flashed to the 2.1 MODEM_I19000XXJM1.tar and couldn't connect to a 850Mhz tower. Usually when the phone is by my desk I am on 850Mhz, and I verify it by putting the phone in network mode *#0011#. After flashing the phone showed 1900mhz and poor -db, flashed back to default modem software and locked back onto 850Mhz band.
Someone else in a 850Mhz area should verify my findings that the modem firmware for the EU version disables 850Mhz band.
****, can someone try making a call that has done this mod? I connected, got internet and everything, but I'm not hearing anything in my calls. It looks like it's calling, I just can't hear anything. I guess I never tried actually making a call before posting this.
This whole guide may be pointless other than to show us that it is indeed a restriction in modem firmware.
haha, yup, nothing....
j7899 said:
I am in a 850Mhz coverage area, flashed to the 2.1 MODEM_I19000XXJM1.tar and couldn't connect to a 850Mhz tower. Usually when the phone is by my desk I am on 850Mhz, and I verify it by putting the phone in network mode *#0011#. After flashing the phone showed 1900mhz and poor -db, flashed back to default modem software and locked back onto 850Mhz band.
Someone else in a 850Mhz area should verify my findings that the modem firmware for the EU version disables 850Mhz band.
hi where did you find the default modem firmware ?
thanks
Guess we'll want to try and find the Canadian firmware since it will be 850mhz and see if that helps (when it's available).
-James
Well damn, sorry for the premature celebration on this one. I could deal with no 850 MHz 3G since we're only 1900 MHz in my area, even though that wouldn't be a good final solution for everyone, but no voice in call isn't good for anyone.
I guess disregard this guide for now. Like I said, I'm still new to Android, but I've asked and it looks like there's no way to modify the radio firmwares.
It looks like the best bet is to look to the Canadian versions, I know they have networks that run 850/1900. If it's just AT&T with the restriction, perhaps their radio will enable HSUPA without any issues.
Edit: Hah, James beat me to it, exactly what I was thinking. I know Rogers has a Galaxy S planned. As soon as I can get one of those firmware's I'll try this again. Sorry guys, a call should have been the first thing I did, that was my mistake!
anilkuj said:
hi where did you find the default modem firmware ?
thanks
The entire JF6 firmware can be downloaded here: http://www.multiupload.com/MGEJ5CZLWC
But I'll upload the radio only right now to make faster for anyone who may have followed this guide before I found the issues.
Edit: Here's the radio only. This is all you need to flash back to the Captivate JF6 radio. http://www.multiupload.com/YJMRCXANR0
AJerman said:
The entire JF6 firmware can be downloaded here: http://www.multiupload.com/MGEJ5CZLWC
But I'll upload the radio only right now to make faster for anyone who may have followed this guide before I found the issues.
Edit: Here's the radio only. This is all you need to flash back to the Captivate JF6 radio. http://www.multiupload.com/YJMRCXANR0
How do you flash the .bin file? with Odin?
clubtech said:
How do you flash the .bin file? with Odin?
If you haven't flashed anything from the first post, then don't worry about it. This ended up not working on the Captivate, so there's nothing to change right now. I just posted the stock radio for anyone who had done my mod before I realized the mistake. That way they don't have to download the entire firmware, they can download the smaller radio file.
Nice try man. Subbed for your future endeavors
AJerman said:
If you haven't flashed anything from the first post, then don't worry about it. This ended up not working on the Captivate, so there's nothing to change right now. I just posted the stock radio for anyone who had done my mod before I realized the mistake. That way they don't have to download the entire firmware, they can download the smaller radio file.
No i am asking for another test i am doing unrelated to this.
Do you simply flash the file with odin under modem?

[Q] 3G problems

I just got a nexus one last night. it was previously used on ATT and now i'm using it on TMobile. I noticed right away that it would not connect to 3G, only 2G. today I rooted it via rageagainstthecage and adb because it was already updated to 2.2.1. I was just wondering if anyone else had this issue and what can I do to fix it? Do I need to fix the radio or what? The specs of my nexus one are as follows:
Version: 2.2.1
Baseband Version: 32.36.00.28U_4.06.00.12_7
Kernel Version: 2.6.32.9-27240-gbca5320 android-build(at)apa26 #1
Build Number: FRG83
I experienced these issues even before rooting. I really appreciate any help.
Hi,
When I upgraded to Froyo on my N1 I didn't have any 3G, turned out 3G was disabled, I re-enabled it by going to the phone dialler and type in *#*#info#*#*, go to phone information and scroll down to the bottom, should be set to WCDMA preferred.
Something to think about as well, I recently upgraded to 5.08 radio since 3G was very patchy since moving to Froyo, works amazingly well for me, seems hit and miss for people but well worth a try at least.
how do i upgrade to that radio and will that work in the US?
also, i did the dialer thing and it is on that preferred one already, is there anything else i can do? or should i change it from that preferred one?
You can grab the radio from here http://forum.xda-developers.com/showthread.php?t=723839
It will work for all Nexus Ones, make sure you have your phone fully charged before you do this as a failure while flashing will brick your phone. There is a couple of ways to flash it. I used fastboot, you just extract the zip file which contains radio.img, then do the following command, fastboot flash radio radio.img
ATT and TMO use different 3G frequencies in the US (1700 AWS for TMO). An ATT N1 can't use TMO's 3G and vice versa.
thanks, and i can do this without having a custom recovery? just use adb? and do i literally just type "fastboot flash radio radio.img" after going into cmd? sorry for all the questions, I just wanna make sure i don't mess anything up
fredz024 said:
ATT and TMO use different 3G frequencies in the US (1700 AWS for TMO). An ATT N1 can't use TMO's 3G and vice versa.
the N1 was unlocked but was used for ATT, is there something I need to do to change it to TMO frequency if that's the case?
It is hardware. Unfortunately it's impossible.
Right, it's hardware, not firmware. You need a TMO-specific N1.
great...so will upgrading the radio do anything for me? and if so, do i extract the radio.img to the sdcard or to sdk tools folder?
Oops, sorry - forgot ATT and T-Mobile run different frequencies, you won't be able to do anything about it.
bsktballstar3131 said:
great...so will upgrading the radio do anything for me? and if so, do i extract the radio.img to the sdcard or to sdk tools folder?
no
it's hardware. you can only get 3g FROM tmo on a tmo frequency phone, and only get 3g FROM ATT on a att frequency phone. ... see ?
if you're using att, they're going to slam you with a $30/month fee for smartphones too ;-)
You should be able to trade the phone - the at&t 3G version is no longer on sale, so it is much harder to get than the TMUS version ... you should easily be able to sell it/trade it for a TMUS version.

[Q] Does new radio (6.35) help with 3G issues?

I have a rooted Roger's HTC Magic running ezterry's official OTA 2.2 ROM. It's fantastic except I continue to have problems where my 3G connection will stop working and the only workaround is to cycle Airplane mode.
Does anyone know if installing the new 6.35 radio (and a support ROM) would help with this problem? I've tried to find out more info on the difference between the two radios but there doesn't seem to be much.
Thanks!
tsouthen said:
I have a rooted Roger's HTC Magic running ezterry's official OTA 2.2 ROM. It's fantastic except I continue to have problems where my 3G connection will stop working and the only workaround is to cycle Airplane mode.
Does anyone know if installing the new 6.35 radio (and a support ROM) would help with this problem? I've tried to find out more info on the difference between the two radios but there doesn't seem to be much.
Thanks!
The 6.x radio is not compatible with the same rom structure as the 2.x/3.x and requires some new drivers and utilities..
So if you want a rom made for 2.x/3.x to work you can't use 6.x radios..
The problem is presumably you have radio 3.22.26.17 .. this has buggy 3g but is the one rogers will not disable your data without signing the e911 waiver.
If you are not a rogers customer there is no reason to use 3.22.26.17.. return to 3.22.20.17 via fastboot.
If you have signed the e911 waiver you can also downgrade.
The 6.x can work without the waiver but you will need to find roms for it (various in the sapphire section check carz12's work)
ezterry said:
The problem is presumably you have radio 3.22.26.17 .. this has buggy 3g but is the one rogers will not disable your data without signing the e911 waiver.
The 6.x can work without the waiver but you will need to find roms for it (various in the sapphire section check carz12's work)
Correct, I am a Rogers customer and have the 3.22.26.17 radio. I tried signing the online waiver but it just keeps telling me to enter a valid serial number. Maybe you have to be cut-off before you can sign the waiver. I'm not interested in getting my data cut off and then have to wait to get it back.
I guess I'll look into a 6.35 Gingerbread ROM.
tsouthen said:
Correct, I am a Rogers customer and have the 3.22.26.17 radio. I tried signing the online waiver but it just keeps telling me to enter a valid serial number. Maybe you have to be cut-off before you can sign the waiver. I'm not interested in getting my data cut off and then have to wait to get it back.
I guess I'll look into a 6.35 Gingerbread ROM.
No you just need to call them.. probably best anyway (as it leaves more options available)
That said that isn't to say anything is wrong with a properly created 6.x radio + related rom... just it makes the device something different than the Dream/Sapphire combo I am used to working on .. and something closer related to the HTC Hero.. This while appears to be a very similar device is not identical.
ezterry said:
No you just need to call them.. probably best anyway (as it leaves more options available)
OK, I called Rogers and asked to be put on the waiver list and was told that they couldn't put me on the list until I was blocked. I'm not too confident this is the right answer. Do you know if this is true? If not, what is the right thing to say to get them to do this?
Thanks!

[Q]S-Off for the m9+ MTK device?

Anyone heard about M9+ S-Off method in development?
It would be very nice to have that so we can change carrier ID.
At the moment we can't change from chinese to asia wwe or Taiwan etc etc firmwares or just CIDs, and thus who has a chinese CID in the aboot partition is bound to get Chinese news on blinkfeed. (I've gathered some information and this is the situation: blinkfeed is working with carrier id of the phone and other language resources. Read about this on E8 and chinese m8 phones, but now there's a solution for this with custom rom and mod, look up in this forum, CleanSlate or Mod Sense Home...)
I'd be willing to donate if S-Off would become possible. Of course we don't have the kernel sources yet, so it's very improbable that someone would be working on it already, but let's just start a discussion about this.
UPDATES:
So what we know so far,
- there's the JCard method possible which needs a service or a JCard at home
- the bootloader is type ABoot
- no method yet for s-offing without JCard
- no kernel sources out yet for the phone
J card works.
so far, only java card works
Thanks good to know about JCard thing!
Hopefully when kernel sources will be out, some brute force method can be found to access the protected partition and flip it to S-Off.
It would be nice to have a method that can be done with only software and PC.
There's been a recent dump of kernel sources yesterday on http://www.htcdev.com/devcenter/downloads but not the m9pw yet. Hope they release it soon enough, so someone can look at it. Hopefully a hoard of M9+ users would be willing to donate for the one who brings such method. I'll be first in line to donate.
Maybe there's already a similar device with MTK and similar boot loading mechanism cracked?
Does someone know if there were any other HTC device with MTK chipset S-Offed without JCard, like S-Off with revone and such methods?
Not sure if the sunshine boys are going to be working on s off on the plus but those guys would probably be the ones who do it, their stomping ground is Qualcomm however
I have access to HTC Authorized service in my City. These guys already have J Card but unfortunately they don't have detailed guideline how to deal with M9 +
They said that in another MTK HTC devices there is an option in the bootloader mode (Sim lock) and they are doing official S off in this menu, but there was no Sim lock Menu in M9+ bootloader.
If someone knows how to deal with this issue I will continue my attempts for S Off.
zazabichi said:
I have access to HTC Authorized service in my City. These guys already have J Card but unfortunately they don't have detailed guideline how to deal with M9 +
They said that in another MTK HTC devices there is an option in the bootloader mode (Sim lock) and they are doing official S off in this menu, but there was no Sim lock Menu in M9+ bootloader.
If someone knows how to deal with this issue I will continue my attempts for S Off.
maybe @SteelH or @ntflc has some tips?
tbalden said:
maybe @SteelH or @ntflc has some tips?
S-off is possible with jcard. Don't know what tip you are looking for.
SteelH said:
S-off is possible with jcard. Don't know what tip you are looking for.
I have access to Jcard but don't know how to S off the device.
Could you please please advise me?
zazabichi said:
I have access to Jcard but don't know how to S off the device.
Could you please please advise me?
oem writesecureflag 0
Already S offed. What's next?
zazabichi said:
Already S offed. What's next?
Nice! What's your intentions? Do you want to try to convert your phone to another region's full firmware? There's some risk in that, we don't exactly know if the hardware from China and the other regions are fully the same and compatible, like the radio unit. I guess they are, I didn't have any issues running the phone on Asia WWE firmware or European, but I didn't (and couldn't because of S-On on my device) try a full conversion with all the S-On protected partitions of the phone. I only could flash boot/recovery/data and system, but there's a lot more of different partitions related to the hardware functionality.
Practically with s-off you can overwrite the CID (carrierid) to supercid (1111111 or something like that ) of your phone and thus you can convert flash any other regions full RUU firmware zip from 'fastboot oem rebootRUU' mode. Then you can receive OTAs of that different regions.
Otherwise being s-off means nothing much more than that opportunity.
Also probably you could unlock the sim lock to a certain phone company if your sim is bound to a phone company, on an S-Offed device you can do that. But I'm not sure how that's done.
tbalden said:
Nice! What are your intentions? Do you want to try to convert your phone to another region's full firmware? There's some risk in that; we don't exactly know if the hardware from China and the other regions is fully the same and compatible, like the radio unit. I guess they are; I didn't have any issues running the phone on Asia WWE firmware or European, but I didn't (and couldn't because of S-On on my device) try a full conversion with all the S-On protected partitions of the phone. I could only flash boot/recovery/data and system, but there are a lot more partitions related to the hardware functionality.
Practically, with S-off you can overwrite the CID (carrier ID) of your phone to SuperCID (1111111 or something like that), and thus you can convert by flashing any other region's full RUU firmware zip from 'fastboot oem rebootRUU' mode. Then you can receive OTAs of that different region.
Otherwise, being S-off means nothing much more than that opportunity.
Also, you could probably unlock the SIM lock to a certain phone company if your SIM is bound to a phone company; on an S-Offed device you can do that. But I'm not sure how that's done.
Yes I wanna have European Firmware.
Is it possible to extract Non Chinese dialer file?
zazabichi said:
Already S offed. What's next?
Please give us some more details.
As far as I understand - you connect the jcard, reboot in bootloader, and enter that command?
Thanks!
I have one from UAE. I did everything to S-off this device but no luck until now. It did not work with jcard. I have version 1.61.401.6 installed. Now, I see some people had luck with M9+ from other regions. I mean, is it region related or something? I even unlocked my bootloader, installed TWRP and rooted my device just to try that Sunshine method. Unfortunately the Sunshine method did not work either. Now my question is: if Taiwanese or Chinese versions can be S-off with jcard, how can I install their software version? Why can't I S-off my M9+? I would really appreciate it if people shared their S-off experiences.
Sorry for the ignorance, but from where can I get Jcard? I see a lot of people in here have it.
Also can a Java Card or Jcard be emulated on a PC?
Sent from my HTC One M9+
Good news ahead https://twitter.com/illespal/status/621710108154695680 sunshine maybe soon for m9+ soff exploit
tbalden said:
Good news ahead https://twitter.com/illespal/status/621710108154695680 sunshine maybe soon for m9+ soff exploit
I have an XTC2Clip on its way for this, will keep you all posted on how it goes.
Sent from my HTC One M8x using Tapatalk.

About The New Way To Unlock Bootloader

Two days ago, I posted a new way to unlock the bootloader. First, it's my mistake that I posted it ambiguously.
But the way really exists. I didn't lie. Because I am not good at English. I just hope someone can hack it, but I didn't express my idea exactly. My friend had his bootloader unlocked by a specialist who was remotely controlling his computer. Maybe he used a tool like a Hard solution tool of HTC, apart from these adb commands shared by me. He may have shared his tool to my friend's PC by Usbover (not sure). He would not publish his way, so my friend paid him money. But my friend secretly took photos while he was controlling his computer. He first rewrote the CID, then downgraded to 7.1.1 from 7.1.2 by adb commands (maybe he used the special tool during that period). Then he flashed the ROM packaged in a new way; he made it specially. Finally he unlocked the bootloader. And all these steps were discussed by a group of people, not just myself. We just don't have that tool. I have the address of the special ROM. [emoji40] Hoping someone can make it
from taptalk
Those screenshots don't make sense on a Pixel. The CID commands do not work on a Pixel.
chenery said:
Two days ago, I posted a new way to unlock the bootloader. First, it's my mistake that I posted it ambiguously.
But the way really exists. I didn't lie. Because I am not good at English. I just hope someone can hack it, but I didn't express my idea exactly. My friend had his bootloader unlocked by a specialist who was remotely controlling his computer. Maybe he used a tool like a Hard solution tool of HTC, apart from these adb commands shared by me. He may have shared his tool to my friend's PC by Usbover (not sure). He would not publish his way, so my friend paid him money. But my friend secretly took photos while he was controlling his computer. He first rewrote the CID, then downgraded to 7.1.1 from 7.1.2 by adb commands (maybe he used the special tool during that period). Then he flashed the ROM packaged in a new way; he made it specially. Finally he unlocked the bootloader. And all these steps were discussed by a group of people, not just myself. We just don't have that tool. I have the address of the special ROM. [emoji40] Hoping someone can make it
from taptalk
Okay, responding to this, there are a few problems, and some interesting things.
The initial tool you mentioned must play a hell of an important role here.
By default, no Pixel has cid/mid read/write oem commands, and I don't know of a Pixel bootloader that does. This makes it odd. He then also uses htc_fastboot to flash "zip", which is a way to flash signed RUUs on HTC phones. It is also worth noting he flashes NDE63H, which was the first 7.1 build that shipped on the Pixel (vulnerable to DePixel8 at that point).
Our current bootloader doesn't support flashing "zip" either. It does oddly have a remnant oem rebootRUU command that does absolutely nothing, but we can't flash an RUU.
It is possible that there is some leaked signed HTC internal stuff being used here, which would explain the added HTC commands, and ability to flash an RUU. The only thing this wouldn't explain is why the rollback protection didn't block this (maybe their RUU doesn't include the older bootloader).
I don't know, additional information would be necessary to conclude anything about this.
I know this, my Verizon XL has been unlocked by the method, but the skill I don't have. Days ago I bought the service from a merchant. The main method is to downgrade Android to 7.1. Maybe someone can hack it.
---------- Post added at 09:54 AM ---------- Previous post was at 09:49 AM ----------
But in fact, I cannot get the img, and he must have some documents to crack the CID to 111111. Then it will go to HTC download mode.
jackzhu said:
I know this, my Verizon XL has been unlocked by the method, but the skill I don't have. Days ago I bought the service from a merchant. The main method is to downgrade Android to 7.1. Maybe someone can hack it.
---------- Post added at 09:54 AM ---------- Previous post was at 09:49 AM ----------
But in fact, I cannot get the img, and he must have some documents to crack the CID to 111111. Then it will go to HTC download mode.
Where did you buy the service from?
I'm still very dubious about this.
If there was a way, I've a feeling our developers would be aware of it here.
Also, why is everything labelled HTC?
Milly7 said:
Where did you buy the service from?
Taobao
y2grae said:
I'm still very dubious about this.
If there was a way, I've a feeling our developers would be aware of it here.
Also, why is everything labelled HTC?
I agree.. and HTC is the phone's manufacturer.
@jcase any ideas as this may be a good way for those to unlock the bootloader?
jackzhu said:
I know this, my Verizon XL has been unlocked by the method, but the skill I don't have. Days ago I bought the service from a merchant. The main method is to downgrade Android to 7.1. Maybe someone can hack it.
---------- Post added at 09:54 AM ---------- Previous post was at 09:49 AM ----------
But in fact, I cannot get the img, and he must have some documents to crack the CID to 111111. Then it will go to HTC download mode.
Remember the name g-2pimg_m1_whl_n70_htc_generic_nde63h_user_release_radio_not_specify_release_485606_2_4.zip exclusive
jackzhu said:
Remember the name g-2pimg_m1_whl_n70_htc_generic_nde63h_user_release_radio_not_specify_release_485606_2_4.zip exclusive
I would try
from taptalk
It looks like the file in question can be found here: http://www.easy-firmware.com/index.php?a=browse&b=category&id=16647
My GoogleFU is strong.
I am at work and cannot download to find out what is in it, as anything else I try to do on the site is blocked. I do not think this firmware is for the Pixel, but if someone with an idea how our phone works can download the file, we can see what's inside and if it looks applicable. I find the entire thing VERY dubious, but if there's a way we can write the CID on our Verizon models, believe me, I WILL change mine.
Edit: I found the file on two other websites. All of them had it behind a paywall, but I found a different file with the same naming convention on another site that wasn't paywalled. I downloaded that file just now and will see if it is even software for our phones. I suspect this might be for the HTC One Mini, but I'll see what's in this zip.
PWn3R said:
It looks like the file in question can be found here: http://www.easy-firmware.com/index.php?a=browse&b=category&id=16647
My GoogleFU is strong.
I am at work and cannot download to find out what is in it, as anything else I try to do on the site is blocked. I do not think this firmware is for the Pixel, but if someone with an idea how our phone works can download the file, we can see what's inside and if it looks applicable. I find the entire thing VERY dubious, but if there's a way we can write the CID on our Verizon models, believe me, I WILL change mine.
It's one of the process, I cannot remember all the steps
Could you please put up a link to the service that unlocks the bootloader?
So the other file that I downloaded with a similar name: G-2PIMG_M1_WHL_N70_HTC_Generic_NMF26U_user_release_Radio_Not_Specify_release_493363_2 contains a _VERY_ weird set of zip files inside. Inside at least one of the zip files is a signed bootloader. There's an Android file that has model descriptor numbers that match the Pixel XL per what I found here: https://www.techwalls.com/google-pixel-pixel-xl-model-number-differences/
Inside the file that has the signed BL image is a file that contains what looks like a list of steps that tell it to wipe every partition on the device. I have no idea what program would be used to flash this firmware in the format it's in (the system image is chopped up into small chunks, and there are other oddities). I am posting the file in question on my Google Drive. Can @jcase look at this or someone who's got more knowledge than I do about how these phones work?
File can be downloaded here: https://drive.google.com/open?id=0B6BaDxaggle2YndJU2Ywd3BHRkk
FOR THE LOVE OF GOD AND ALL THAT IS GOOD, DO NOT FLASH ANYTHING FROM THIS ZIP UNTIL WE KNOW WHAT WE ARE LOOKING AT. IF YOU BRICK YOUR DEVICE, I WILL DIE LAUGHING
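The kind of look-before-you-flash review described in the post above can be done without unpacking or running anything. The following Python script is an added example, not part of the original post or of any tool named in the thread: it inventories a firmware zip and any zips nested inside it entirely in memory, records a SHA-256 for each member, and flags lines in text members that look like destructive steps. The sample archive, its file names and the keyword list are constructed assumptions.

```python
import hashlib
import io
import zipfile

MAX_DEPTH = 3                  # do not follow nested archives deeper than this
MAX_MEMBER = 64 * 2**20        # do not read members larger than 64 MiB
KEYWORDS = ("erase", "wipe", "format")   # assumed markers of destructive steps

def is_text(blob):
    """Treat NUL-free, UTF-8-decodable data as text."""
    try:
        return b"\x00" not in blob and blob.decode("utf-8") is not None
    except UnicodeDecodeError:
        return False

def inventory(data, prefix="", depth=0):
    """Return (path, size, sha256, kind, flagged_lines) per file; nothing touches disk."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in (i for i in zf.infolist() if not i.is_dir()):
            path = prefix + info.filename
            if info.file_size > MAX_MEMBER:
                rows.append((path, info.file_size, None, "too-large", []))
                continue
            blob = zf.read(info)
            nested = zipfile.is_zipfile(io.BytesIO(blob))
            kind = "nested-zip" if nested else "text" if is_text(blob) else "binary"
            text = blob.decode("utf-8") if kind == "text" else ""
            flagged = [ln.strip() for ln in text.splitlines() if any(k in ln.lower() for k in KEYWORDS)]
            rows.append((path, info.file_size, hashlib.sha256(blob).hexdigest(), kind, flagged))
            if nested and depth < MAX_DEPTH:
                rows.extend(inventory(blob, path + "!/", depth + 1))
    return rows

def build_sample():
    """Constructed stand-in for a firmware package: an outer zip holding an inner zip."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("bootloader.img", b"\x00\x01constructed-binary\xff" * 4)
        zf.writestr("steps.txt", "flash bootloader\nerase userdata\nerase cache\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("inner_0.zip", inner.getvalue())
        zf.writestr("android-info.txt", "modelid: CONSTRUCTED\ncidnum: CONSTRUCTED\n")
    return outer.getvalue()

for row in inventory(build_sample()):
    print(row)
```

The recorded hashes let two people confirm they are looking at the same members before comparing notes; the script says nothing about whether any image is validly signed.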
PWn3R said:
So the other file that I downloaded with a similar name: G-2PIMG_M1_WHL_N70_HTC_Generic_NMF26U_user_release_Radio_Not_Specify_release_493363_2 contains a _VERY_ weird set of zip files inside. Inside at least one of the zip files is a signed bootloader. There's an Android file that has model descriptor numbers that match the Pixel XL per what I found here: https://www.techwalls.com/google-pixel-pixel-xl-model-number-differences/
Inside the file that has the signed BL image is a file that contains what looks like a list of steps that tell it to wipe every partition on the device. I have no idea what program would be used to flash this firmware in the format it's in (the system image is chopped up into small chunks, and there are other oddities). I am posting the file in question on my Google Drive. Can @jcase look at this or someone who's got more knowledge than I do about how these phones work?
File can be downloaded here: https://drive.google.com/open?id=0B6BaDxaggle2YndJU2Ywd3BHRkk
FOR THE LOVE OF GOD AND ALL THAT IS GOOD, DO NOT FLASH ANYTHING FROM THIS ZIP UNTIL WE KNOW WHAT WE ARE LOOKING AT. IF YOU BRICK YOUR DEVICE, I WILL DIE LAUGHING
i tried flashing the file you uploaded* and now my phone won't turn on.. do you know why or can you fix it for me? lmao
jokes aside, thanks for looking so far into this, especially when it could have been a malicious file.
fatapia said:
i tried flashing the file you uploaded* and now my phone won't turn on.. do you know why or can you fix it for me? lmao
jokes aside, thanks for looking so far into this, especially when it could have been a malicious file.
can you go into bootloader mode? If so, try running some htc commands
lucky_strike33 said:
can you go into bootloader mode? If so, try running some htc commands
I haven't tried flashing it, I need my phone for day-to-day purposes at work so I can't risk bricking it. Only made a joke because of the necessary disclaimer
fatapia said:
I haven't tried flashing it, I need my phone for day-to-day purposes at work so I can't risk bricking it. Only made a joke because of the necessary disclaimer
Missed that joke! Lol
After looking at this a bit, I don't have a good way to figure out if this bootloader is valid, and I'm not sure I want to buy a new phone if I brick my Pixel. If this actually does work, here's what I suspect was done. The file in question (possibly the specific version this guy used, maybe even the one I downloaded) is a version of the bootloader for our phone that supports additional commands. The guy installed the other version of the bootloader, changed the CID and other information then unlocked the bootloader. If I had a pixel laying around that had a broken screen or something, I would be willing to try to do what I think needs to be done to test this. That said someone else with more expertise may know of a way to check if the bootloader image is signed or check other things. I support the Beanstalk ROM on the Nexus 6 still but have not tried to make a build for the Pixel yet. While I am capable of making that happen, I am a retard compared to @jcase and others when it comes to this stuff.
