[INFO][R&D] I9300 UART and NVDATA guide - Galaxy S III General

Over the last few weeks I have been researching how to build a cable to establish a UART connection to my I9300. This guide should work but is still work in progress. Feel free to contribute.
Info: this is a guide for the international version I9300 with the XMM6260 modem. The SGH-I747 variant uses a different baseband/modem from Qualcomm.
Warning: This guide allows you to interface your device at a very low level. You might brick your device or damage vital parts of it. A lot of this stuff is undocumented and there might be side effects. Be warned!
Short technical explanation:
By using a custom-built USB cable you can establish a serial connection to your phone. It offers a UART interface to the XMM6260/X-Gold 626 modem used in the I9300.
The longer technical explanation:
The I9300 uses a FSA9485 USB Port Multimedia Switch (https://www.fairchildsemi.com/products/analog-mixed-signal/switches/accessory-switches/FSA9485.html) behind the MicroUSB port. This IC can detect what kind of accessory is plugged into your USB port. The detection is done by a resistor wired between the GND and ID pins of the USB cable. A resistance of 523K triggers UART mode. While in UART mode the I9300 uses the D- and D+ pins of the Micro-B plug as serial TX/RX data lines.
What to do with it?
While booting you can see debugging output of the secondary bootloader (not that much though, mainly eMMC initialization). Once booted you can see modem output and send commands to it. Another option is to show "PDA" messages, but I never managed to get any output with this setting.
You can communicate with your modem using AT commands. For more information I recommend reading E:V:A's great post "[XMM6260][X-GOLD 626] Modem Specification / Documentation / Hack-Pack". While his guide focuses on the SGS2, I want to keep this guide I9300-specific.
How to build a cable?
Stuff you need:
A USB-to-serial converter supporting 3.3 V(!) TTL levels (lots of these around, check eBay or your local electronics supplier. Common chipsets are FTDI's FT232RL or Silicon Labs' CP21xx, just make sure it supports 3.3 V!)
A USB Micro-B plug (like this https://www.sparkfun.com/products/10031, or I just sacrificed a cable and soldered directly to the connector, which works too)
a resistor with 523K resistance (a close value will work)
some wires
a soldering iron
Wire it like this:
How to use it (tested with I9300XXELL4, Android 4.1.2):
Install the drivers for your USB-to-serial converter (on Linux the device will most likely be auto-detected and assigned to /dev/ttyUSB0 or similar)
On your I9300 dial *#7284# and set UART mode to "modem"
Use your favorite serial console and set the following parameters for the serial port: rate: 115200 baud, data: 8 bits, parity: none, stop bits: 1, software flow control: enable
I prefer using the screen command on Linux: screen -t 'ttyUSB0 115200 8n1' /dev/ttyUSB0 115200,-ixoff,-ixon
Now connect your UART cable to the phone (it will power up on its own due to the FSA9485 chip, no need to worry)
If you see console output like this you have got it right:
Code:
PMIC rev = PASS2(2)
BUCK1OUT(vdd_mif) = 0x05
BUCK3DVS1(vdd_int) = 0x20
[MMC] there are pending interrupts 0x00010000
cardtype: 0x00000007
SB_MMC_HS_52MHZ_1_8V_3V_IO
mmc->card_caps: 0x00000311
mmc->host_caps: 0x00000311
mmc_initialize: mmc->capacity = 30777344
�
AST_POWERON
AST_POWERON
AST_POWERON
Now you should be ready to send AT commands to your phone.
Try sending a simple "AT" and your phone should respond with "OK":
Code:
AT
OK
If everything above works you have successfully established a serial console to your baseband processor. Congratulations! Proceed to the next post for tested AT commands.
Another warning at this time: Do not send random characters/commands to your modem. This is an easy way to brick your network connection or even your entire phone.
Troubleshooting:
check the wiring, maybe you switched the TX/RX data lines
on Linux check the user rights on your /dev/ttyUSBX device; try as superuser if unsure
to be extended
Thanks to:
E:V:A for his great guides about modems/AT commands in general and the XMM6260
the Replicant project: http://www.replicant.us/
many others who gave me a hint in the right direction and whom I forgot to mention here

Supported AT commands on the I9300
Please take this warning seriously! As this is a debugging console to your baseband/modem, the wrong command can easily overwrite vital data on your phone. Think before typing!
I won't go into detail about AT command syntax here. I recommend reading the following before trying any approaches of your own:
http://en.wikipedia.org/wiki/Hayes_command_set
http://www.codeproject.com/Articles/85636/Introduction-to-AT-commands-and-its-uses
http://forum.xda-developers.com/showthread.php?p=53175152#post53175152
AT commands are modem specific. Not all commands work on all modems, but there are still some general commands working on most phones!
Working AT commands:
AT+CLAC --> gives a list of all supported AT commands, though there are more undocumented commands. Output on the I9300:
Code:
ATS
ATD
ATA
ATO
ATE
ATH
ATV
ATZ
ATl
ATm
ATQ
ATX
AT&F
AT&D
AT&C
AT\Q
AT+CGSMS
AT+CMGD
AT+CMGF
AT+CMGL
AT+CMGR
AT+CMGS
AT+CMGW
AT+CMMS
AT+CMSS
AT+CNMA
AT+CNMI
AT+CPMS
AT+CSCA
AT+CSCB
AT+CSMS
AT+XCSSMS
AT+XSMS
AT+XTESM
AT+CSDH
AT+CSAS
AT+CRES
AT+CMGC
AT+CSMP
AT+CGREG
AT+COPN
AT+COPS
AT+CREG
AT+CSQ
AT+XBANDSEL
AT+XCOPS
AT+XCSPAGING
AT+XEONS
AT+XREG
AT+XAACOPS
AT+XUBANDSEL
AT+XRAT
AT+CPLS
AT+CPOL
AT+XHOMEZR
AT+XCSQ
AT+CHUP
AT+CMOD
AT+CMUT
AT+CTFR
AT+VTS
AT+XCALLSTAT
AT+XDTMF
AT+XVTS
AT+CSTA
AT+CVHU
AT+VTD
AT+CCWE
AT+CR
AT+CRC
AT+XPROGRESS
AT+XREDIAL
AT+CAOC
AT+XLIN
AT+CCFC
AT+CCWA
AT+CHLD
AT+CLCC
AT+CLCK
AT+CLIP
AT+CLIR
AT+CNAP
AT+COLP
AT+COLR
AT+CPWD
AT+CSSN
AT+CUSD
AT+CCUG
AT+CBST
AT+CEER
AT+CGACT
AT+CGANS
AT+CGATT
AT+CGAUTO
AT+CGCLASS
AT+CGCMOD
AT+CGDATA
AT+CGDCONT
AT+CGDSCONT
AT+CGEQMIN
AT+CGEQNEG
AT+CGEQREQ
AT+CGEREP
AT+CGPADDR
AT+CGQMIN
AT+CGQREQ
AT+CGTFT
AT+XCGCLASS
AT+XDNS
AT+XGAUTH
AT+FCLASS
AT+CRLP
AT+XNVMPLMN
AT+XNVMMCC
AT+CBC
AT+CCID
AT+CCLK
AT+CFUN
AT+CGMI
AT+CGMM
AT+CGMR
AT+CGSN
AT+GSN
AT+CIMI
AT+CMEE
AT+CMUX
AT+CNUM
AT+CPIN
AT+CPWROFF
AT+CRSM
AT+CSCS
AT+CSIM
AT+CSVM
AT+CTZR
AT+CTZU
AT+IPR
AT+XCTMS
AT+XGENDATA
AT+XPINCNT
AT+XLOG
AT+XMER
AT+XSIMSTATE
AT+TRACE
AT+XL1SET
AT+XSIO
AT+XDLCTEST
AT+XPOW
AT+XCEER
AT+XEER
AT+XTRACECONFIG
AT+XMUX
AT+XFDOR
AT+XFDORT
AT+XCONFIG
AT+XAPP
AT+XHSDUPA
AT+XCAP
AT+CPIN2
AT+XDATACHANNEL
AT+CONNECTPORT
AT+CAMM
AT+CACM
AT+CCHO
AT+CCHC
AT+XCSP
AT+NEER
AT+CUAD
AT+XUICC
AT+XLEMA
AT+XSYSTRACE
AT+CLAC
AT+CPUC
AT+CLAN
AT+CGLA
AT+CRLA
AT+CPAS
AT+XSVM
AT+XNOTIFYDUNSTATUS
AT+XRXDIV
AT+XRXDIV3GRAB
AT+XMAGETKEY
AT+XMAGETBLOCK
AT+CPOS
AT+CPOSR
AT+CMOLR
AT+CMTLR
AT+CMTLRA
AT+XCPOSR
AT+XSETCAUSE
AT+XSPEECHINFO
ATV1 --> Enables verbose command results mode
ATE0 --> Turns off local echo
AT+SERIALNO=1,0 --> shows serial number
AT+CGSN --> shows IMEI
AT+XGENDATA --> shows modem version:
Code:
+XGENDATA: " SP6260_M0_MODEM_03.1241_DB121008 2012-Dec-10 11:25:46
PDB_NOT_AVAILABLE
*SP6260_M0_MODEM_03.1241*"
ATi --> shows device info:
Code:
Manufacturer: SAMSUNG
Model: I9300
Revision: I9300XXELL4
IMEI: XXXXXXXXXXXX
AT+HEADINFO=1,1 - Shows device information; the "Unique Number" is not that unique: if you copy the EFS you copy the number.
Code:
+HEADINFO:1,1,1
Model Name = GT-I9300
Country/customer = -
Customer Code = DBT
Date = -
Charger = -
S/W version = I9300XXELL4
Unique Number = CVTXXXXXXXXXXXX
Memory Name = -
Sec Code = -
AT+IMEITEST=1,0 - shows "corrupted!!" with a damaged EFS, not yet tested with a good EFS
Code:
+IMEITEST:1,corrupted!!
AT+MSLSECUR=1,0 --> Some information I found indicates this is the first security mechanism. You need to send a device-specific code to unlock write mode (AT+MSLSECUR=2,<UNLOCK CODE>). I saw examples in this form: AT+MSLSECUR=2,<SERIAL NUMBER>_<HEXADECIMAL KEY>, but was not able to generate it.
AT+AKSEEDNO=1,0 --> It seems to be a challenge/response security mechanism: you have to respond to this challenge with another AT command (AT+AKSEED=2,<RESPONSE CODE>). See the next post for details.
Code:
AT+AKSEEDNO=1,0
+AKSEEDNO:1,16799-25-329
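The exchange the two posts above describe (the bare AT probe, ATE0, ATV1 and the AT+CLAC listing), written up as an added example; this is not code from the posts, and the modem replies it ships with are a constructed stand-in so it runs offline. Against the real cable you would hand ATClient a pyserial port (serial.Serial("/dev/ttyUSB0", 115200, timeout=2) is the assumed call; the posts only show screen). The client refuses to send anything that is not an AT command, since the posts warn that stray bytes on this console can do damage.

```python
"""AT command client with response parsing for the XMM6260 UART console."""
import re


class ATError(Exception):
    """Final error result (ERROR, +CME ERROR, ...) or no answer at all."""


class ATClient:
    # Final result codes in verbose (ATV1) form; ATV0 numeric codes are not handled,
    # which is why supported_commands() sends ATV1 before anything interesting.
    _ERROR_RESULTS = ("ERROR", "+CME ERROR", "+CMS ERROR",
                      "NO CARRIER", "BUSY", "NO ANSWER", "NO DIALTONE")
    _SAFE_COMMAND = re.compile(r"AT[ -~]*", re.IGNORECASE)   # printable ASCII only

    def __init__(self, port):
        self.port = port        # anything with pyserial-style write()/read(n)
        self.echo = True        # assume ATE1 until ATE0 succeeds

    def _readline(self):
        """One line; the modem terminates lines with CR, LF or CRLF."""
        buf = bytearray()
        while True:
            b = self.port.read(1)
            if not b:
                raise ATError("timeout waiting for modem response")
            if b in (b"\r", b"\n"):
                return bytes(buf).decode("ascii", errors="replace").strip()
            buf += b

    def command(self, cmd):
        """Send one command and return its information lines (final OK stripped)."""
        if not self._SAFE_COMMAND.fullmatch(cmd):
            raise ValueError(f"refusing to send non-AT data: {cmd!r}")
        self.port.write((cmd + "\r").encode("ascii"))
        expect_echo = self.echo
        info = []
        while True:
            line = self._readline()
            if not line:
                continue                          # blank separator lines
            if expect_echo and line.upper() == cmd.upper():
                expect_echo = False               # the echoed command, not data
                continue
            if line == "OK":
                break
            if line.startswith(self._ERROR_RESULTS):
                raise ATError(f"{cmd}: {line}")
            info.append(line)
        if cmd.upper() == "ATE0":
            self.echo = False
        elif cmd.upper() == "ATE1":
            self.echo = True
        return info


def supported_commands(port):
    """The handshake from the posts: AT -> OK, echo off, verbose results, then AT+CLAC."""
    client = ATClient(port)
    client.command("AT")
    client.command("ATE0")
    client.command("ATV1")
    return client.command("AT+CLAC")


class FakeModem:
    """Constructed stand-in for the serial port: answers the way the posts show."""
    CLAC_SUBSET = ["ATE", "ATV", "AT+CLAC", "AT+CGSN", "AT+XGENDATA"]   # a few entries from the post

    def __init__(self):
        self._rx = b""
        self.echo = True

    def write(self, data):
        cmd = data.decode("ascii").strip().upper()
        if self.echo:
            self._rx += data                      # ATE1: modem echoes the command bytes
        self._rx += self._respond(cmd)
        return len(data)

    def read(self, n=1):
        chunk, self._rx = self._rx[:n], self._rx[n:]
        return chunk

    def _respond(self, cmd):
        if cmd in ("AT", "ATV1"):
            return b"\r\nOK\r\n"
        if cmd == "ATE0":
            self.echo = False
            return b"\r\nOK\r\n"
        if cmd == "AT+CLAC":
            body = "".join(f"\r\n{c}" for c in self.CLAC_SUBSET)
            return (body + "\r\n\r\nOK\r\n").encode("ascii")
        return b"\r\nERROR\r\n"


if __name__ == "__main__":
    print("\n".join(supported_commands(FakeModem())))
```

The echo handling matters for AT+CLAC in particular: the listing contains the string "AT+CLAC" itself, so a client that blindly drops every line equal to the command would lose that entry; the client only drops the first such line, and only while it still believes echo is on.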

Some related technical info
EFS:
The modem stores its settings in your /efs partition (mmcblk0p3), more precisely in the nv_data.bin file. It might be wise to make a backup. (More information on EFS)
Modem Firmware:
Your modem runs a real-time operating system (RTOS) named ThreadX. It is stored in modem.bin and different versions can be flashed with Odin.
The ServiceMode.apk application talks directly to the modem RTOS.
AKSEED
This seems to be a challenge-response security algorithm. Maybe somebody has a clue, as I would love to find out how it works.
I have collected some AKSEED examples from the web:
Challenge: 29987-125-1427 - Correct response: 16096-95-115
Challenge: 8299-182-209 - Correct response: 7928-94-124
Challenge: 767-207-25 - Correct response: 309-93-128

nv_data.bin
If you attempt to change nv_data.bin within Android it will get restored from .nv_data.bak and .nv_core.bak. It is protected by a special MD5 hash which is stored in nv_data.bin.md5/.nv_data.bak.md5/.nv_core.bak.md5. The MD5 hash is generated from nv_data.bin, but cannot be generated using a normal MD5 algorithm. If no backup is present a default nv_data.bin is created.
I assume the ril-daemon is responsible for checking the checksum and restoring the backup.
There are some offsets of interest in nv_data.bin (just assumptions, they may differ on some modem firmwares):
I believe the modem-settings-related part starts at offset 0x180000 with the string "SSNV".
0x181469 - Network Lock (I think it is 5 bytes starting from 0x181469: Network Lock, Subset Network Lock, SP Lock, CP Lock, Data Lock)
0x18800F-0x188011 - Product Code (DBT,XEO,etc.)
0x188021-0x188023 - Product Code (DBT,XEO,etc.)
0x18815F-0x188165 - Serial Number
0x194004-0x194023 - Modem Version
0x194049-0x194053 - Firmware Version (I9300XXELL4,I9300XXDLIB,etc.)
0x18146e, 0x18148e, 0x1814ae, 0x1814ce, 0x1814ee - 5 times the same value, most likely a hash of the unlock code. The hashes are separated by 0x4A. The hash is generated differently than on the SGS2 - see here
If anybody has further information regarding offsets, stored data and used encryption please post here or contact me!

MD5 generation: (cat nv_data.bin; echo -n Samsung_Android_RIL) | md5sum
EDIT: echo -n, not echo - n
Sent from my GT-I9305 using XDA Free mobile app

.NetRolller 3D said:
MD5 generation: (cat nv_data.bin; echo - n Samsung_Android_RIL) | md5sum
Sent from my GT-I9305 using XDA Free mobile app
Nice one... but you have to stop the ril-daemon on the device before replacing it, or it will revert to the nv_data.bin from the backup:
Code:
stop ril-daemon
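The offsets listed in the nv_data.bin post above and the salted MD5 from the two posts just above, put together in one added example; this is not code from the posts. The offsets are the ones the post itself marks as assumptions, the salt is the one shown in the md5sum pipeline, and build_sample_nv() constructs a blank image with only those fields populated so the example runs without a real /efs dump. NV_SIZE (2 MiB) and UNLOCK_HASH_LEN are assumptions the posts do not state.

```python
"""Read the nv_data.bin fields listed in the post and check its RIL MD5."""
import hashlib
import hmac

NV_SIZE = 0x200000                    # assumed image size
RIL_MD5_SALT = b"Samsung_Android_RIL"  # appended before hashing, per the md5sum pipeline

# Offsets from the post ("just assumptions, may differ on some modem firmwares").
OFF_SSNV = 0x180000                   # "SSNV" marker, start of the modem-settings part
OFF_LOCKS = 0x181469                  # 5 bytes: network, subset, SP, CP, data lock
OFF_UNLOCK_HASH = [0x18146E + 0x20 * i for i in range(5)]   # 0x18146e ... 0x1814ee
OFF_PRODUCT_CODE = (0x18800F, 0x188021)   # 3 bytes each (DBT, XEO, ...)
OFF_SERIAL = 0x18815F                 # 7 bytes (0x18815F-0x188165)
OFF_MODEM_VERSION = 0x194004          # 32 bytes (0x194004-0x194023)
OFF_FW_VERSION = 0x194049             # 11 bytes (0x194049-0x194053)
UNLOCK_HASH_LEN = 16                  # assumed; the post gives the spacing, not the length
LOCK_NAMES = ("network", "subset", "sp", "cp", "data")


def _text(data, off, n):
    """ASCII field of at most n bytes, stopped at the first NUL."""
    return data[off:off + n].split(b"\0", 1)[0].decode("ascii", errors="replace")


def parse_nv(data):
    """Pull the fields the post describes out of a raw nv_data.bin image."""
    if len(data) != NV_SIZE:
        raise ValueError(f"unexpected nv_data.bin size {len(data):#x}, want {NV_SIZE:#x}")
    hashes = [data[o:o + UNLOCK_HASH_LEN] for o in OFF_UNLOCK_HASH]
    return {
        "ssnv_ok": data[OFF_SSNV:OFF_SSNV + 4] == b"SSNV",
        "locks": dict(zip(LOCK_NAMES, data[OFF_LOCKS:OFF_LOCKS + 5])),   # raw bytes, not interpreted
        "unlock_hash": hashes[0].hex(),
        "unlock_hash_copies_agree": all(h == hashes[0] for h in hashes),
        "product_code": tuple(_text(data, o, 3) for o in OFF_PRODUCT_CODE),
        "serial": _text(data, OFF_SERIAL, 7),
        "modem_version": _text(data, OFF_MODEM_VERSION, 32),
        "firmware_version": _text(data, OFF_FW_VERSION, 11),
    }


def ril_md5(data):
    """The digest the RIL checks: MD5 over the whole file followed by the salt,
    i.e. (cat nv_data.bin; echo -n Samsung_Android_RIL) | md5sum."""
    h = hashlib.md5()
    h.update(data)
    h.update(RIL_MD5_SALT)
    return h.hexdigest()


def md5_matches(data, stored):
    """Compare against the contents of nv_data.bin.md5 (hex digest, maybe with a newline)."""
    return hmac.compare_digest(ril_md5(data), stored.strip().lower())


def build_sample_nv():
    """Constructed image: zeros except the fields above. Not a real dump."""
    img = bytearray(NV_SIZE)
    img[OFF_SSNV:OFF_SSNV + 4] = b"SSNV"
    img[OFF_LOCKS:OFF_LOCKS + 5] = bytes([1, 0, 0, 0, 0])
    for off in OFF_UNLOCK_HASH:
        img[off:off + UNLOCK_HASH_LEN] = bytes(range(0x10, 0x10 + UNLOCK_HASH_LEN))
    for off in OFF_PRODUCT_CODE:
        img[off:off + 3] = b"DBT"
    img[OFF_SERIAL:OFF_SERIAL + 7] = b"RF12345"                       # placeholder serial
    img[OFF_MODEM_VERSION:OFF_MODEM_VERSION + 23] = b"SP6260_M0_MODEM_03.1241"
    img[OFF_FW_VERSION:OFF_FW_VERSION + 11] = b"I9300XXELL4"
    return bytes(img)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_nv()
    for key, value in parse_nv(data).items():
        print(f"{key}: {value}")
    print("ril_md5:", ril_md5(data))
```

Run it with a copy of nv_data.bin as the argument and compare the printed ril_md5 with the contents of nv_data.bin.md5 (or call md5_matches); if you have edited the file, the digest you write back to the .md5 file must be recomputed the same way, and the ril-daemon must be stopped first as the reply above says, or the backup copy wins.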

The data at 0x180004 to 0x180033 in nv_data.bin seems to be related to the AT+MSLSECUR command:
AT+MSLSECUR=1,0 on a phone with an undamaged /efs responds with the serial number:
Code:
AT+MSLSECUR=1,0
+MSLSECUR:1,RFXXXXXX
If you copy these offsets from an undamaged /efs to another phone the data comes out scrambled:
Code:
AT+MSLSECUR=1,0
+MSLSECUR:1,��Lb�šV��Ƨo~
If you edit these offsets to all "FF"s:
Code:
AT+MSLSECUR=1,0
+MSLSECUR:1,0000000000
So I assume it is somehow encrypted with the serial number or another physical(?) unique identifier.

AT+EGMR command
Does the AT+EGMR command work?

Related

[CLOSED] - [ROM] [HP iPAQ hw6900] [WWE] WM6.1 build 21057

English project closed.
hi
Will it work on the HP hw6910?
Hello everyone.
Is this ROM real?????
zbebus
Yes. BUT! not now. Right now the ROM only works with this bootloader version.
because I have a 6915 with this boot =P
Then I'll tell those who have a different version what to do
PS We will also work on the "NO GSM" problem
can't wait, I'll beta test for sure
I have the G.39 bootloader, and also suffer from the "no GSM" issue.
At the moment the device is sitting in a drawer getting rather lonely!
I don't care if it bricks the hw6915, it's been sitting in the drawer for over a year!!
Is this rom for G3 or G4 flash models?
I can confirm the flash works on 6955 series phones
some instructions....
Well, there are links to the files in the 4pda forum at the top.
One BIG CAVEAT, as Vervol stated, is:
Vervol said:
Yea. BUT! not now. Now only rom work with this [vG. 39] bootloader version.
First the warnings and then the steps.
Warning:
Steps confirmed to work using Windows XP on a G4-based flash device; if you're not sure, look it up on your device:
Start/System/HP Asset Viewer/
under the heading "Flash Chip Type"
If you have any other flash chip type it is not confirmed to work and may render your PDA inoperable.
Steps:
1. Put the PDA into bootloader mode: hold the two buttons next to Send and End + power + push the reset button with the stylus
(with ActiveSync running) extract the SPL vG.39.7z file and double-click "Command Prompt"
2. Then type in:
Code:
pdocwrite spl -n0 -b 0x20000 0 0x80000
wait till it's done
3. Double-click the ActiveSync logo in the taskbar and make sure to disable the USB connection to the device.
4. Extract the 6915_ENG.7z file and run the Sable_RUU.exe file; by now it should start flashing....
5. When it has finished flashing, double-click ActiveSync again and re-enable USB connections, and that's it.
Experience so far...
NOTE: These files only flash the OS, so they won't affect those with the NO-GSM problem.
So, in order to get more people to try this, I'd like to share what I've tried so far:
What works:
Phone: sending and receiving calls
SMS: sending and receiving messages
Wifi: connects to open networks, WEP, and WPA/WPA-PSK (though there is a known bug with WEP and WPA in WM6.1; right now a workaround is switching wifi on and off really quickly, and it connects fine without using the Odyssey Access Client), but other than that it works normally. A possible patch could fix this, but I haven't tested it yet.
Camera: takes both photos and video
Notes: the audio note recording feature works.
What doesn't work:
GPS: I haven't managed to get this working so far, but it might just be an issue with settings (the program I tried was Garmin Mobile XT)
MMS: I can't seem to find the feature in the messaging app.
Bluetooth: profiles are missing so I can't properly pair with devices. EDIT: I tried this again and managed to pair with a headset
Haven't tried:
Tethering: since I don't have a data plan with my provider, it doesn't allow me to use GPRS/EDGE except to check account information in the mobile browser, unless I buy a 24-hour package in bulk, so I haven't tested this.
....But I did manage to make a GPRS connection to check my account info.
OK, good luck everyone
Is this ROM multilanguage? Does it have Spanish?
Great news, I hope this project gets more stable and we can upgrade our old HP 6915s
tOz666 said:
Is this ROM multilanguage? Does it have Spanish?
It's in English; it does support changing the basic regional settings like before... but I am sure the possibility of other languages is more likely once more people start getting involved with dissecting the ROM in kitchens.
Please can you upload to some service available outside Russia ?
Thanks
dreamH6 said:
Please can you upload to some service available outside Russia ?
Thanks
Uploaded it [here]
ROM + SPL
Spiaatie said:
Uploaded it [here]
ROM + SPL
Thanks a lot, but... I have a G3 flash and 0.38 bootloader....
Has anyone tested it on this version?
I am not sure it would be compatible
OK... did more testing of Bluetooth devices, and it does pair with headsets
I figured I would post some stuff from the asset viewer of before and after, and to see if people have the same version:
before is linked here
AFTER:
Memory
System ROM Size : 128MB
System RAM Size : 64MB
ROM Is Flash : Yes
Flash Chip Type : G4
Flash Block Size : 256KB
PSM Driver Version : N/A
Version
Product Revision Level :
ROM Date : 06/02/12
ROM Revision : 1.21UK.00 ENG
Extended ROM Version : N/A
OS Version : Windows CE 5.2
Bootloader Version : G.39
XIP Version : 1.0.0.0
Display
Color : No
Horizontal Pixels : 240
Vertical Pixels : 240
Color Depth : 65536
Display Type : TFT
Panel ID : 0
System
Manufacturer : Hewlett-Packard Company
Product ID : 414750-001
Model ID : hp iPAQ hw6955
Processor Type : PXA270-416MHz
Processor Revision : C5
Language : ENGLISH
UUID: -x-------------------
Camera
Module Present : Yes
Hardware Revision : 9650
Hardware Driver Version : 0.8.0
Software Driver Version : 4.1.0
Software Version : 1.0.21
Camera API Interface Version : 1.0.7
Camera Information : 1.3 MP 8X Zoom
Bluetooth
Radio Present : Yes
Firmware Version :
Hardware Revision :
Driver Version : 1.7.1.6700
Software Version : 1.7.1.6700
MAC Address : ---------------
Wi-Fi
Radio Present : Yes
Firmware Version : (missing)
Hardware Revision : (missing)
Driver Version : 1.00.00
Software Version : 2.0.53
IP Address : -----------------
MAC Address : -----------------
GSM
Radio Present : Yes
N/A
N/A
N/A
N/A
N/A
IMEI Number : --------------------
GPS
GPS Present : Yes
Status : N/A
Manufacturer : Global Locate
Revision Level : N/A
Driver Version : 2.00
Firmware Version : 4.1099.123.0
Software Version : 0.14.2214.0
jambongo said:
[quotes the warning and steps from the post above]
Hi Jambongo! Can you please tell me whether the second half of step 1 and the whole of step 2 are only for upgrading the bootloader, or is it some sort of patch for the bootloader? Also please advise what the code instruction is all about. Is it the same code for all iPAQ 6900 series? And finally, did you manage to get the GPS running again? If so, I might just give it a go too.. Thanks a lot
Best regards,

[JTAG] Gene JTAG 100% WORKING BY GURU SINGH BRAR

GENE JTAG 100% WORKING FOR DEAD HTC GENE,
ALSO KNOWN AS HTC P4300/3400i
USE THIS METHOD AT YOUR OWN RISK
I successfully restored my Gene with this method, then I decided to make this guide for those people who are paying for JTAG.
1. If you use these instructions with unsteady hands you risk permanently killing your device at the hardware level.
2. If you are unsure of your skills, give the unit to a repair technician.
3. All claims about the consequences of using this procedure go straight to the bin without consideration!!
The technique is based on the Wizard recovery method: executable bootloader code is loaded into RAM through JTAG and control is transferred to it.
As a result you get a temporarily working bootloader, and from it you perform a complete flash of the device (bootloader + system).
Requirements:
1. 5 resistors of 100 ohm, ¼ W (the color code may differ but the value must be the same)
2. A 25-pin LPT port cable (old printer cable)
3. Wires for the JTAG interface MUST not be longer than 20-25 cm.
4. Soldering iron skills
5. H-JTAG software, included in the gene_jtag_restore.zip file.
6. NoICE software, included in the gene_jtag_restore.zip file.
7. spl.nb - binary file with the patched bootloader for OLD/NEW Gene, in gene_jtag_restore.zip.
8. ruu_signed.nbh - OLD/NEW Gene base ROM with IPL and patched SPL, in gene_jtag_restore.zip.
9. Download the gene_jtag_restore.zip file for later use.
Prepare your phone:
First of all, to disassemble your device look at this site:
http://www.pdacenter.ru/razborka/razbor_htc_3400_gene/
Or some screenshots here..
The TDI, TDO, TCK, TMS and nTRST pins on the board, called the JTAG pins, are located near the phone's green lights.
Now solder the wires onto the board very carefully, otherwise you will damage your hardware.
Prepare your LPT cable:
Use the diagram to build the LPT (parallel port) cable for JTAG.
You need a port on the computer called the LPT port; if it is absent (for example on some laptops) a PCMCIA LPT card can be used.
It looks like this....
Done. Now connect your Gene with this LPT port cable, or you can call it the JTAG cable.
Twist the wires around each other neatly and use tape to cover the joints...
Done...
Prepare the H-JTAG software:
1. Install and open H-JTAG.
2. Make some settings like this...
1) In Tap Configuration it should be like this.
2) In Target Manager the settings should be like this.
3) In LPT JTAG Setting it should be like this, and the nTRST checkbox must be clear. The User Define Pin Assignment should be the same as in the picture.
Test that the H-JTAG software connects to your device:
Before going further you must have a fully charged battery for your Gene..
Now put it in your Gene and go to the next step..
1. Set up H-JTAG.
2. Press and hold the Power and Camera buttons for 5 seconds. If the device is powered from the power supply, it is activated.
3. In H-JTAG press Detect Target. Our processor with ID 0x0692602F should be detected.
Are you seeing this..
Done. Half the work is completed...
Now set up the NoICE software:
1. Install the NoICE software on your PC.
2. Open NoICE and set it up with the H-JTAG software (that is, connect both programs to each other; we will use this later).
3. Choose Options - Target Communications.
4. Select the RDI interface.
5. Point it to the H-JTAG.dll for RDI.
6. Enter the frequency of the processor (specify 200).
See the picture and do the steps mentioned above..
7. Then click OK and close the NoICE program.
8. Done...
Now play the game...
1. Prepare the dead device for restore.
2. Connect the LPT JTAG cable to the LPT port of your PC (or it is already connected).
3. Start H-JTAG (the settings for the processor are given above).
4. Turn on the device: press and hold the Camera button and POWER.
5. In H-JTAG perform Detect Target: it should identify the processor with the correct ID (0x0692602F).
You see this..
6. Run NoICE; if everything is normal, the program above should be at address 0000 and you see ARM code.
7. If you have a NEW Gene create a folder NEWGENE in C:\ (root) without any spaces, for example C:\NEWGENE. Copy spl.nb and ruu_signed.nbh from the "for new Gene (SN - HT8x)" folder included in gene_jtag_restore.zip into this NEWGENE folder, and also copy the full RomUpdateUtility into this folder.
OR
8. If you have an OLD Gene create a folder OLDGENE in C:\ (root) without any spaces, for example C:\OLDGENE. Copy spl.nb and ruu_signed.nbh from the "for new Gene (SN - HT7x)" folder included in gene_jtag_restore.zip into this OLDGENE folder, and also copy the full RomUpdateUtility into this folder.
Next, consider the following illustration and use the steps below the picture..
1. First, necessarily, tick Load as binary image.
2. Specify the load address in RAM: 10000000 (check it carefully).
3. Choose the bootloader file spl.nb to load from the folder.
4. Choose this file from the NEWGENE folder if your Gene is new.
Or
5. Choose this file from the OLDGENE folder if your Gene is old.
6. Press OK and you see a loading progress bar (it is necessary to wait some time).
7. As soon as it is filled with the file, choose the View menu item and the Disassemble at... submenu.
8. The address to specify is 10000000.
9. Press OK and you see ARM code; if all is well and the file is loaded, the first instruction should be EA0003FE.
6. Press and hold the Camera button, and in the program menu press RUN and the Go FROM... submenu.
7. Specify 10000000 as the address and press OK....
8. The device must come up in bootloader mode.
9. If your device boots into bootloader mode, the Camera and Power buttons can now be released..
Now flash the device with the boot ROM
1. Now connect USB and flash with the ruu_signed.nbh file from the OLDGENE/NEWGENE folder, depending on your Gene model..
2. You can now remove the JTAG and reassemble your phone.
3. Then flash a good (cooked) ROM, and no stock ROM please.. it will kill it again...
DOWNLOAD: gene_jtag_restore.zip
Good bye.....
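The "first instruction should be EA0003FE" check from the NoICE step above, done by decoding the word instead of eyeballing it. This is an added example, not part of the guide or of the gene_jtag_restore.zip tools. It assumes the ARM core runs little-endian, so the first four bytes of spl.nb are the first instruction at the load address, and it decodes that word as an ARM B/BL instruction to show where control goes after "Go FROM 10000000". SAMPLE_SPL_HEADER is constructed: only its first word comes from the guide.

```python
"""Decode the first ARM instruction of a bootloader image loaded at 0x10000000."""
import struct

LOAD_ADDR = 0x10000000           # RAM address the guide loads spl.nb to
EXPECTED_FIRST_WORD = 0xEA0003FE  # what the guide expects NoICE to disassemble there
_COND = ["EQ", "NE", "CS", "CC", "MI", "PL", "VS", "VC",
         "HI", "LS", "GE", "LT", "GT", "LE", "", ""]   # index 14 = AL, no suffix


def decode_branch(word, pc):
    """Decode an ARM B/BL (bits 27-25 = 101, bit 24 = L, 24-bit signed word offset).
    Returns (mnemonic, absolute target) or None if the word is not a branch."""
    if (word >> 25) & 0b111 != 0b101:
        return None
    cond = word >> 28
    if cond == 0xF:               # 1111 101x ... is BLX(immediate), not a plain branch
        return None
    link = (word >> 24) & 1
    imm24 = word & 0xFFFFFF
    if imm24 & 0x800000:          # sign-extend the 24-bit field
        imm24 -= 1 << 24
    target = (pc + 8 + (imm24 << 2)) & 0xFFFFFFFF   # PC reads as this instruction + 8
    return ("BL" if link else "B") + _COND[cond], target


def check_spl_image(image, load_addr=LOAD_ADDR):
    """Report the first word of a raw image and, if it is a branch, where it goes."""
    if len(image) < 4:
        raise ValueError("image shorter than one ARM instruction")
    word = struct.unpack_from("<I", image, 0)[0]      # little-endian, assumed
    branch = decode_branch(word, load_addr)
    return {
        "word": word,
        "matches_guide": word == EXPECTED_FIRST_WORD,
        "mnemonic": branch[0] if branch else None,
        "target": branch[1] if branch else None,
    }


# Constructed header: the guide's expected first word followed by zero padding.
SAMPLE_SPL_HEADER = struct.pack("<I", EXPECTED_FIRST_WORD) + b"\0" * 12

if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_SPL_HEADER
    r = check_spl_image(image)
    state = "matches" if r["matches_guide"] else "differs from"
    print(f"first word {r['word']:08X} ({state} the guide)")
    if r["mnemonic"]:
        print(f"{r['mnemonic']} -> {r['target']:#010x}")
```

Run against your own spl.nb (python check.py spl.nb) before the Go FROM step. EA0003FE decodes as an unconditional B to 0x10001000, so the word the guide asks you to look for is simply a jump over the first 4 KiB of the image to the real entry point; seeing anything else at 10000000 means the file did not land where Go FROM expects it, or the wrong file was loaded.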
That's a step-by-step guide on JTAG for newbies
Hi Guru,
You have done an awesome compilation. You have really made a step-by-step guide to JTAG for newbies. I would like to thank you for your valuable work. And I would also like to thank the members of XDA-Developers -
Orefkov, BesFen, Krazy_about_technology, Addicted2xda, Vaibhav_batra_the_techguy, haree, karan999, sumeet922, gurusinghbrar and so on...
for their valuable work on HTC Gene - JTAG Recovery & ROM Development.
Last but not the least... Keep it up, Guru. I give you Lots of Applause for this Post.
Moderators can you make this post Sticky... Its a request, Please.Thanks to XDA-Developers for giving such a team support.
Awesome !!!!!!!!!!!!!!!! great work.thanks for sharing.
thanks for sharing
Help us to start a dead p3400i
Please tell me the location of the bootloader file; you have mentioned (sspl-s_wizard.nb) in the bitmap.. I am unable to find the bootloader.. for loading.
Thanks for the solution........but accidentally my phone's TDI pin has been damaged..........please tell me any solution for tracing or cloning the TDI pin.
Help please!!!!
I have bricked my HTC Gene while flashing it with an official ROM
I went through your step-by-step instructions for unbricking with JTAG
but the main problem is I use a netbook and it does not have the printer port
I have even sent the phone for service and it was useless
This phone is very dear to me and I can't see it just lying there. Please suggest an alternative method; I'm also willing to send the phone to you if you will help me unbrick it
gurusinghbrar said:
GENE J-TAG 100% WORKING FOR DEAD HTC GENE,
ALSO KNOWN AS HTC P4300/3400i
USE THIS METHOD YOUR OWN RISK
I Successfully Restore My Gene With This Method, Then I Decide To Make This Guide For Those People Who Are Paying For J-TAG.
1. Using this instruction at a certain curvature of the hand you risk permanently kill your machine at the hardware level.
2. If you are unsure of their skills, give the unit for repair technician.
3. All claims for the consequences of using this algorithm are sent to the basket without consideration!!
The technique is based on the recovery Wizard'a loaded through the JTAG bootloader executable code into RAM and transfer control to it.
As a result, you get a temporary working bootloader, and from it produces a complete firmware device (bootloader + system )
Requirement For Do This:-
1. 5 resistors of 100 ohm ¼ value (color code can be change but value has same)
2. 25-pin LPT Port (old printer cable)
3. Wires for JTAG interface MUST not be longer 20 - 25 cm.
4. A soldering Iron Skill
5. Software H-JTAG included in gene_jtag_restore.zip file.
6. Software NoIce included in gene_jtag_restore.zip file.
7. spl.nb – bin file with patched bootloader for OLD/NEW GENE in gene_jtag_restore.zip file.
8. ruu_signed.nbh – OLD/NEW Gene base ROM with IPL and patched SPL in gene_jtag_restore.zip.
9. Download The gene_jtag_restore.zip file For Later Use.
Prepare Your Phone:
First of all To dissasemble Your device look at this site
http://www.pdacenter.ru/razborka/razbor_htc_3400_gene/
Or Some Screen shot hare..
You see these TDI,TDO,TCK,TMS,nTST Pins on board called JTAG Pin reside on your phone green litghts.
Now Solder The Wire On Borad With Very Carefully.. Otherwise it Damage Your Hardware
Prepare Your LPT Cable:
Use the diagram for Creating LPT (Parallel Port) Cable For JTAG.
You Need a port on the computer called LPT Port, in its absence (for example on some laptops) may be used PCMCI LPT.
It Look Like This....
Done,, Now Connect Your Gene With This LPT Port Or You Can Say JTAG Cable
Twist the wire each other perfectly and use the tape for cover the joints...
Done...
Prepare H-JTAG Software:
1. Install And In H-JTAG.
2. Do Some Setting Like Like This...
1) In tap configuration should be this.
2) In Target Manager setting should be this.
3) In LPT JTAG Setting should be this, and nTRST checkbox must be clear. And User Define Pin Assignment Should Same As Like in The Picture.
Test that the H-JTAG software is connecting to your device:
Before going to the next step you must have a fully charged battery for your Gene.
Now put it in your Gene and go to the next step.
1. Set up H-JTAG.
2. Press and hold the Power and Camera buttons for 5 seconds. If the device is powered through the power supply, it is activated.
3. In H-JTAG press Detect Target. Our processor with ID 0x0692602F should be detected.
Are you seeing this?
Done. Your first half is completed.
Now set up the NoICE software:
1. Install the NoICE software on your PC.
2. Open NoICE and set it up with the H-JTAG software (meaning connect both programs to each other; this will be used later).
3. Choose Options - Target Communications.
4. Select the RDI interface.
5. Indicate where the H-JTAG.dll for RDI is.
6. Put in the frequency of the processor (specify 200).
See the picture and do the above-mentioned steps.
7. Then click OK and close the NoICE program.
8. Done.
Now play the game:
1. Prepare the dead device for restore.
2. Connect the LPT JTAG cable to the LPT port of your PC (or it is already connected).
3. Start H-JTAG (the settings for the processor are given above).
4. Turn on the device: press and hold the Camera button and POWER.
5. In H-JTAG perform Detect Target Device; it should detect the processor with the correct ID (0x0692602F).
You see this:
6. Run NoICE. If everything is normal and right as described above, the program should be at address 0000 and you see ARM code.
7. If you have a NEW Gene, create a folder NEWGENE in C:\ (root) without any spaces, for example C:\NEWGENE. Copy spl.nb and ruu_signed.nbh from the "for new Gene (SN - HT8x)" folder included in gene_jtag_restore.zip into this NEWGENE folder, and also copy the full RomUpdateUtility into this folder.
OR
8. If you have an OLD Gene, create a folder OLDGENE in C:\ (root) without any spaces, for example C:\OLDGENE. Copy spl.nb and ruu_signed.nbh from the "for new Gene (SN - HT7x)" folder included in gene_jtag_restore.zip into this OLDGENE folder, and also copy the full RomUpdateUtility into this folder.
Next, consider the following illustration, and use the steps below the picture.
1. First, necessarily put a tick on Load as binary image.
2. Specify the loading address in RAM: 10000000 (check it carefully).
3. Choose the bootloader file to load, spl.nb, from the folder.
4. Choose this file from the NEWGENE folder if your Gene is new.
Or
5. Choose this file from the OLDGENE folder if your Gene is old.
6. Press OK and you will see a loading progress bar (it is necessary to wait some time).
7. As soon as it is filled with the file, choose the View menu item and the Disassemble at... submenu.
8. The address to specify is 10000000.
9. Press OK and you will see ARM code; if all is well and the file is loaded, the first command should be EA0003FE.
6. Press and hold the Camera button, then in the program menu press RUN and the Go FROM... submenu.
7. Specify 10000000 as the address and press OK.
8. The device must run in bootloader mode.
9. If your device boots into bootloader mode, the Camera and Power buttons can now be released.
Now flash the device with the boot ROM
1. Connect to USB and flash with the ruu_signed.nbh file from the OLDGENE/NEWGENE folder, depending on your Gene model.
2. It is possible to remove the JTAG and reassemble your phone.
3. Further, flash with a good (cooked) ROM and no stock ROM please; it'll kill it again.
DOWNLOAD: gene_jtag_restore.zip
Good bye.
Dude, I'm a bit confused about the connection of the wire to the LPT port. The diagram image here on this page is different, and the diagram image in gene_Jtag_restore.rar is different, so please help me with which connection I should use for my restore process. Reply.
Thanks in advance
Haha
lol nobody gives a fukc
Btw, is it something like a USB jig?
THANKS
Thanks, this will help me with my dad's old phone.

[R&D] Hacking the Huawei E589 (4G LTE Mobile Router)

NOTE: This is the same as the Vodafone R210.
Someone handed me a Huawei E589u-12 Mobile 4G LTE WiFi Router, so I thought
I'd have a look at the firmware. However, I was not able to find any firmware
for this device, so I started looking at firmware for similar devices such as
the E5776 and the E392. The only one I found something for, was the E392u-92.
I looked inside and found some undocumented proprietary Huawei/Qualcomm AT
commands. They're listed in the next posts.
So I'm just posting some of my findings here, so don't expect any major events here.
But most importantly: DO NOT ask for device unlocking codes!
(I don't have the new Huawei unlock algorithm and neither the software.)
The devices mentioned above should use the following Qualcomm modems:
Code:
E589u-12   MDM9200  (WiFi)
E392u-92   MDM9200  (USB dongle)
E5776u-72  MDM9615  (150 Mbps + voice capability)
Then after first having installed the device drivers (in Windows), I used the DC-unlocker (Client 1.00.1034) tool.
From that I got the following information:
Code:
--------------------------------------------------------
Found modem          : E589u-12
Model                : Huawei E589
IMEI                 : 86303001*******
Serial NR.           : P2T7NB929*******
Firmware             : 11.433.13.00.01
Compile date / time  : Jun 18 2012 13:27:56
Hardware ver.        : CL1E589M22
Chipset              : Qualcomm MDM9200
NAND Flash           : TC58NYG1S3C
SIM Lock status      : unlocked
Wrong codes entered  : 10 (unlock attempts left : 0)
--------------------------------------------------------
AFAIK the DC-unlocker is just connecting to the modem via the AT command interface,
and querying the various info from a set of AT commands (ATCs).
Some additional info:
Code:
FCCID (http://transition.fcc.gov/oet/ea/fccid/): QISE589U-512 (https://apps.fcc.gov/oetcf/eas/reports/ViewExhibitReport.cfm?mode=Exhibits&RequestTimeout=500&calledFromFrame=N&application_id=285796&fcc_id=QISE589U-512)
Battery: Huawei HB5P1H 3.7V, 3000 mAh, Li-Polymer
USB-ID:  12d1:1f01
Modem:   Qualcomm MDM9200
RF:      Qualcomm RTR8600
PMIC:    Qualcomm PM8028
Wifi:    Qualcomm WCN1314
So why bother with all this? Perhaps to answer:
Where can we get and download the firmware?
Answer: We can't! We have to extract it...
How can we manually update the FW?
Answer: Get the FW first and I'll show you...
Can we use standard Qualcomm tools like QPST/QXDM with this?
Answer: YES!
What other hidden ATC's are available?
Answer: See Post#2.
What is the new Huawei router unlock algorithm?
Answer: It's secret, so that greedy people can make $$$.
Apparently this device firmware is based on Qualcomm Gobi, and thus we may find some clues in those repositories.
Certainly the Qualcomm MSM Interface (QMI) documents are all available there as well...
If you want to play with this device, you'll need to install the device drivers. The easiest way is probably to install
Huawei's Mobile Partner (Windows) application or, to avoid bloatware, use only the drivers in Huawei Drivers (4.25.18).
I have no idea where the hell Huawei keep all their software,
or if there's a better way. Perhaps by just extracting the application and just using the drivers. Then you should be able to
use any terminal program to connect with. I use RealTerm or Putty, but you can also use the online
Java AT command tester/terminal.
For a complete bunch of useful Windows utilities, see post#12 to download the Huawei Modem HackPack.
After connecting to the router modem via microUSB connection and a terminal application (Putty or RealTerm) we can issue some standard ATC's. Here are the results.
Huawei/Qualcomm standard AT commands (E589u-12 via "AT+CLAC")
The 3GPP ETSI standard [part 1/2]:
Code:
&C
&D
&E
&F
&S
&V
&W
A
D
E
H
I
L
M
O
P
Q
T
V
X
Z
\Q
\S
\V
%V
S0
S2
S3
S4
S5
S6
S7
S8
S9
S10
S11
S30
S103
S104
+CACM
+CAMM
+CAOC
+CBC
+CBST
+CCFC
+CCLK
+CCUG
+CCWA
+CDIP
+CEER
+CEMODE
+CEREG
+CFUN
+CGACT
+CGATT
+CGCLASS
+CGCMOD
+CGCONTRDP
+CGDATA
+CGDCONT
+CGDSCONT
+CGEQMIN
+CGEQNEG
+CGEQOS
+CGEQOSRDP
+CGEQREQ
+CGEREP
+CGMI
+CGMM
+CGMR
+CGPADDR
+CGQMIN
+CGQREQ
+CGREG
+CGSCONTRDP
+CGSMS
+CGSN
+CGTFT
+CGTFTRDP
+CHLD
+CHSN
+CHUP
+CIMI
+CIND
+CLAC
+CLCC
+CLCK
+CLIP
+CLIR
+CMEC
+CMEE
+CMER
+CMGC
+CMGD
+CMGF
+CMGL
+CMGR
+CMGS
+CMGW
+CMMS
+CMOD
+CMSS
+CNMA
+CNMI
+CNUM
+COLP
+COPN
+COPS
+CPAS
+CPBF
+CPBR
+CPBS
+CPBW
+CPIN
+CPLS
+CPMS
+CPOL
+CPUC
+CPWD
+CQI
+CR
+CRC
+CREG
+CRES
+CRLP
+CRSM
+CSAS
+CSCA
+CSCB
+CSCS
+CSDH
+CSIM
+CSMP
+CSMS
+CSQ
+CSSN
+CSTA
+CTFR
+CTZR
+CTZU
+CUSD
+CV120
+CVHU
+DR
+DS
+ES
+ESA
+FAR
+FCL
+FCLASS
+FDD
+FIT
+GCAP
+GCAP
+GMI
+GMM
+GMR
+GSN
+ICCID
+ICF
+IFC
+IPR
+PACSP
+VTS
+WS46
The Qualcomm Specific standard AT's [part 2/2]:
Code:
*CNTI Displays the access technology; refer to GSM 07.07 subclause 9.2 for err value
$BREW ?? Start a "Brew MP" serial session (by entering the BrewMP Command Processor)
$CCLK ?? sets the clock of the device
$CREG ?? gives information about the registration status and access technology of the serving cell.
$CSQ
$QCAPNE Command is used to edit APN values in APN table.
$QCBANDPREF Sets the band preferences of the device
$QCBOOTVER Returns boot image version
$QCCLR Clears mobile error log
$QCCNMI Similar to 27.005 +CNMI except for the behavior with $QCCNMI=1,2
$QCDEFPROF Sets the given profile number as default profile for the family of the specified technology and subscription.
$QCDGEN Generates data over +CGACT activated PDP context
$QCDMG Transitions to Diagnostics Monitor (DM) operation
$QCDMR Sets DM baud rate
$QCDNSP Sets primary DNS IP address
$QCDNSS Sets secondary DNS IP address
$QCHWREV Provides MDM1000 chip hardware revision
$QCMRUC Command is used to edit/set MRU database.
$QCMRUE Command is used to clear/delete MRU database
$QCPDPCFGE Sets PDN teardown time interval
$QCPDPIMSCFGE Command is used to edit PDP profile registry
$QCPDPLT Enables/disables tolerance to long delays in PDP call setup
$QCPDPP Sets authentication for PDP-IP packet data calls
$QCPINSTAT? Sends to the ME the status of all PINs for all cards
$QCPWRDN Power Down the UE
$QCSIMAPP This command is applicable only for DSDS target. User can select Active subscription.
$QCSIMSTAT Get/Set SIM status (init completed?)
$QCSLOT Sets SIM card on which slot commands will operate
$QCSYSMODE Get hardware available network modes (e.g. WCDMA + HSDPA + HSUPA)
$QCTER Sets TE-DCE baud rate; baud rates supported are identical to +IPR command
$QCVOLT Provides the input voltage level of VMAIN_3.3 as measured by the DUT power management IC
Here is a list of extracted Huawei OEM AT commands. They were extracted from
the E392u-12 firmware update (11.836.13.00.209), since I didn't have any
firmware for my own router. Later, I also managed to extract the firmware (via
QPST's Memory Debug Application) for the E589. The result, after having spent
considerable time manually checking the availability of most of these, is
shown in the table below. It is very likely that there are other commands
in our router firmware, not shown here, that I have either missed, or that
remain disabled until certain features are enabled and other criteria are
fulfilled. For example, DIAG, FTM, LTE, USSD modes etc.
Unsolicited ATCoP Messages
When connected directly to your modem port via some terminal application,
the ATCoP will occasionally produce informative messages about the status
of, and changes to, network connections etc. These messages are called
"unsolicited messages". In many of the newer Qualcomm-based Huawei (OEM)
mobile USB routers/modems, these messages appear prefixed with the
tilde/caret, "^". But although Huawei uses the caret for their
proprietary AT commands, these are not actually commands. In newer Huawei
modems, these messages are controlled by the AT^CURC command. Here is a
list of these unsolicited messages and their meanings.
From 909u-512 manual:
Code:
^ACTIVEBAND
^ANLEVEL
^BOOT [info] During device re/boot-up
^CEND
^CONF
^CONN
^CRSSI
^CSNR
^DATASETRULT
^DATAVALIDITY
^DSDORMANT
^DSFLOWRPT [info] about the current connection statistics during dial-up. (curr_ds_time,tx_rate,rx_rate,curr_tx_flow,curr_rx_flow, qos_tx_rate,qos_rx_rate)
^EARST
^ECCLIST
^ECLSTAT
^HCSQ
^HDRRSSI
^HRSSILVL
^HWNAT [info] Service State Change Indication (GSM,CDMA,LTE etc.)
^IPDATA
^IPSTATE
^LOCCHD
^MODE [info] System mode change event indication
^NDISEND
^NDISSTAT
^NWTIME
^ORIG
^OTACMSG
^POSEND
^POSITION
^RFSWITCH
^RSSI [info] RSSI change indication
^RSSILVL
^SIMFILEREFRESH
^SIMST [info] USIM card state change indication
^SMMEMFULL [info] When message storage is full, this unsolicited indication is sent.
^SRVST [info] Service state change indication
^STIN
^THERM
^TIMESETRULT
^WNINV
^WPDCP
^WPDDL
^WPDOP
^XDSTATUS
Maybe in E589:
^THERMST [info] ?? Thermal Step Timer
Error/Response Table
To see which ATCs work or not, I just marked the various ATCs with their allowed options.
Code:
Type:
-------------------------
-   Command Not Supported
!   Unsolicited message
E   ERROR
CE  +CME ERROR: 1
/   [no response] or just "OK"
Allowed options:
1   Raw: Used without parameter
2   Read: Read with "?"
3   Query: Read write options with "=?"
Huawei Proprietary AT commands (Qualcomm Modems)
Code:
^ANQUERY Query current network parameters (rscp,ecio,rssi,antenna_level,cellid)
^APBATLVL *1 Battery State/Level (chargerState,batterylvl)
^AUTHDATA 123
^AUTHVER 2
^BSN ?? Get Backward Sequence Number. The sequence number of the last correctly received MTP frame received.
^BTRSN
^CARDLOCK Unlock SIM network lock. Set: AT^CARDLOCK="<unlockcode>" (Query: state,times,operator) [NV item 50001]
^CARDMODE Get currently installed SIM/USIM card type. [2]
^CCV / ??
^CELLMODE 123 ?? Get current cell mode (0-9)??
^CMDLEN 2 ?? 480 ??
^CPBR Get Phonebook entries
^CPBW Set Phonebook entries
^CPIN 23 Get?set SIM PIN/PUK management
^CPNN E ?? Calling Party Number?
^CPWORD / [1]
^CQLM /
^CRADLE -
^CRPN /E
^CSDFLT ?? Circuit Switched Data? Related to Field Test Mode
^CSVER 2 Get XXXX version number. I.e. "1004"
^CSQLVLEXT +CSQ? Level Extension, shows RSSI Level and BER (rssilv,ber)
^CURC *23 Get/Set presentation of unsolicited results (^BOOT, ^RSSI etc.) [0-disable, 1-enable standard set, 2-modes]
^DATACLASS Get info on supported UMTS protocols
^DATALOCK
^DHCP CE Get interface IPv4 addrs assigned by network DHCP server
^DHCPv6 Get interface IPv6 addrs assigned by network DHCP server
^DIALMODE Get/Set dial-up mode (Modem/NDIS)
^DISLOG ?? Disable Diagnostics Mode use for certain NV items? (NV_FORBID_DIAG) Also see [1]
^DLR ?? Current USB? Download Rate (in kbps)
^DNSP Get/Set the Primary DNS server address
^DNSS Get/Set the Secondary DNS server address
^DSFLOWCLR Clears the DS traffic to zero, including the DS accumulated connection time
^DSFLOWQRY Show last DS connection time and traffic
^ECIOCFG ?? Ec/Io Configuration (related to signal quality) RSSI [dBm] = RSCP [dBm] - Ec/I0 [dB]
^ENABLESD *23 Enable/Disable router SD-card slot. (0:disable, 1:enable) [NV_SD_CARD_ENABLE_I]
^FACINFO / Get/Set Factory Information
^FCHAN /E [2]
^FDAC CE [2]
^FLASH Get NAND flash information (chiptype, block statistics etc.)
^FLNA [2]
^FPA CE [2] Set RF Power Amplifier level
^FREQLOCK Enable/disable RF PLL lock to specific ARFCN (By setting NV item "NV_FREQLOCK_I".)
^FRSSI CE [2] Get GSM/LTE RSSI values
^FRXON 2 [2] ?? RF Receiver On
^FTXON 2 [2] ?? RF Transmitter On
^GETPORTMODE 1 ?? Show active port mode: "TYPE:WCDMA:Qualcomm,PCUI:0,DIAG:1"
^GLASTERR E Get list of latest firmware errors
^GPIOPL 2 Get/Set PIN on OPL ??? (14 bits?)
^HS E ?? Switching to HS USB mode? (id,protocol,IsOffline,p_class,p_id,s_id)
^HSPA Get/Set "recommended" UMTS protocol
^HVER 1 Get PCB? hardware version/name
^HWDUMP 2
^HWNATQRY Get NAT of current network
^HWVER Get the Hardware Version number (31 characters)
^ICCID 2 Get the SIM card CID
^IMSICHG [3] Change IMSI
^INFORBU
^IPV4V6TEST -
^IPV6CAP - Check if IPv6 is supported
^JAPAN [1]
^LED 12
^LEDTEST Check color combinations of device's LED
^LTECAT 2 Get the device LTE Category
^LTECS 2 ? Get/Set LTE circuit switched (CS) fallback?? See: http://tinyurl.com/l2k3drz http://tinyurl.com/mjemr2u
^LTEPDPTIME ? [4]
^LTERSRP E [4] Get RSRP and RSRQ for serving cell
^LTESCINFO E [4] Get PCI, SINR, MIMO rank and bandwidth for serving cell
^MAXLCKTMS Get/Set (protected) maximum number of tries to enter wrong NCK [NV item 50005]
^MDATE E
^NDISDUP Get/Set NDIS based dialing (ECM) [Require enabled NDIS port]
^NDISEND ?? NDIS/WWAN Disconnect report
^NVMBN 123
^NVTEST 12
^OPL [3] ?? Get Operator PLMN List
^OPWORD [1]
^PHYNUM ?? Get/Set (protected) IMEI
^PLATFORM 2
^PNN [3] ?? Get PLMN Network Name (PNN) List
^PORTLOCK Enable/Disable switching PC UI to Diag mode
^PORTSEL 23 Proactive event report port setting for non-data service (Modem,PCUI,...) (0-disable*, 1-enable)
^PREFMODE Get/Set the preferential network mode
^RDCUST 123 Get/Set various Huawei customization parameters (NV), may need password! (~29 in total)
^RRCVER 23 ?? Get/Set RRC version? [0-4] (Begin to parse "Receiver" messages?)
^RSCPCFG Get/Set lower UMTS RSCP thresholds
^RSFR ??SF=SIM Filesystem?? Read
^RSFW ??SF=SIM Filesystem?? Write
^RSIM ?
^RSTRIGGER *23 ?? Writing to Huawei NV item [NV_HUAWEI_WMS_CONFIG_INFO_I]
^SCPBR ?? See +CPBR and ^CPBR Get Phonebook entries
^SCPBW ?? See +CPBW and ^CPBW Set Phonebook entries
^SD CE
^SETPID [3] Change device's USB PID to generic 1001 (until reboot)
^SETPORT Set modem port modes: (MODEM,PCUI,DIAG,PCSC,GPS,CDROM,SD, ... etc.)
^SFM Set modem to "Factory Mode": AT^SFM=1 (Disconnect and reconnect) [NV_FTM_MODE_I ?? nv number?]
^SIMLOCK
^SLOTCFG Get/Set maximum number of allocated data timeslots (GPRS/EDGE)
^SN ?? Write Serial Number into factory NV item 114 "Factory Information" [NV_FACTORY_ITEM ???]
^SPN [3] TE Query the Service Provider Name (SPN) file of 2G/3G stored on the SIM/USIM card through the ME.
^SSID Wifi ESSID? [NV-item 50290]?
^STGI [3]
^STGR [3]
^STIN [3]
^STSF [3] Related to writing NV item [NV_HUAWEI_STK_CFG_I]
^SWDUMP 2
^SYSCFG - (old) System configuration reference setting (Mode,Acqorder,Band,Roam,Srvdomain)
^SYSCFGEX 23 (new) System configuration reference setting (Acqorder,Band,Roam,Srvdomain,lteBand)
^SYSINFO 1 (old) Query the current system information (service state, domain, roaming etc.)
^SYSINFOEX 1 (new) Query the current system information (service state, domain, roaming etc.)
^SYSMODE 1 Get current network mode (WCDMA, HDSPA etc) [use ]
^TBAT *2 ?? Perhaps battery charger mode or Type? (0-normal, 1-, 2-charging)??? [NV-item 90]?
^TCHRENABLE *3 ?? Is trickle charge enabled ??
^TMODE [2] ?? Enter Factory Test (?) Mode (WARNING: Will reboot/reset router)
^TSELRF 2 ?? Get selected/supported RF modes/bands?
^UIMDELAY 23 ?? (0,1,2)
^USSDMODE Get/Set the USSD method to process the USSD data.
^VERSION 2 Get External/Internal hardware and firmware version information.
^WIKEY *23 [NV-item 50291]?
^WIWEP *23 [NV-item 50292]?
^YJCX 1 ?? Show some kind of combo of HW features (at least in other modems)
-------------------------------------------------------------------------------
* New in E589u-12 compared to E392u-12 FW
[1] DoCoMo (Japan) specific OEM and/or "authority" related commands.
Affected commands: ^JAPAN, ^OPWORD, ^CPWORD and ^DISLOG ?
[2] Some commands give weird responses, it could be that they're only
available when modem is set to Factory Test Mode (FTM) or when in
Diagnostic Mode (DIAG) ?
[3] Related to SIM Tool Kit (STK) functions.
[4] Certain LTE related commands has to have an active LTE connection
in order to work.
-------------------------------------------------------------------------------
These are device dependent, so obviously not all of them will work on all devices. There are probably
many others on more advanced routers, which is why we need the firmware.
Here are a few command descriptions/examples:
Code:
at^sysinfo
^SYSINFO:2,3,1,5,1,,4
at^setport?
FF;1,2,3,7,A1,A2
WHERE:
1:MODEM
2:PCUI
3:DIAG
4:PCSC
5:GPS
6:GPS CONTROL
7:NDIS
A:BLUE TOOTH
B:FINGER PRINT
D:MMS
E:PC VOICE
A1:CDROM
A2:SD
at^getportmode
^GETPORTMODE:TYPE:WCDMA:Qualcomm,PCUI:0,DIAG:1
at^portsel?
^PORTSEL:0
at^portsel=?
^PORTSEL:(0-1)
at^rdcust=?
(0: 0) (1: 0) (2: 1) (3: 0) (4: 0) (5: 0) (6: 0) (7: 0) (8: 0) (9: 0) (10: 0) (1
1: 0) (12: 1) (13: 0) (14: 0) (15: 0) (16: 0) (17: 0) (18: 0) (19: 0) (20: 0) (2
1: 0) (22: 0) (23: 1) (25: 0 0) (26: 0) (27: 0) (28: 1 1) (29: 0)
at^cardmode
^CARDMODE: 2
at^hver
^HVER:"CL1E589M22"
For more info on the at^syscfgex command, please have a look at the Russian forum post HERE.
References:
[1] HUAWEI UMTS Datacard Modem AT Command Interface Specification_V2.3.pdf
[2] HUAWEI CDMA Datacard Modem AT Command Interface Specification (2008)
[3] AT Command Interface Specification (2010) [MG323 GSM]
[4] Comprehensive AT Command Set in AMSS Software [80-VR432-1 C]
[5] ME909u-521Application-Guide.pdf
[6] ME909u-521-AT-Command-Specification.pdf
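The at^rdcust=? output shown above is awkward to read by eye: the modem sends the whole table as one line, the terminal wraps it mid-item, items 25 and 28 carry two values and ID 24 is absent. As an added example (not code from the thread), here is a Python parser for that response, plus a summary and a diff so two captures (two firmware revisions, or a device against a known-good capture) can be compared; both captures below are constructed from the outputs quoted on this page.

```python
import re

# Constructed sample: the at^rdcust=? exchange captured above, kept exactly as a
# terminal logs it, including the 80-column wraps that split "(11: 0)" and "(21: 0)".
RDCUST_E589 = """\
at^rdcust=?
(0: 0) (1: 0) (2: 1) (3: 0) (4: 0) (5: 0) (6: 0) (7: 0) (8: 0) (9: 0) (10: 0) (1
1: 0) (12: 1) (13: 0) (14: 0) (15: 0) (16: 0) (17: 0) (18: 0) (19: 0) (20: 0) (2
1: 0) (22: 0) (23: 1) (25: 0 0) (26: 0) (27: 0) (28: 1 1) (29: 0)
OK
"""

# Constructed second capture (same layout, item 2 cleared), used to show a diff
# between two devices or two firmware revisions.
RDCUST_OTHER = """\
at^rdcust=?
(0: 0) (1: 0) (2: 0) (3: 0) (4: 0) (5: 0) (6: 0) (7: 0) (8: 0) (9: 0)
(10: 0) (11: 0) (12: 1) (13: 0) (14: 0) (15: 0) (16: 0) (17: 0) (18: 0) (19: 0)
(20: 0) (21: 0) (22: 0) (23: 1) (25: 0 0) (26: 0) (27: 0) (28: 1 1) (29: 0)
OK
"""

# One "(id: v [v ...])" group; items such as 25 and 28 carry two values.
ITEM_RE = re.compile(r"\((\d+):((?:\s+\d+)+)\)")


def parse_rdcust(capture):
    """Return {item_id: (value, ...)} from a captured at^rdcust=? exchange.

    The modem sends the table as a single line and the terminal wraps it at
    its width, so the fragments are glued back together (trailing spaces are
    kept, since a wrap may fall between the two values of one item) before
    the regex is applied.
    """
    fragments = []
    for line in capture.splitlines():
        s = line.strip()
        if not s or s == "OK" or s.lower().startswith("at^"):
            continue  # blank line, final result code, or the echoed command
        fragments.append(line)
    items = {}
    for m in ITEM_RE.finditer("".join(fragments)):
        items[int(m.group(1))] = tuple(int(v) for v in m.group(2).split())
    return items


def rdcust_summary(items):
    """Describe the table: gaps in the ID sequence, multi-valued and enabled items."""
    if not items:
        return {"count": 0, "missing": [], "multi_valued": {}, "enabled": []}
    lo, hi = min(items), max(items)
    return {
        "count": len(items),
        "missing": [i for i in range(lo, hi + 1) if i not in items],
        "multi_valued": {i: v for i, v in items.items() if len(v) > 1},
        "enabled": sorted(i for i, v in items.items() if any(v)),
    }


def rdcust_diff(a, b):
    """Return {item_id: (value_in_a, value_in_b)} for items that differ or that
    exist on only one side (the missing side is reported as None)."""
    out = {}
    for i in sorted(set(a) | set(b)):
        if a.get(i) != b.get(i):
            out[i] = (a.get(i), b.get(i))
    return out


if __name__ == "__main__":
    e589 = parse_rdcust(RDCUST_E589)
    print(rdcust_summary(e589))
    print(rdcust_diff(e589, parse_rdcust(RDCUST_OTHER)))
```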
The OLD Huawei unlock algorithm
For reference I post a Python script using the OLD method for obtaining the
NCK and Flash unlock codes. The original source for this was found in THIS
thread at GSM-forum. However, all recent Huawei routers use a NEW method, which
has already been compromised but is strongly held secret by a bunch of
greedy hackers. Fortunately my router was already unlocked. But it would
still be interesting for the common good to understand how this works.
The general outline of the OLD method can be summarized as follows:
Generate your constants ("salt") from "hwe620datacard" and "e630upgrade",
using MD5 and discarding first 8, last 8 bytes of the result.
Concat IMEI + the constant for unlock or flash code
Apply MD5 to this string
Apply XOR operations to get 4 special bytes
Apply AND, OR operations to byte 3 (most significant byte)
Convert result to decimal <code>
Unlock modem/router with AT command: at^cardlock=<code>
Then you'll have:
Code:
SaltText        MD5(SaltText)                              Salt
------------------------------------------------------------------------
hwe620datacard  a32fe72c 5e8dd316726b0335 d5513ba0         5e8dd316726b0335
e630upgrade     aa91cee2 97b7bc6be525ab44 cdc63be0         97b7bc6be525ab44
------------------------------------------------------------------------
==>
#salt = "5e8dd316726b0335" # sim: hwe620datacard
#salt = "97b7bc6be525ab44" # flash: e630upgrade
Here the two salts obtained are used for the Sim unlock (NCK) and Flash
unlock, respectively. As you can see, this was valid for the very old
Huawei E620 data-card, but used on many other devices since.
The OLD Python script:
Code:
#!/usr/bin/python
import hashlib

def getCode(imei, salt):
    # MD5 of the lower-cased IMEI+salt string; bytearray() yields integer
    # bytes on both Python 2 and Python 3
    digest = bytearray(hashlib.md5((imei + salt).lower().encode("ascii")).digest())
    code = 0
    for i in range(0, 4):
        # XOR the four 4-byte words of the digest together, big-endian
        code += (digest[i] ^ digest[4 + i] ^ digest[8 + i] ^ digest[12 + i]) << (3 - i) * 8
    code &= 0x1ffffff   # keep the low 25 bits
    code |= 0x2000000   # set bit 25, so the result is always 8 decimal digits
    return code

salt = "5e8dd316726b0335"   # sim unlock (NCK) salt, derived from "hwe620datacard"
imei = "863030010760596"
print(getCode(imei, salt))
The NEW Huawei unlock algorithm
As for the new method of obtaining these constants I have no idea,
but many people do seem to know. However, if you'd like to find out for
yourself, you have to reverse engineer the at^cardlock command in the
modem firmware.
But from THIS post (and the ones following) on GSM-forum, you will find
out that the new "algorithm" really consists of 7 separate sub-routines using
slightly different algorithms/methods depending on the IMEI. At least one of
these uses the new constant "hwideadatacard"...
The algorithm selection code looks like this in PHP:
Code:
function HW_ALGO_V2_SELECTOR($imei) {
    // weighted sum over the 15 IMEI digits; $id starts numeric so PHP 8 does
    // not throw on string + int
    $id = 0;
    for ($i = 0; $i < 15; $i++) {
        $id = $id + (ord($imei[$i]) + ($i + 1)) * ($i + 1);
    }
    return ($id % 7);   // selects one of the 7 sub-routines
}
If you do decide to dig into this problem statement, here are a couple
of publicly available IMEI and unlock combinations you can use to test
with, for the E589u-12.
Code:
IMEI             Unlock
--------------------------------
863030010760596  26561436
863030010201062  24290098
863030010953233  52096763
863030011597427  56285257
Opening the E589
The E589 tear apart or tear down!
So, since I could not find any information anywhere on how to tear this baby
open, I had to do essentially that. I thought the FCC internal and external
photos would have helped me out, but with my inexperience, I did not recognize
the signs of the attachment mechanics. This made me break two plastic pryer
tools and almost the back cover itself, until I found that magic screw!
The screw is hidden under the SD card slot and under a cover of white paint,
which is why I missed it, since I thought it was the SD card eject button!
This is a normal Phillips head screw (PH00), and once you get it out, you
should be able to slide the cover off easily. Here's a picture showing the SD
card slot with the screw and the direction of the cover slide-off movement.
This movement is downwards from the back side/label point of view.
Then the battery seems attached somehow, first with a plastic flap and then most
likely with some glue/sticky tape... It seems very hard to detach, so I gave
up at this point, in fear of breaking something that I need and that is not
already broken. (I don't wanna ruin the battery.) Here's a picture of that.
Now you should be able to remove the whole battery and then the battery connector.
The battery is glued to the back plate, which also works as a heat sink for the underlying
components, so you have to be very careful not to pull too hard on the battery or you
risk also pulling some components from the PCB. Use some kind of tool to carefully pry the
battery loose, one side at a time.
Secrets under the battery
Thanks to chup in THIS post at MobilaBredband, we find some more secrets
behind the battery.
The first thing that sticks out, is the 5-pad slot. If it's a serial connection,
we only need 3 pads; Rx/Tx/GND. Indeed the square pad is connected
to GND. So what are the other options?
It could be either one of:
1) a set of minimal JTAG terminals according to SW-DP specifications for IEEE P1149.7.
2) a way to shorten something out, like an MDM9200 XO BOOT device option pin.
3) a second set of UART serial connection. We know MDM9200's have more than one...
4) a battery replacement port during assembly, service or factory testing.
Here we can also see the various internal antennas. There are three (3)
strip-line antennas integrated into the plastic parts on the top and the
bottom of the router PCB. Two in the top parts and one in the bottom. On the
top-left of the front/screen side of the PCB, is the connector to what Huawei
call the "Wifi Antenna". Then on the top-left, of the backside of the PCB, we
find what Huawei call the "Diversity Antenna" connectors, while on the
bottom-right, we find the "Main Antenna" connectors. Basically:
Code:
TOP-F  "WiFi Antenna"       Wifi (~2400 GHz)
TOP-B  "Diversity Antenna"  <GPS/unknown>
BOT    "Main Antenna"       Mobile RF (GSM/LTE etc.)
Here we continue to notice that:
The external antenna jack is connected to the mobile "Main Antenna".
The left-hand-side internal RF jack is connected to the "Diversity Antenna".
The right-hand-side internal RF jack may be connected to the "Wifi Antenna",
on the back, or something else...
According to Google, a "Diversity Antenna" is part of an intelligent
multi-antenna system that senses the incoming signals to automatically
select the antenna best positioned to receive it...
A more clear description can be found HERE.
Now, let's wildly speculate about this design. Many phones have their main
antennas in the bottom. Check! Then, since this device was meant to be carried
in the pocket, which mostly means the back pocket, with the screen towards your
body because of its shape, the Wifi signal needs to go through your body, and thus
the antenna should be on the screen side. Check! Then if you're to receive any
external/GPS signal at all, you'd like the antenna to be pointed to the
outside, which means on the backside of the PCB. Check!
All-in-all, we have 6 antenna connectors!
Beyond the event horizon
Next, you have 4 Torx (T5?) screws around the corners and 2 more behind the
battery, to undo. Then you can gently push into the holes, and the front
screen will hopefully come out (?) and should not have any other attached
connections.
I leave the rest up to you (or to me for a much later date), to fill in the
remaining blanks and post some internal pictures...
In the meantime, you can look at these internal pictures, that I obtained
from the FCC website and searching for FCCID: QIS E589U-512.
Front Side PCB.
As you can see, on the front side we have the following:
- 2-7 test points
- Chips:
(1) Toshiba TC58NYG1S3C NAND flash chip
(2) Qualcomm
(3)
Back Side PCB.
Here you can see:
- 2 internal RF connectors
- a 4G external RF antenna connector (See one HERE.)
- JTAG pads in typical Huawei layout of 10 pads in line (See HERE)
- Possible UART/Serial islands (5 pads)
< More Dragons TBA >
The NAND Memory
Is a Toshiba TC58NYG1S3C, and according to THIS document, we can decode the Toshiba product code to find:
Code:
TC58NYG1S3C
TC58 NY G1 S 3 C
|    || |  | | +-- 70 nm
|    || |  | +---- 2 KB page size, 128 KB block size.
|    || |  +------ 2 Level cells
|    || +--------- 2 Gbit = 256 MB
|    |+----------- 1.8 V
|    +------------ NAND
+----------------- Single Chip
But the only datasheet I could find HERE, is for the slightly different
TC58NYG1S3 EBAI4 which should be just fine.
The NAND pin assignments
Built-in GPS capability!
It all started when I noticed that my router showed "GPS" as one of the interface ports that can be enumerated. Sure enough, after playing with the at^setport command, my PC enumerated a "HUAWEI Mobile Connect - 3G GPS Interface" serial interface. However, I did not see anything on this, but then again I'm not sure how to use it properly either. So...
After having looked at my router using QXDM, I noticed there were GPS messages in the info logs. Later Googling around and a brief chat with vve (from gsm-forum) confirmed that indeed the MDM9200 has a built-in gpsOne Generation 8 engine. I then found some Qualcomm documents that clearly state that the components (SAW filters etc.) needed for full GPS + GLONASS functionality are "strongly recommended", even if not used/enabled. Here is a picture of that.
In addition, there are (apparently from the bad FCC photo above) 2 internal antenna connectors on the PCB,
that could be related, in addition to the external connector.
However, all this info is little worth without ripping apart my router to see what's actually present inside.
So unless someone else has something to say about this, you'll just have to be patient...
Later, we will see which GPS-related NV-items are set in firmware, if any.
Thanks to autoprime's exhaustive list of NV-items, we can easily find those
only related to the GPS subsystem, HERE.
< more TBA >
Huawei firmware numbering system / description
How does Huawei classify their firmware versions/revisions?
Well, let's have a look at my own example. My firmware is:
11.433.13.00.01
We see that it consists of 5 sets of numbers. These can be described as:
Code:
"11"  - is for Qualcomm based devices (23 for HiSilicon)
"433" - is the firmware Build version:
        Same HW platforms generally use the same builds. For example:
        All MDM9200-based modules: E392u, E397u, E398u, EM920u, EM930u etc.
"13"  - is the Debug version and prefixed by "D" in FW updates.
"00"  - probably Service Pack version and prefixed by "SP" in FW updates.
"01"  - Network Operator / Carrier Customization. ("00" = No customization.)
[Many thanks to VVE (from GSM-Forum) for this info.]
Similarly for firmware updates. For example:
Code:
HUAWEI_E589u-12_V100R001B433D15SP02C260_Finland (Elisa)_05021CTE.zip
Just add "Version" after each:
V  = Version
R  = Release
B  = Build
D  = Debug
SP = Service Pack
C  = Customization
Huawei Carrier Customization Codes
The firmware distributed by Huawei for use on their 3G/4G mobile wifi routers
(MiFi) and dongles is usually customized by each of the mobile service
providers that sell them. Here we attempt to list all the customization codes
used by Huawei, so that we can better understand the many variations that are
purely firmware dependent versus hardware dependent.
According to belief, a customization code of "00" refers to no customization;
in other words it should be original "vanilla" Huawei firmware.
So far we have:
Code:
[SIZE=2]code Provider Country
--------------------------------------
00/000 <na> <na>
01 Netcom Norway
07 Telia Sweden
08 MTN SA
16 KPN Holland
18 TME Spain
24 H3G Sweden
26 H3G Denmark
43 Etisalat UAE
55 DT Germany
56 Tele2 Sweden
58 Optimus Portugal
61 Cosmote Greece
69 Polkomtel Poland
74 Optus Australia
77 Telenor Hungary
78 T-Mobile Hungary
84 TMN Portugal
87 Mobitel Slovenia
99 Maxis Malaysia
110 Entel Chile
115 Nawras Oman
132 Utel Ukraine
136 Nova Island
141 Batelco Bahrain
143 MTS Russia
149 Vivo Brazil
151 Channel?? India
157 PCCW HK
158 Globe Philippines
161 Beeline Russia
174 Kyivstar Ukraine
180 Orange Spain
186 Zain Kuwait
192 TIM Italy
203 M1 Singapore
209 MegaFon Russia
222 MTS Ukraine
228 Personal Argentina
238 Smart Philippines
253 Personal Paraguay
260 Elisa Finland
272 Mobinil Egypt
284 Airtel India
309 Bytel France
349 Telia Denmark
362 MoldCell Moldova
388 Life Ukraine
391 Tele2 Russia
397 KTC Kuwait
400 OM* UK
409 Mobistar Belgium
422 Telenor Sweden
436 Omantel Oman
464 Telus Canada
479 Bytel France
570 UNE Colombia
577 Beeline Kazakhstan
618 Polsat Poland
622 "SFR" ??
626 Orange Uganda
632 STC Bahrain
634 MTS Uzbekistan
673 Altel Kazakhstan
697 MTN SA
778 OM* Russia
801 A1TA Austria
838 Global Saudi Arabia
883 Beeline Uzbekistan
991 MTC(Zain) Lebanon
1020 iinet Australia
1047 Orange France
1049 Eastlink Canada
1050 USCC ?? US
1055 EE UK
1062 Orange France
1064 OM* Norway
1099 OM* US
1102 20/20 ?? Sweden
1129 A&C Belgium
1134 OM* "Baltic Region"
1158 Spectranet Nigeria
--------------------------------------
OM* = "Open Market" and possibly without customization
UAE = United Arab Emirates
UK = United Kingdom
US = United States
HK = Hong Kong
SA = South Africa
--------------------------------------
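As an added example (not code from the post or from Huawei), the following parses the three version spellings that appear in this thread: the long firmware file name above (V/R/B/D/SP/C fields), the dotted "softversion" the device reports (the last four fields read as Build, Debug, Service Pack and Customization per the legend above; the leading field is kept unexplained because the post does not define it), and the `MDM9200Update_<softversion>.B<n>.exe` update names. The customization table is an assumed subset of the one listed above, enough to resolve the codes seen in this thread when inventorying a folder of firmware files.

```python
import re

# Long form from the post: HUAWEI_<model>_V100R001B433D15SP02C260_<rest>
FW_NAME_RE = re.compile(
    r"^HUAWEI_(?P<model>[^_]+)_"
    r"V(?P<version>\d+)R(?P<release>\d+)B(?P<build>\d+)"
    r"D(?P<debug>\d+)SP(?P<service_pack>\d+)C(?P<customization>\d+)"
    r"_(?P<rest>.+)$"
)
# Dotted form shown by the device, e.g. "11.433.13.00.01". The leading field is
# not explained in the quoted lines, so it is only carried along as "lead".
SOFTVERSION_RE = re.compile(
    r"^(?P<lead>\d+)\.(?P<build>\d+)\.(?P<debug>\d+)"
    r"\.(?P<service_pack>\d+)\.(?P<customization>\d+)$"
)
# Update installer names, e.g. MDM9200Update_11.433.15.01.673.B788.exe
UPDATE_NAME_RE = re.compile(
    r"^MDM9200Update_(?P<softversion>\d+(?:\.\d+){4})\.B(?P<suffix>\d+)\.exe$"
)

# Assumed subset of the customization-code table: code -> (provider, country).
CUSTOMIZATION = {
    0: ("<na>", "<na>"),
    1: ("Netcom", "Norway"),
    7: ("Telia", "Sweden"),
    260: ("Elisa", "Finland"),
    422: ("Telenor", "Sweden"),
    673: ("Altel", "Kazakhstan"),
    1064: ("OM*", "Norway"),
}


def _ints(groupdict, skip=()):
    """Convert every captured numeric field to int, keeping leading-zero codes exact."""
    return {k: int(v) for k, v in groupdict.items() if k not in skip}


def parse_firmware_name(filename):
    """HUAWEI_<model>_V..R..B..D..SP..C.._<rest> -> field dict, or None if not that form."""
    m = FW_NAME_RE.match(filename)
    if not m:
        return None
    fields = _ints(m.groupdict(), skip=("model", "rest"))
    fields.update(model=m.group("model"), rest=m.group("rest"))
    return fields


def parse_softversion(text):
    """Dotted softversion string -> field dict, or None."""
    m = SOFTVERSION_RE.match(text.strip())
    return _ints(m.groupdict()) if m else None


def parse_update_name(filename):
    """MDM9200Update_<softversion>.B<n>.exe -> softversion fields plus the B suffix."""
    m = UPDATE_NAME_RE.match(filename)
    if not m:
        return None
    fields = parse_softversion(m.group("softversion"))
    fields["suffix"] = int(m.group("suffix"))
    return fields


def customization_lookup(code):
    """(provider, country) for a C code, or None when the subset table lacks it."""
    return CUSTOMIZATION.get(int(code))


def describe(fields):
    """One-line summary for a firmware inventory listing."""
    who = customization_lookup(fields["customization"]) or ("unknown", "unknown")
    return (f"build {fields['build']} debug {fields['debug']} "
            f"sp {fields['service_pack']} cust {fields['customization']} "
            f"({who[0]}, {who[1]})")


if __name__ == "__main__":
    for name in ("HUAWEI_E589u-12_V100R001B433D15SP02C260_Finland (Elisa)_05021CTE.zip",
                 "MDM9200Update_11.433.15.01.673.B788.exe"):
        print(name, "->", describe(parse_firmware_name(name) or parse_update_name(name)))
```

The fields are returned as integers so that "00", "000" and "0" all resolve to the same table entry; extend `CUSTOMIZATION` from the full list above for codes outside this subset.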
AT^RDCUST: Analysis & Research
Most Qualcomm based 3G/4G Huawei devices have this special proprietary command that you will not find documented anywhere! So I decided to take the first steps in that direction. The typical output from that command looks like this:
Code:
at^rdcust=?
(0: 0) (1: 0) (2: 0) (3: 0) (4: 0) (5: 0) (6: 0) (7: 0) (8: 0) (9: 0)
(10: 0) (11: 0) (12: 1) (13: 0) (14: 0) (15: 0) (16: 0) (17: 0) (18: 0) (19: 0)
(20: 0) (21: 0) (22: 0) (23: 1) ---?--- (25: 0 0) (26: 0) (27: 0) (28: 1 1) (29: 0)
We see that items 25 and 28 are special as they return two numbers, while item
24 is missing altogether. So far we understand that rdcust consists of a
table of IDs (probably the ones above). Some of the items in this table have
an NV-item associated.
So from poking around in the firmware, I composed the following table.
Code:
-------------------------------------------------------------------------------------------------------
Item Function (allow/change/forbid) Source NV-item/Comment
-------------------------------------------------------------------------------------------------------
0 Replace Firmware Version rdcust_version_replace.c "00.000.00.00.00"
1 ?Forbid 2G registration rdcust_efust_disable.c
2 Forbid AT^CURC type/port rdcust_forbid_curc.c
3 Change Mean TPT Size rdcust_mean_tpt_size.c "Token Passing Tree"? (Ad-Hoc Wifi)
4 Change MTU size rdcust_mtu_size.c
5 Replace Product ID (PID) rdcust_product_id_replace.c
6 Change APN values rdcust_apn_set.c
7 Disable Video Calls rdcust_disable_video_call.c
8 Change USSD Mode rdcust_ussd_mode.c
9 Change? Full Frequency Scan rdcust_full_freq_scan.c
10 ? LED Light rdcust_led_light_cust.c
11 Exclusive Cardlock rdcust_exclusive_cardlock.c nv_huawei_specail_simlock_ind NV
12 Huawei Special SIM lock rdcust_egy_cardlock.c
13 Permanent Cardlock rdcust_permanent_cardlock.c
14 Class-0 SMS Route rdcust_class0_sms_route.c calss0_sms_route NV
15 Roaming HPLMN (count?) rdcust_not_roam_plmn.c
16 Disable RPLMN (PME?) rdcust_disable_rplmn_act.c RDCUST_DISABLE_RPLMN_ACT
17 Change GPRS Recent Activity Timer rdcust_gprs_recent_activity_timer.c
18 Change Default Traffic Class rdcust_default_traffic_class.c
19 Change STK rdcust_stk.c
20 Huawei Manual 3G? band Search Order rdcust_manual_srch_order_3.c NV_HUAWEI_MANUAL_BAND_SRCH_ORDER_I
21 Current ^SYSCFGEX Mode List rdcust_syscfgex_mode_list.c nv_syscfgex_mode_list NV
22 Get/Set Attach PDP Parameters rdcust_attach_pdp.c ..Inactivity timer, and also EFS related..
23 Disable F-DPCH (WCDMA) rdcust_disable_fdpch.c NV-item?
24 Huawei IPV4 and IPV6 Configuration rdcust_ipv4v6_cfg.c
25* ? Modified UI Network PLMN rdcust_uinetwk_plmn_modified.c
26 [1] GID1 Customer Forbid Band rdcust_forbid_band.c NV_HUAWEI_CUST_FORBID_BAND_I
27 [1] Start Telus GID1 check rdcust_gid1.c NV_HUAWEI_GID1_I
28* Set HS-DSCH Physical Layer Category rdcust_set_hsdsch_phy_layer_cat_ext.c
29 [1] Set GID1 LTE Band Preference rdcust_lte_band_pref.c
-------------------------------------------------------------------------------
* Returns 2 digits in E589u-12.
[1] GID1 = "Group Identifier Level 1" and is a type of SIM network
lockout mechanism. The GID1 elementary files on the SIM are
specified in GSM 11.11 (ETS 300 977)
Now, the item numbering was completely arbitrary, based on the order of appearance in the firmware. But closer inspection seems to confirm that this is not at all very arbitrary, as the highlighted items actually seem to confirm what fits the behavior of my device. How so? I don't have IPV4/6 (#24) configured, nor am I using WCDMA (#23). But hey, I could also be completely wrong here!
It would certainly be interesting to see what exactly items #11 and #12 do, as they're called "Exclusive Cardlock" and "Huawei Special SIM lock", respectively. Could one of these be part of the mysterious QXDM 16-digit password, that can be used to further unlock access to certain EFS files and NV-items?
...
< More TBA >
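An added example, not code from the post: a parser for the `at^rdcust=?` reply format shown above, plus a small inventory check that reports which item IDs are absent, which return two values, which are non-zero, and which of the items the table labels as card/SIM lock mechanisms (11, 12, 13) are set. The sample reply is constructed to mirror the author's output (item 24 absent, items 25 and 28 two-valued); the item names are a partial copy of the table above and the `LOCK_ITEMS` grouping is my own reading of that table, not something the firmware reports.

```python
import re

# Constructed sample in the shape of the at^rdcust=? reply quoted above.
SAMPLE_RDCUST = (
    "(0: 0) (1: 0) (2: 0) (3: 0) (4: 0) (5: 0) (6: 0) (7: 0) (8: 0) (9: 0)\n"
    "(10: 0) (11: 0) (12: 1) (13: 0) (14: 0) (15: 0) (16: 0) (17: 0) (18: 0) (19: 0)\n"
    "(20: 0) (21: 0) (22: 0) (23: 1) (25: 0 0) (26: 0) (27: 0) (28: 1 1) (29: 0)\n"
)

# One "(id: v [v ...])" group; the value list may hold more than one number.
ITEM_RE = re.compile(r"\((\d+):((?:\s+-?\d+)+)\s*\)")

# Partial copy of the item table composed above (id -> function name).
RDCUST_NAMES = {
    0: "Replace Firmware Version",
    11: "Exclusive Cardlock",
    12: "Huawei Special SIM lock",
    13: "Permanent Cardlock",
    23: "Disable F-DPCH (WCDMA)",
    24: "Huawei IPV4 and IPV6 Configuration",
    25: "Modified UI Network PLMN",
    28: "Set HS-DSCH Physical Layer Category",
}
# Items the table describes as card/SIM lock mechanisms (assumed grouping).
LOCK_ITEMS = {11, 12, 13}


def parse_rdcust(reply):
    """Raw reply text -> {item_id: (value, ...)}; two-valued items keep both numbers."""
    return {int(i): tuple(int(v) for v in vals.split())
            for i, vals in ITEM_RE.findall(reply)}


def analyse_rdcust(items, expected_ids=range(30)):
    """Summarise a parsed table: gaps, multi-valued items, non-zero items, lock flags."""
    present = set(items)
    return {
        "missing": sorted(set(expected_ids) - present),
        "multi_valued": sorted(i for i, v in items.items() if len(v) > 1),
        "enabled": sorted(i for i, v in items.items() if v[0] != 0),
        "lock_flags_set": sorted(i for i, v in items.items()
                                 if i in LOCK_ITEMS and v[0] != 0),
    }


def report_lines(reply):
    """Human-readable lines for every non-zero item, named where the table knows it."""
    items = parse_rdcust(reply)
    summary = analyse_rdcust(items)
    return [f"item {i:2d} ({RDCUST_NAMES.get(i, 'unknown')}): {items[i]}"
            for i in summary["enabled"]]


if __name__ == "__main__":
    print(analyse_rdcust(parse_rdcust(SAMPLE_RDCUST)))
    print("\n".join(report_lines(SAMPLE_RDCUST)))
```

Run against a reply captured from a real device, the "lock_flags_set" list is the quick check for whether a unit carries a carrier SIM lock, and "missing" shows which IDs the firmware build hides from the query form.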
I like your courage and passion in each of your posts! Anytime fully documented...
The Battery
The internal battery is labelled "HB5P1H" and is a 3.7V, 3000mAh (11.1 Wh)
Li-Polymer battery. The battery has a 5-lead ribbon connector, which seems to
indicate that it has an internal programmable charge controller aka "gas gauge".
A typical internal battery design can be seen in THIS (bq27x00) TI datasheet.
So as an initial guess (until tested), the pins on the battery connector
could have the following functions.
Code:
pin color signal function
----------------------------------------------
1 red PACK + Battery Positive
2 red SCL I2C Serial Clock Input
3 white GND ground
4 black SDA I2C Serial Data Input
5 black PACK - Battery Minus
These types of batteries generally have 5 internal power "modes".
Code:
Active During normal ON operation
Sleep Low power mode
Ship Low power mode for shipping
Hibernate Used when Vcc drops below Vpor
Data Retention (RBI) ??
A few battery related ATC's...
Code:
at^apbatlvl (chargerState,batterylvl)
^APBATLVL:1,4 ==> STATE: 1, LEVEL=4
at^tbat?
^TBAT:2
at^tchrenable=?
^TCHRENABLE:0
at+cbc
+CBC: 0,100
< more TBA >
Table of Contents (ToC)
The next steps in looking under the hood of this device have been rather heavy.
The collection of relevant software, information and analysis of all that above and
below has been extremely time consuming and surprisingly hard to organize in
a pedagogical and useful manner. Here is a short and partial summary of what
is to come.
The Huawei Modem HackPack
Huawei, Windows Drivers & COM ports...
SD-card sharing: Huawei FAILURE!
Backing the Router Settings
Backing the Router Firmware
- Qualcomm NV-items
- Qualcomm EFS2 (internal file system)
- Huawei/Qualcomm Firmware (internal partitions)
Extracting the router firmware
a) From Huawei firmware update
b) From raw NAND dump
c) From T32 JTAG debugger
d) From 3rd party raw JTAG ram dump
The Web User Interface (Web UI)
The Huawei Mobile Partner Software
PLEASE HOLD ANY COMMENTS UNTIL COMPLETE!
(and this message removed)
Huawei Modem HackPack
Version: 0.1
Last Update: 2013-09-26
Here is a collection of some very useful windows tools when dealing with any
Qualcomm-based devices, such as our Huawei.
This HackPack is to be considered a one-time only, as-is download. That means:
I will not maintain it.
I will not update it.
I will not answer any questions about it.
I will not be held responsible if any of the tools mess up your system, wife or life.
I will not keep a copy on my PC for you to send me PM's asking for it.
In fact I will probably not even maintain the download link below, in case it dies.
If I decide otherwise, you will find this post updated.
Download ==> HERE <==
=======================================
All utilities are for 32-bit Windows!
And that's YOUR problem, if any.
=======================================
Package Contents:
Code:
3rd party Qualcomm Tools:
CDMA Workshop [3.9.0] http://www.cdma-ware.com/workshop.html
DFS CDMA Tool [13.9.19.0] http://cdmatool.com/download
RevSkills / PSAS [2.08.6] http://revskills.de/downloads/revskills.zip EOL 2013-03-01: http://tinyurl.com/phpkbca
MDMA [1.1.0.1] http://www.nerve.org.za/mdma/index.html Forum: http://tinyurl.com/peq9635
RadioComm [11.12.2] http://tinyurl.com/pqgg3v3 Download: http://tinyurl.com/p43a5gp
3rd party Huawei Tools:
DC-Unlocker Client [1.00.1045] https://www.dc-unlocker.com/downloads
Huawei Flasher [1.6] http://www.francesco-pompili.it/ Download: http://tinyurl.com/k4z3blr
Huawei Drivers [4.25.18] http://vve.su/vvesu/files/misc/MP/Huawei_Driver_4.25.18.zip
Windows Utilities (various):
UsbTreeView [2.1.8] http://www.uwe-sieber.de/usbtreeview_e.html
SerialMon [?] http://www.serialmon.com/
SPCA [1.1.1] http://www.yo3ggx.ro/spca/spca.html Serial Port Communication Analyzer
vspd [7.1.289] http://www.eltima.com/products/vspdxp/ Virtual Serial Port Driver
com0com [3.0.0.0] http://sourceforge.net/projects/com0com/ Null-modem emulator
ReAssignCOMPortNumb.exe [1.0.0.0] http://www.ftdichip.com/Support/Utilities/Reassign%20COMNo%20Utility.zip
Windows Utilities (Nirsoft):
USBDeview [2.27] http://www.nirsoft.net/utils/usb_devices_view.html
DevManView [1.35] http://www.nirsoft.net/utils/device_manager_view.html
DriverView [1.45] http://www.nirsoft.net/utils/driverview.html
DeviceIOView [1.02] http://www.nirsoft.net/utils/device_io_view.html
RegFromApp [1.30] http://www.nirsoft.net/utils/reg_file_from_application.html
RegScanner [2.01] http://www.nirsoft.net/utils/regscanner.html
Data:
nv_complete.zip [2013-06-07] http://forum.xda-developers.com/showthread.php?t=1954029
Additional Links:
Code:
QPST [2.7.402] Download http://tinyurl.com/oggkkz6
QXDM-winxp [3.12.714] Download http://tinyurl.com/nkvv636
USBlyzer [2.0] Download http://www.usblyzer.com/files/USBlyzer.zip
Putty [beta 0.63] Download http://www.chiark.greenend.org.uk/~sgtatham/putty/
RealTerm [2.0.0.70] Download http://sourceforge.net/projects/realterm/
Huawei Mobile Partner** [23.009.05.03.1014] Download http://www.huaweidevice.com/mpartner
** NOTE:
This version is using the older (4.25.10.00) Huawei drivers.
So if you want to use this, install this first, and then the new driver package.
There is an update on that link, but it is not clear what it does.
Huawei, Windows Drivers & COM ports...
First Connections
Connecting your E589 to a windows box, for the first time, will enumerate a couple of (possibly old default windows) drivers. This of course depends on what you have installed and used before. As I have never used any Huawei device before, all I got was something like this. "Something", because I don't remember exactly what was there, since I tried to use the DC-Unlocker Client to get some device info.
Initially the only thing I could see in the windows Device Manager was this:
Code:
DeviceType VID:PID Description
-------------------------------------------------------------------
USB Mass Storage Device 12d1:1f01 Router SD card slot
However, when using DC-Unlocker Client to find the modem, it seems to find and/or install its own drivers and ended up listing the following, as shown
in Device Manager under "Ports (COM/LPT)":
Code:
Device Name VID:PID SYS INF Ver Date
---------------------------------------------------------------------------------------------------------
FC - Application Interface 12d1:1442 FcSerial.sys oem214.inf 2.0.6.705 1/17/2012
FC - PC UI Interface 12d1:1442 FcSerial.sys oem214.inf 2.0.6.705 1/17/2012
G:\ wpdfs.inf 6.0.6002.18112 6/21/2006
Huawei SD Storage? 12d1:1f01 disk.sys wpdfs.inf 6.0.6002.18005 6/21/2006
This is much better, but not at all satisfying. So I proceeded to install the proper Huawei Device Drivers (see HackPack). After rebooting the machine (and/or selecting the drivers when asked), I got these:
Code:
Device Name VID:PID INF InfSec Ver Date
-----------------------------------------------------------------------------------------------------------------------------------------
HUAWEI Mobile Connect - 3G Modem 12d1:1001 oem204.inf Modem0.NT 2.0.6.720 3/19/2013
HUAWEI Mobile Connect - 3G Application Interface 12d1:1001 oem203.inf QportInstall00.NT 2.0.6.720 3/19/2013
HUAWEI Mobile Connect - 3G PC UI Interface 12d1:1001 oem203.inf QportInstall01.NT 2.0.6.720 3/19/2013
What happened to my SD card and storage device!? Nobody knows, but enabling the hidden view in Device Manager eventually helped... Doing some studying of the Huawei AT command set led me to connect to the modem via terminal (Putty) and issue the following AT commands:
Code:
at^sfm=1
at^setport="FF;1,2,3,A2"
Disconnect, and reboot router, and reconnect. BAM! There they are:
Code:
Device Name Drive VID:PID SYS INF InfSec Ver Date
-----------------------------------------------------------------------------------------------------------------------------------------
HUAWEI Mobile Connect - 3G Modem 12d1:1413 modem.sys oem204.inf Modem0.NT 2.0.6.720 3/19/2013 USB\VID_12D1&PID_1413& MI_00 \6&39cbb52c&0& 0000
HUAWEI Mobile Connect - 3G Network Card 12d1:1413 ewusbnet.sys oem205.inf qcwwan.ndi 1.0.4.017 2/17/2013 USB\VID_12D1&PID_1413& MI_01 \6&39cbb52c&0& 0001
HUAWEI Mobile Connect - 3G Application Interface 12d1:1413 ewusbmdm.sys oem203.inf QportInstall00.NT 2.0.6.720 3/19/2013 USB\VID_12D1&PID_1413& MI_02 \6&39cbb52c&0& 0002
HUAWEI Mobile Connect - 3G PC UI Interface 12d1:1413 ewusbmdm.sys oem203.inf QportInstall01.NT 2.0.6.720 3/19/2013 USB\VID_12D1&PID_1413& MI_03 \6&39cbb52c&0& 0003
HUAWEI Mobile Connect - 3G GPS Interface 12d1:1413 ewusbmdm.sys oem203.inf QportInstall01.NT 2.0.6.720 3/19/2013 USB\VID_12D1&PID_1413& MI_04 \6&39cbb52c&0& 0004
HUAWEI Mass Storage USB Device G: 12d1:1413 USBSTOR.SYS 6.0.6002.18005 USB\VID_12D1&PID_1413& MI_05\6 &39cbb52c&0& 0005
HUAWEI SD Storage USB Device H: 12d1:1413 USBSTOR.SYS 6.0.6002.18005 USB\VID_12D1&PID_1413& MI_06\6 &39cbb52c&0& 0006
9 new drivers and they smell fresh! The info above was obtained by playing around with the USBDeview (from HackPack). Very useful when you have USB driver issues. We can also list the available ports by issuing the following AT command:
Code:
at^getportmode
^GETPORTMODE:TYPE:WCDMA:Qualcomm,MDM:0,NDIS:1,DIAG:2,PCUI:3,GPS:4,CDROM:5,SD:6
Tracking Down Windows Driver Issues
The best way to resolve Windows device/driver issues is to first be able to see what drivers are already installed and available. The problem is that Windows defaults to hiding drivers not in use. We will need to remedy this in order to remove faulty drivers.
There are 3 ways to list hidden devices in device manager.
(a) Set a permanent environment variable.
(b) Use a temporary environment variable in a command shell and
open Device Manager from within that shell.
(c) Make a simple permanent change to your registry.
The best way (from HERE) is (c) :
Open Registry Editor.
In Registry Editor, navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
Create the following value (DWORD):
devmgr_show_nonpresent_devices
Change its value to 1. Close Regedit.
Kill and restart Windows Explorer or just reboot.
But if you want to try this first, use (b):
Open a command window.
Type "set DEVMGR_SHOW_NONPRESENT_DEVICES=1" without the quotes at the command line then press enter.
Type "devmgmt.msc" without the quotes at the command line then press enter.
Under the "View" menu click on "Show hidden devices".
Navigate to "Ports (COM & LPT)" and there should be many more devices listed and can be removed with a simple right click uninstall.
Some of the Nirsoft tools in the HackPack can do some of this automatically...
You'll be surprised how much driver junk you will find in your machine after only a year...
Too Many COM Ports
It's quite annoying that every time you change USB port on your Windows box, the Device Manager insists on re-installing the drivers for that device and giving them a new COM port! You'll end up having several dozen COM ports in a short time. The very small and nice FTDI utility in the HackPack allows you to easily re-assign the COM ports to wherever you like. And you can use some of the other utilities to remove device drivers that are using old/other COM ports.
SD-card sharing: Huawei FAILURE!
It is not clear from the instructions that came with the router, what the
exact intended function of an internal SD card would be. But from looking at
other Huawei MiFi routers, it seems that one should be able to "share"
the microSD card data in such a way, that anyone connected to the router
should be able to open the web interface to up/download files. However, this
"feature", as it is marketed for the E589, is not available. I have tried
pretty much everything apart from throwing it against the wall, and still no
sign of a working SD card-reader connection in the web-interface, even though
the SD-card is recognized in the Windows Device Manager when connected via micro
USB cable. So WTF Huawei!?
Here are 2 pictures of a working interface for the E5776. This is exactly the same
as for the E589u-12, but without the "Sharing" tab enabled.
And here's the actual "sharing" settings page...
So now you think, whoa, no reason for it to work on a different device...right? Wrong!
By poking around in the firmware, I know the "interface" is in there. In fact it is over here:
http://192.168.1.1/html/sdcardsharing.html
However, it is not enabled and does not register my SD card for some reason,
and any clicking on this page results in an error. It seems that the web server
content for this "feature" has been disabled somewhere. We need to find where
and why, and then try to fix it by flashing a new hacked EFS filesystem.
So what would it take to accomplish this?
Answer: Something like this.:
Inspect the HW to make sure SD is connected as it should.
Status: Most likely OK, since already recognized by PC.
Inspect the web-interface and web-server settings, to make sure it has the intended support.
Status: WIP
Partial reverse engineering of the firmware, to make sure it's able to support this "feature".
Status: To do.
Extract the EFS2 to get all the required files and modify as needed.
Status: Partially done. Protected EFS still need to be extracted.
Re-flash modified EFS.
Status: Should be easy, unless EFS files are signed!
A first step is to inspect the JavaScript code, doing all the web serving. Playing around with
the interface, we immediately find the following potential problems:
For example they use iframes, which have been known to be browser dependent in the past,
and some of the critical variables are disabled and possibly wrong.
sdcard.js
Code:
...
var SD_STATUS_DISABLE = '0';
var SD_NO_FORMATED = '2';
var SD_SHARE = '1';
var SD_NOSHARE = '0';
var SD_WEB_SHARE = '0'; <-- Is this correct?
var SD_USB_SHARE = '1';
var SD_ACCESS_READ = '0'; <-- Is this correct?
var SD_ACCESS_WRITE = '1';
var SD_SHARE_ALL_FILE = '0';
var SD_SHARE_CUSTOM_FILE = '1';
var SD_ROOT_DIRECTORY = 'tffs0b'; <-- Is this correct?
var FILE_LIST_TYPE_FOLDER = '0';
var FILE_LIST_TYPE_FILE = '1';
var LOGIN_STATE_NOMAL = '0';
var LOGIN_STATE_ERROR = '1';
...
Then, when loading the following EFS file:
Code:
EFS2 location: hdev/ftl1h0p1/WebApp/common/api/sdcard/sdcard
web-server: http://192.168.1.1/api/sdcard/sdcard
in the browser, we obtain the result:
Code:
<?xml version="1.0" encoding="utf-8"?>
<response>
<sdcard>
<SDShareMode>0</SDShareMode> <-- Is this correct?
<SDCardShareStatus>1</SDCardShareStatus>
<SDShareFileMode>1</SDShareFileMode>
<SDAccessType>1</SDAccessType>
<SDSharePath>/music</SDSharePath> <-- Is this correct?
<SDCardStatus>1</SDCardStatus>
</sdcard>
</response>
As you can see, these were only 2 files out of hundreds...
But before we go any further, it is wise to backup everything possible. That means
the default router web UI settings, internal router firmware and the router's internal
chip/factory settings, known as NV-items, in case it is a Qualcomm based chipset.
Backing up the router web UI settings (NV data)
Although they call this "NV data" backup, it is not the same as backing
up the Qualcomm NV-items used to configure the internal modem processor.
That needs to be done from another application such as QPST, CDMA-tools,
or RevSkills etc... Instead, this is only a backup of the router's web user interface (UI).
There are 2 different ways to do this.
One way is to:
Go to the web interface and login. Then navigate to:
Settings --> System --> "Back up and Restore"
Click on "Backup" button.
The other way is this:
Just go to: http://192.168.1.1/nvram.bak to download & save the file.
Then to see the contents which are Base64 encoded, you need to decode
by ignoring non-Base64 characters:
Code:
base64.exe -d -i nvram.bak >nvram.txt
Here's my output with the IMSI, "<custom-dir>" (which is the first 8 digits of the IMSI) and wifi SSID edited out with #'s:
Code:
model_verify
start_file
E589u-12
end_file
softversion_verify
start_file
11.433.13.00.01
end_file
dailup_file:
/hdev/ftl1h0p1/userdata/dialup/config.xml
start_file:
<?xml version="1.0" encoding="UTF-8"?>
<config>
<profile_imsi>###############</profile_imsi>
<current_profile>1</current_profile>
</config>
end_file:
profile_list_file:
/hdev/ftl1h0p1/userdata/dialup/profilelist.xml
start_file:
<?xml version="1.0" encoding="UTF-8"?>
<config>
<profile>
<index>1</index>
<is_valid>1</is_valid>
<profile_name>NetCom</profile_name>
<apn_is_static>1</apn_is_static>
<apn>internet.netcom.no</apn>
<dailup_num>*99#</dailup_num>
<username/>
<password/>
<auth_mode>2</auth_mode>
<ip_is_static>0</ip_is_static>
<ip_address/>
<dns_is_static>0</dns_is_static>
<primary_dns/>
<secondary_dns/>
<read_only>2</read_only>
</profile>
<profile>
<index>2</index>
<is_valid>1</is_valid>
<profile_name>Chess internet</profile_name>
<apn_is_static>1</apn_is_static>
<apn>internet.netcom.no</apn>
<dailup_num>*99#</dailup_num>
<username>chess</username>
<password>chess</password>
<auth_mode>2</auth_mode>
<ip_is_static>0</ip_is_static>
<ip_address/>
<dns_is_static>0</dns_is_static>
<primary_dns/>
<secondary_dns/>
<read_only>2</read_only>
</profile>
<profile>
<index>3</index>
<is_valid>1</is_valid>
<profile_name>Vitel</profile_name>
<apn_is_static>1</apn_is_static>
<apn>internet.netcom.no</apn>
<dailup_num>*99#</dailup_num>
<username/>
<password/>
<auth_mode>2</auth_mode>
<ip_is_static>0</ip_is_static>
<ip_address/>
<dns_is_static>0</dns_is_static>
<primary_dns/>
<secondary_dns/>
<read_only>2</read_only>
</profile>
</config>
end_file:
lan_config_file:
/hdev/ftl1h0p1/userdata/lan/config.xml
start_file:
<?xml version="1.0" encoding="UTF-8" ?>
<config>
end_file:
firewall_config_file:
/hdev/ftl1h0p1/userdata/firewall/config.xml
start_file:
<?xml version="1.0" encoding="UTF-8"?>
<config>
<fwswitch>
<firewallwanportpingswitch>0</firewallwanportpingswitch>
<firewallipfilterswitch>0</firewallipfilterswitch>
<firewallmainswitch>0</firewallmainswitch>
</fwswitch>
</config>
end_file:
ipfilter_file:
/hdev/ftl1h0p1/userdata/firewall/ipfilter.xml
start_file:
<?xml version="1.0" encoding="UTF-8"?>
<config>
<ipfilters>
<ipfilter>
<lanipfilterprotocol>0</lanipfilterprotocol>
<lanipfilterstatus>0</lanipfilterstatus>
<lanipfilterlanstartaddress/>
<lanipfilterlanendaddress/>
<lanipfilterlanstartport>0</lanipfilterlanstartport>
<lanipfilterlanendport>0</lanipfilterlanendport>
<lanipfilterwanstartaddress/>
<lanipfilterwanendaddress/>
<lanipfilterwanstartport>0</lanipfilterwanstartport>
<lanipfilterwanendport>0</lanipfilterwanendport>
<lanipfiltersrcstartipmask>0</lanipfiltersrcstartipmask>
<lanipfilterdeststartipmask>0</lanipfilterdeststartipmask>
<lanipfilterpolicy>0</lanipfilterpolicy>
</ipfilter>
... [several more]
</ipfilters>
</config>
end_file:
specialapp_file:
/hdev/ftl1h0p1/userdata/firewall/specialapp.xml
start_file:
<?xml version="1.0" encoding="UTF-8"?>
<config>
<lanports>
<lanport>
<specialapplicationtriggername/>
<specialapplicationtriggerport>0</specialapplicationtriggerport>
<specialapplicationtriggerportend>0</specialapplicationtriggerportend>
<specialapplicationtriggerprotocol>0</specialapplicationtriggerprotocol>
<specialapplicationstartopenport0>0</specialapplicationstartopenport0>
<specialapplicationendopenport0>0</specialapplicationendopenport0>
<specialapplicationstartopenport1>0</specialapplicationstartopenport1>
<specialapplicationendopenport1>0</specialapplicationendopenport1>
<specialapplicationstartopenport2>0</specialapplicationstartopenport2>
<specialapplicationendopenport2>0</specialapplicationendopenport2>
<specialapplicationstartopenport3>0</specialapplicationstartopenport3>
<specialapplicationendopenport3>0</specialapplicationendopenport3>
<specialapplicationstartopenport4>0</specialapplicationstartopenport4>
<specialapplicationendopenport4>0</specialapplicationendopenport4>
<specialapplicationtriggerstatus>0</specialapplicationtriggerstatus>
<specialapplicationopenprotocol>0</specialapplicationopenprotocol>
</lanport>
... [several more]
</lanports>
</config>
end_file:
virtualserver_file:
/hdev/ftl1h0p1/userdata/firewall/virtualserver.xml
start_file:
<?xml version="1.0" encoding="UTF-8"?>
<config>
<servers>
<server>
<virtualserveripname/>
<virtualserverstatus>0</virtualserverstatus>
<virtualserverremoteip/>
<virtualserverwanport>0</virtualserverwanport>
<virtualserverwanportend>0</virtualserverwanportend>
<virtualserverlanport>0</virtualserverlanport>
<virtualserveripaddress/>
<virtualserverprotocol>0</virtualserverprotocol>
</server>
... [several more]
</servers>
</config>
end_file:
device_config_file:
/hdev/ftl1h0p1/userdata/firewall/config.xml
start_file:
<?xml version="1.0" encoding="UTF-8"?>
<config>
<fwswitch>
<firewallwanportpingswitch>0</firewallwanportpingswitch>
<firewallipfilterswitch>0</firewallipfilterswitch>
<firewallmainswitch>0</firewallmainswitch>
</fwswitch>
</config>
end_file:
device_config_file:
/hdev/ftl1h0p1/userdata/device/config.xml
start_file:
<?xml version="1.0" encoding="utf-8" ?>
<config>
</config>
end_file:
global_config_file:
/hdev/ftl1h0p1/userdata/global/config.xml
start_file:
<?xml version="1.0" encoding="UTF-8"?>
<config>
<custom_dir>########</custom_dir>
</config>
end_file:
webserver_config_file:
/hdev/ftl1h0p1/userdata/webserver/config.xml
start_file:
<?xml version="1.0" encoding="UTF-8"?>
<config>
end_file:
wifi_config_file:
/hdev/ftl1h0p1/userdata/wifi/config.xml
start_file:
<?xml version="1.0" encoding="UTF-8"?>
<config>
<wifiwps>
<wpspin></wpspin>
</wifiwps>
<wifisec>
<WifiRestart>0</WifiRestart>
<wifiwpscfg>1</wifiwpscfg>
<wifiwpsenbl>1</wifiwpsenbl>
<wifiwepkeyindex>1</wifiwepkeyindex>
<wifiwpaencryptionmodes>MIX</wifiwpaencryptionmodes>
<wifibasicencryptionmodes>NONE</wifibasicencryptionmodes>
<wifiauthmode>WPA/WPA2-PSK</wifiauthmode>
<wifiwpapsk>10234873</wifiwpapsk>
<wifiwepkey4>34873</wifiwepkey4>
<wifiwepkey3>34873</wifiwepkey3>
<wifiwepkey2>34873</wifiwepkey2>
<wifiwepkey1>34873</wifiwepkey1>
</wifisec>
<wifibasic>
<WifiRestart>1</WifiRestart>
<wifiprotectionmode>0</wifiprotectionmode>
<wifipamode>0</wifipamode>
<wifiwme>1</wifiwme>
<wifibcnintvl>100</wifibcnintvl>
<wifidtmintvl>1</wifidtmintvl>
<wifirtsthrshld>2347</wifirtsthrshld>
<wififrgthrshld>2346</wififrgthrshld>
<wifitxpwrpcnt>128</wifitxpwrpcnt>
<wifiofftime>600</wifiofftime>
<wifioffenable>0</wifioffenable>
<wifiisolate>0</wifiisolate>
<wifimaxassoc>10</wifimaxassoc>
<wifirate>0</wifirate>
<wifimode>b/g/n</wifimode>
<wificountry>NO</wificountry>
<wifihide>0</wifihide>
<wifichannel>0</wifichannel>
<wifienable>1</wifienable>
<wifissid>###-############</wifissid>
</wifibasic>
</config>
end_file:
upnp_config_file:
/hdev/ftl1h0p1/userdata/upnp/config.xml
start_file:
<?xml version="1.0" encoding="utf-8"?>
<config>
</config>
end_file:
<checksum>29905063</checksum>
At the very end of the file, you find a "checksum" tag like this:
Code:
<checksum>29905063</checksum>
I don't know how this checksum is calculated. (Anyone?) But I think it could be some kind of CRC of the contents previous to, and above the tag.
The eagle-eyed would also have noticed the lack of the closing "</config>" tag for the "lan_config_file:". Could this influence the SD-card sharing problems?
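An added example, not code from the post: a small Python reader for the decoded nvram.bak layout shown above. It strips non-Base64 bytes before decoding (the same thing the `-i` flag does for `base64 -d`), splits the dump into its `<name>_file:` / path / `start_file:` / `end_file:` blocks, runs each body through an XML parser so that a truncated file like the `lan_config_file` above (no closing `</config>`) is reported, pulls out the trailing checksum tag, and masks the fields that should never leave the machine in clear text: the dump as served by the router carries the WPA PSK, WEP keys, dial-up passwords and IMSI. The sample dump is constructed for the example; the set of tags treated as secret is my choice, and the checksum is only extracted, not verified, since the post does not say how it is computed.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for a decoded nvram.bak, laid out like the dump above.
# The lan block deliberately lacks its closing </config>, as in the real dump.
SAMPLE_PLAIN = """model_verify
start_file
E589u-12
end_file
lan_config_file:
/hdev/ftl1h0p1/userdata/lan/config.xml
start_file:
<?xml version="1.0" encoding="UTF-8" ?>
<config>
end_file:
wifi_config_file:
/hdev/ftl1h0p1/userdata/wifi/config.xml
start_file:
<?xml version="1.0" encoding="UTF-8"?>
<config>
<wifisec>
<wifiwpapsk>10234873</wifiwpapsk>
<wifiwepkey1>34873</wifiwepkey1>
</wifisec>
<wifibasic>
<wifissid>TEST-SSID</wifissid>
</wifibasic>
</config>
end_file:
<checksum>29905063</checksum>
"""
# The router serves the file Base64-encoded; encodebytes() line-wraps its output,
# which gives the decoder below the non-alphabet bytes it has to skip.
SAMPLE_B64 = base64.encodebytes(SAMPLE_PLAIN.encode("utf-8"))

# One "<name>_file:" block; the lookahead keeps start_file:/end_file: from
# being taken as block names.
BLOCK_RE = re.compile(
    r"^(?!start_file|end_file)(?P<name>\w+_file):\r?\n"
    r"(?P<path>\S+)\r?\nstart_file:\r?\n"
    r"(?P<body>.*?)^end_file:",
    re.S | re.M,
)
CHECKSUM_RE = re.compile(r"<checksum>(\d+)</checksum>")
# Tags whose values are secrets in this backup (assumed list): WPA PSK, WEP keys,
# dial-up passwords, IMSI, WPS PIN and the IMSI-derived custom_dir.
SECRET_TAG_RE = re.compile(
    r"<(wifiwpapsk|wifiwepkey\d|password|profile_imsi|wpspin|custom_dir)>[^<]+</\1>"
)


def decode_ignoring_garbage(data):
    """Mirror `base64 -d -i`: drop bytes outside the Base64 alphabet, then decode."""
    clean = re.sub(rb"[^A-Za-z0-9+/=]", b"", data)
    return base64.b64decode(clean)


def xml_error(body):
    """None when body is well-formed XML, otherwise the parser's message."""
    try:
        ET.fromstring(body)
        return None
    except ET.ParseError as exc:
        return str(exc)


def parse_backup(raw_b64):
    """Decode a served nvram.bak and split it into per-path file records."""
    text = decode_ignoring_garbage(raw_b64).decode("utf-8")
    files = {}
    for m in BLOCK_RE.finditer(text):
        files[m.group("path")] = {
            "section": m.group("name"),
            "body": m.group("body"),
            "xml_error": xml_error(m.group("body")),
        }
    cs = CHECKSUM_RE.search(text)
    return {"text": text, "files": files, "checksum": int(cs.group(1)) if cs else None}


def malformed_files(parsed):
    """Paths whose embedded XML did not parse (e.g. a missing closing tag)."""
    return sorted(p for p, f in parsed["files"].items() if f["xml_error"])


def redact(text):
    """Mask secret-bearing tags before the dump is stored or posted anywhere."""
    return SECRET_TAG_RE.sub(lambda m: f"<{m.group(1)}>########</{m.group(1)}>", text)


if __name__ == "__main__":
    parsed = parse_backup(SAMPLE_B64)
    print("checksum tag:", parsed["checksum"])
    for path in malformed_files(parsed):
        print("not well-formed:", path, "->", parsed["files"][path]["xml_error"])
    print(redact(parsed["text"]))
```

To use it on a real download, pass the raw bytes of nvram.bak to `parse_backup()` and keep only `redact(parsed["text"])` for anything that leaves your machine; the unredacted decode is enough to restore a WPA network from, so treat it like a password file.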
Backing up the router Firmware
Now, this is the place where siht is starting to get real. The main problem is that Huawei
has blatantly abandoned their device support, in pursuit of a more profitable build-sell-and-forget
strategy. Just what we're used to Samsung doing! So we're left in the dust of greed, to fend for
ourselves. The firmware for this device is nowhere to be seen in the wild apart from some occasional
JTAG dumped fakes, behind some far-east pay-walls. So we have to resort to our own back-to-basics
low-level tools. Fortunately, Qualcomm is on our side, with occasional document leaks and
various OEM tools. Let's see what we can do with them and what needs to be done.
Basically, the "firmware" (FW) consists of several parts:
(1) The raw CP firmware code containing the RTOS.*
(2) The raw AP (here UI) firmware code containing the APPS OS.*
(3) The factory hardware settings, containing chip specific configuration data.
    E.g. Qualcomm MDM9200 + related chipset data.
(4) The OEM (Huawei) hardware settings, containing device design specific configuration data.
    E.g. microSD-card, display, USB and antenna/band settings.
(5) The Carrier customization settings, that determine the available/allowed networks,
    bands and carriers, including the web-interface and server.
* Note that in our E589, (1) and (2) are the same as there is no real AP nor UI. That means all
UI-like (display and web-UI) operations are happening in (1), the modem itself.
Parts (1) and (2) are generally stored on the eMMC in separate partitions, while parts (3-5) are redundantly stored on one or more partitions, using a special (virtual) file system called Embedded File System, EFS2. This is not a real FS, in the low-level HW sense. Within this EFS, are all the parameters and settings required for normal operation of the device, including the web-server and UI filesystem. That means (in our case), that we have the following:
all IMEI/IMSI and carrier data
web-server and UI data
all RF related parameter data
most/all of AP/CP/PMIC/WiFi/BT/NFC low/chip-level parameters
carrier customization configuration
etc etc
However, most of the data and parameters that are not directly part of the web-interface are stored in a number of proprietary Qualcomm Non-Volatile (NV) items, the "NV-items". Each individual NV-item is usually stored in its own separate file in the EFS under the "nv" directory. They can have names or simply numbers, depending on OEM and NV-item values. To simplify the loading, editing, backup and restore of these, Qualcomm uses a special file format, called a QCN file. Special tools like QPST, QXDM, etc. are used to create, edit, compare, merge or upload these files to the device. We will look in more detail at these tools later.
The important thing here is that we want to back up both the full EFS and the QCN file for easy access. Later we'll attempt to make a low-level (partition-level) backup of the rest of the internal firmware, in case something would go wrong or if we would need a more low-level RTOS firmware modification.
< WIP >
Backing up the EFS
There are several ways to back up the EFS2 internal filesystem.
Qualcomm QPST
Qualcomm QXDM
RevSkills
< tba >
One way to back up the EFS2 is to use the QPST plugin "EFS Explorer".
a) Open QPST and connect your phone
b) Go to: menu > EFS Explorer
c) In the new EFS Explorer window, ...
d) < tba >
e) Send your SPC, normally "000000" for unlocked modems.
f) ...
This will also generate the EFS logfile "efs.log". This is a text-file that contains all filenames that are part of the backup. Here you will not only find the path to all XML configuration files, JavaScript, nv/item_files/ and manuals etc., but it will also be very useful to show you what URLs are available through the router web-UI.
HERE is the entire list, with some edits for readability.
We'll discuss the details of this in a later post about the web-UI and API.
Incomplete EFS Backup
Backing up your EFS in this way, will not allow you to get all items. Some of the EFS files containing crucial HW specific data are read/write protected. These protected folders are shown in EFS Explorer as crossed out, like this:
I have not yet figured out how to get these out in a simple way, without having to resort to more advanced methods, as mentioned later.
Please send me a PM if you know how!
< WIP >
The Huawei E589u-12 Firmware is here!
Thanks to some very helpful GSM-forum members, we now have 3 different
firmware versions for our 4G MiFi router. Here they are:
Code:
MDM9200Update_11.433.14.01.1064.B788.exe   <none> (Norway)      HERE: http://d-h.st/4Lj (15.33 MB)   original: http://tilbehor.emcom.no/download/Huawei/E589/MDM9200Update_11.433.14.01.1064.B788.exe
MDM9200Update_11.433.15.01.673.B788.exe    Altel (Kazakhstan)   HERE: http://d-h.st/fo3 (15.08 MB)   original: http://vve.su/vvesu/files/misc/E589/MDM9200Update_11.433.15.01.673.B788.exe
MDM9200Update_11.433.15.00.422.B788.exe    Telenor (Sweden)     HERE: http://d-h.st/lea (15.27 MB)   original: http://www.telenor.se/published_images/MDM9200Update_11.433.15.00.422.B788.zip
These have been compressed with 7zip.
[UPDATE: 2014-01-05]
We now have many more E589 firmwares available HERE at the Russian 3ginfo site. They are:
Code:
Huawei E589 11.433.15.00.375 Zain +sdimage
Huawei E589 11.433.15.01.115 Nawras +sdimage
Huawei E589 11.433.15.01.157 PCCW +sdimage
Huawei E589 11.433.17.01.260 Elisa
Huawei E589u-12 11.433.14.02.990 OpenMarket
Huawei E589u-12 11.433.14.02.1055 EE +sdimage
Huawei E589u-12 11.433.15.00.158 Globe +sdimage
Huawei E589u-12 11.433.15.00.422 Telenor +sdimage
Huawei E589u-12 11.433.15.01.673 Altel +sdimage
Huawei E589u-12 11.433.15.02.260 Elisa +sdimage
Huawei E589u-12 11.433.15.03.1020 iinet +sdimage
Huawei E589u-12 11.433.15.04.192 Tim
Huawei E589u-512 11.433.19.00.228 Personal +sdimage
Huawei E589u-512 11.433.19.00.256 Personal
Huawei E589u-512 11.433.99.51.000.B730 normal
Some of these include a mysterious file: SDimage.BIN (~44 MB)
I don't know what it does, but hope that perhaps it could fix the SD-card sharing problem. Please post if you have any idea!
WARNING
Do not randomly flash these to your modem.
These have not yet been tested and confirmed to work.
They are just for your convenience in case you have
a dead router or other serious problem. I will not be
held responsible for what happens, if you do.
Most likely they will completely change the LTE-band availability,
depending on the carrier it was originally meant for. Perhaps
we will see later what exact bands and features they have.
See post#7 for more Huawei firmware descriptions.
Hi, just wondering how you were able to hack Japan E-mobile's Huawei GL04P LTE MiFi? I'm trying to get it to work with another country's LTE network. Currently only 3G is able to.
I would really guess that the two reds are both connected to battery+ and the two blacks to battery-.
That leaves one pin leftover.
I'd guess that it is a standard 10K NTC thermistor.
It would be easy enough to measure the resistance of the white to the black.
I2C would be cute, but how could it have that?
Your work is awesome!!!!
I've only one question... I would like to reboot this router with some scripts, or similar (curl, telnet, lynx...). Did you find any tips?
Thank you!

Lumia 520 - Unable to find a bootable option

A friend has asked me to look at this Nokia Lumia 520, apparently it turned on one day and displayed this error message "unable to find a bootable option. Press any key to shutdown"
Nokia Software Update for Retail recognises the phone and says software can be installed:
This downloads fine and starts the install process, however it always fails with the message "phone not supported by nokia software updater retail"
I have also tried using NaviFirm+, searching for the product code 059S3T5 which lets me download the RM914_3058.50000.1425.0006_RETAIL_eu_euro1_327_06_452364_prd_signed firmware.
However I'm unable to flash this with the Nokia Care Suite, it states: 0xFA001106: Signature check of FFU file fails. Reason(s): The FFU file is not correctly signed or not signed for this device.
Has anyone got any suggestions on what else I can try to flash this firmware, or to try to fix the phone?
I was following the tutorial here Flash/unbrand Lumia devices thinking if the firmware was re-flashed all would be fine.
Cheers for any advice
Have you tried this?
http://www.microsoft.com/en-us/mobile/support/faq/?action=singleTopic&topic=FA142987
Thanks for the suggestion, I have tried that; it will download the firmware too, however it fails before flashing it, stating the device is not supported.
InsaneNutter said:
Thanks for the suggestion, I have tried that; it will download the firmware too, however it fails before flashing it, stating the device is not supported.
I think the Windows partition is crashed (like memory damage/corruption).
Hardware related problems.
InsaneNutter said:
A friend has asked me to look at this Nokia Lumia 520, apparently it turned on one day and displayed this error message "unable to find a bootable option. Press any key to shutdown"
Nokia Software Update for Retail recognises the phone and says software can be installed:
This downloads fine and starts the install process, however it always fails with the message "phone not supported by nokia software updater retail"
I have also tried using NaviFirm+, searching for the product code 059S3T5 which lets me download the RM914_3058.50000.1425.0006_RETAIL_eu_euro1_327_06_452364_prd_signed firmware.
However I'm unable to flash this with the Nokia Care Suite, it states: 0xFA001106: Signature check of FFU file fails. Reason(s): The FFU file is not correctly signed or not signed for this device.
Has anyone got any suggestions on what else I can try to flash this firmware, or to try to fix the phone?
I was following the tutorial here Flash/unbrand Lumia devices thinking if the firmware was re-flashed all would be fine.
Cheers for any advice
Hi,
Have you sorted your phone out yet?
BruceKDallas said:
Hi,
Have you sorted your phone out yet?
Hi,
Nope, I could never fix the phone. I spent loads of time messing about with it, however I think it was a hardware related problem.
I've given it back to my friend and she's since got a new phone.
I am in the same situation... NOKIA 520 RM-914 Code 059S7H0
"ERROR: Unable to find a bootable option. Press any key to shut down". Any button I push, the phone goes into a bootloop ending with this ERROR...
I first tried to repair it with Windows Device Recovery Tool (WDRT) 3.1.4, but with no success...
In WDRT my Lumia is not detected automatically, so I must choose the device manufacturer manually. To be detected I must restart the Lumia while WDRT is trying to detect it.
The phone is detected as a LUMIA phone, firmware version: unknown, software available on server: 3058.50000.1425.003.
When I try to install the software after downloading the package, the result is:
"Operation ended with failure. The software is not correctly signed or not signed for this device."
The NOKIA driver is seen as NOKIA BOOTMGR.
Then I searched the internet about this problem and found this thread.
I tried the advanced mode with thor2.exe; I manually downloaded the firmware for my device Lumia 520, RM-914, Code 059S7H0.
I opened Command Prompt as administrator, then used the command:
cd c:\Program Files (x86)\Microsoft Care Suite\Windows Device Recovery Tool\
I used the command line to extract gpt0.bin from the ffu image:
thor2 -mode ffureader -ffufile "C:\rm-914\RM914_3058.50000.1425.0003_RETAIL_eu_hungary_422_03_447211_prd_signed.ffu"
The result was 2 files, gpt0.bin and GPT1.bin. I renamed gpt0.bin as msimage.mbn.
RKH of the device is:
RKH of SBL1: F771E62AF89994064F77CD3BC16829503BDF9A3D506D3FACECAEF3F808C868FD
RKH of UEFI: F771E62AF89994064F77CD3BC16829503BDF9A3D506D3FACECAEF3F808C868FD
I've downloaded the hex file for my Lumia RM-914 to have the 2 files HEX.hex and msimage.mbn for the command line:
thor2 -mode emergency -hexfile "C:\TEMP\HEX.hex" -mbnfile "C:\TEMP\msimage.mbn" -orig_gpt
THOR2 1.8.2.18
Built for Windows @ 13:36:46 Jun 16 2015
Thor2 is running on Windows of version 6.1
thor2 -mode emergency -hexfile C:\TEMP\HEX.hex -mbnfig_gpt
Process started Sun Dec 06 23:12:08 2015
Debugging enabled for emergency
Initiating emergency download
Operation took about 10.00 seconds.
THOR2_ERROR_CONNECTION_NOT_FOUND
THOR2 1.8.2.18 exited with error code 84000 (0x14820)
The Phone is still in NOKIA BOOTMGR mode...
If I try to disconnect the phone and restart, it goes into the same message:
"ERROR: Unable to find a bootable option. Press any key to shut down", not showing me the RED screen like it should be.
If I go into the next step for flashing the device with the command line:
thor2.exe -mode vpl -maxtransfersizekb 1 -vplfile "C:\RM-914\RM914_059S7H0_3058.50000.1425.0003_037.vpl"
the screen changes into a big NOKIA logo, the driver goes from NOKIA BOOTMGR into NOKIA FLASH...
Thor2 is running on Windows of version 6.1
thor2.exe -mode vpl -maxtransfersizekb 1 -vplfile C:\RM-914\RM914_059S7H0_3058.50000.1425.0003_037.vpl
Process started Sun Dec 06 23:22:20 2015
Logging to file C:\Users\Marta\AppData\Local\Temp\thor2_win_20151206232220_ThreadId-3864.log
Parsing VPL file C:\RM-914\RM914_059S7H0_3058.50000.1425.0003_037.vpl
Successfully parsed VPL
Flashing .ffu file RM914_3058.50000.1425.0003_RETAIL_eu_hungary_422_03_447211_prd_signed.ffu (SW version 3058.50000.1425.0003)
Debugging enabled for uefiflash
Initiating FFU flash operation
WinUSB in use.
isDeviceInNcsdMode
isDeviceInNcsdMode is false
Device mode 6 Uefi mode
[THOR2_flash_state] Pre-programming operations
Disable timeouts
Get flashing parameters
Lumia Boot Manager detected
Check status of battery
State of charge 8, charging current 282
Protocol version 1.1 Implementation version 1.16
Detecting UEFI responder
HELLO success
Lumia Boot Manager detected
Check status of battery
State of charge 8, charging current 266
Protocol version 1.1 Implementation version 1.16
Booting to FlashApp
Reboot to FlashApp command sent successfully.
DetachFrom connection
Verifying that device is online
Device is online
Detecting UEFI responder
HELLO success
Lumia Flash detected
Protocol version 1.15 Implementation version 1.28
Disable timeouts
Get flashing parameters
Lumia Flash detected
Protocol version 1.15 Implementation version 1.28
Size of one transfer is 2363392
Size of buffer is 2359296
Number of eMMC sectors: 15269888
Platform ID of device: Nokia.MSM8227.P6036.1.2
Async protocol version: 01
Security info:
Platform secure boot enabled
Secure FFU enabled
JTAG eFuse blown
RDC not found
Authentication not done
UEFI secure boot enabled
SHK enabled
Device supports FFU protocols: 0019
[THOR2_flash_state] Device programming started
Using secure flash method
CoreProgrammer version 2015.06.10.001.
Start programming signed ffu file C:\RM-914\RM914_3058.50000.1425.0003_RETAIL_eu_hungary_422_03_447211_prd_signed.ffu
FfuReader version is 2015061501
Send FlashApp write parameter: 0x4d544f00
Perform handshake with UEFI...
Flash app: Protocol Version 1.15 Implementation Version 1.28
DevicePlatformInfo: Nokia.MSM8227.P6036.1.2
Unknown sub block detected. Skip...
Unknown sub block detected. Skip...
Supported protocol versions bitmap is 19
Secure FFU sync version 1 supported.
Secure FFU async version 1 supported.
Secure FFU async version 3 supported.
Get CID of the device...
Get EMMC size of the device...
Emmc size in sectors: 15269888
CID: Samsung, Size 7456 MB
Start charging...
Requested write param 0x43485247 is not supported by this flash app version.
Start charging... DONE. Status = 0
Unable to send ECHO REQ or ECHO REQ not supported
Get security Status...
Security Status:
Platform secure boot is enabled.
Secure eFUSE is enabled.
JTAG is disabled.
RDC is missing from the device.
Authentication is not done.
UEFI secure boot is enabled.
Secondary HW key exists.
Get RKH of the device...
RKH of the device is F771E62AF89994064F77CD3BC16829503BDF9A3D506D3FACECAEF3F808C868FD
Get ISSW Version...
Get ISSW Version, SKIPPED!
Get system memory size...
Size of system mem: 524288 KB
Read antitheft status...
Requested read param 0x41545250 is not supported by this flash app version.
Send backup to RAM req...
Clearing the backup GPT...SKIPPED!
Successfully parsed FFU file. Header size: 0x000e0000, Payload size: 0x0000000062900000, Chunk size: 0x00020000, Header offset: 0x00000000, Payload offset: 0x00000000000e0000
RKH match between device and FFU file!
Option: Skip CRC32 check in use
Start sending header data...
FlashApp returned reported error in SecureFlashResp!
Status: 0x1106, Specifier: 0x8000000E
FA_ERR_FFU_SEC_HDR_VALIDATION_FAIL
Send of FFU header failed!
[IN] programSecureFfuFile. Closing C:\RM-914\RM914_3058.50000.1425.0003_RETAIL_eu_hungary_422_03_447211_prd_signed.ffu
programming operation failed!
0xFA001106: Signature check of FFU file fails. Reason(s): The FFU file is not correctly signed or not signed for this device.
Operation took about 3.00 seconds.
THOR2_ERROR_FA_SIGNATURE_FAIL
THOR2 1.8.2.18 exited with error code -100658938 (0xFA001106)
Here, after this step, if the flash is 100% successful, the screen must change to green;
mine finished with the same error: "The FFU file is not correctly signed or not signed for this device..."
I guess most of us are in the same situation, I can't make the device skip the signature check... Any suggestions?
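The log above records two checks in sequence: the root key hash comparison ("RKH match between device and FFU file!") passed, and the FFU header signature validation then failed with FA_ERR_FFU_SEC_HDR_VALIDATION_FAIL / 0xFA001106. The following Python triage script is an added example, not part of thor2 or of this post: it parses the log lines quoted above (re-joined where the forum wrapped them), recomputes the eMMC size and FFU chunk counts from the numbers the tool prints, converts the signed exit code back to its hex form, and names the stage at which flashing stopped.

```python
"""Triage a thor2 (Lumia flashing tool) log: pull out device facts and FFU header
fields, cross-check the printed numbers, and name the stage where flashing failed."""
import re

# Constructed sample: the relevant lines of the thor2 log quoted in the post, with
# the forum's 80-column wrapping re-joined. Nothing else was changed.
SAMPLE_LOG = """\
Number of eMMC sectors: 15269888
Platform ID of device: Nokia.MSM8227.P6036.1.2
Security Status:
Platform secure boot is enabled.
Secure eFUSE is enabled.
JTAG is disabled.
RDC is missing from the device.
Authentication is not done.
UEFI secure boot is enabled.
Secondary HW key exists.
RKH of the device is F771E62AF89994064F77CD3BC16829503BDF9A3D506D3FACECAEF3F808C868FD
Successfully parsed FFU file. Header size: 0x000e0000, Payload size: 0x0000000062900000, Chunk size: 0x00020000, Header offset: 0x00000000, Payload offset: 0x00000000000e0000
RKH match between device and FFU file!
FA_ERR_FFU_SEC_HDR_VALIDATION_FAIL
Send of FFU header failed!
THOR2_ERROR_FA_SIGNATURE_FAIL
THOR2 1.8.2.18 exited with error code -100658938 (0xFA001106)
"""

SECTOR_BYTES = 512  # thor2 counts eMMC capacity in 512-byte sectors
SIMPLE_FIELDS = {
    "emmc_sectors": re.compile(r"^Number of eMMC sectors: (\d+)$"),
    "platform_id": re.compile(r"^Platform ID of device: (\S+)$"),
    "rkh_device": re.compile(r"^RKH of the device is ([0-9A-Fa-f]+)$"),
    "fa_error": re.compile(r"^(FA_ERR_\w+)$"),
    "thor2_error": re.compile(r"^(THOR2_ERROR_\w+)$"),
    "exit_code": re.compile(r"exited with error code (-?\d+)"),
}
FFU_HEADER = re.compile(
    r"Header size: 0x([0-9a-fA-F]+), Payload size: 0x([0-9a-fA-F]+), "
    r"Chunk size: 0x([0-9a-fA-F]+), Header offset: 0x([0-9a-fA-F]+), "
    r"Payload offset: 0x([0-9a-fA-F]+)")

def to_u32_hex(signed_code):
    # thor2 prints its exit code as a signed 32-bit int; recover the 0xFA.. form
    return "0x%08X" % (signed_code & 0xFFFFFFFF)

def parse_thor2_log(text):
    """Return extracted facts plus derived sanity checks as a dict."""
    info = {"security": [], "rkh_match": False, "fa_error": None, "thor2_error": None}
    in_security = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Security Status:":
            in_security = True
            continue
        if in_security and line.endswith("."):
            info["security"].append(line.rstrip("."))  # one flag per line
            continue
        in_security = False  # first non-flag line ends the block
        if line == "RKH match between device and FFU file!":
            info["rkh_match"] = True
        for key, pattern in SIMPLE_FIELDS.items():
            m = pattern.search(line)
            if m:
                info[key] = m.group(1)
        m = FFU_HEADER.search(line)
        if m:
            hs, ps, cs, ho, po = (int(x, 16) for x in m.groups())
            info["ffu"] = {"header_size": hs, "payload_size": ps, "chunk_size": cs,
                           "header_offset": ho, "payload_offset": po}
    if "emmc_sectors" in info:  # 15269888 sectors -> 7456 MB, matching the CID line
        info["emmc_mb"] = int(info["emmc_sectors"]) * SECTOR_BYTES // (1024 * 1024)
    if "ffu" in info:
        f = info["ffu"]
        info["chunk_count"] = f["payload_size"] // f["chunk_size"]
        info["header_chunks"] = f["header_size"] // f["chunk_size"]
        # Payload must start right after the header and be a whole number of chunks.
        info["layout_consistent"] = (
            f["header_offset"] + f["header_size"] == f["payload_offset"]
            and f["payload_size"] % f["chunk_size"] == 0)
    if "exit_code" in info:
        info["exit_code_hex"] = to_u32_hex(int(info["exit_code"]))
    return info

def classify(info):
    """Name the failure stage using only what the log itself states."""
    if info["thor2_error"] is None:
        return "no THOR2_ERROR line: the run did not report a failure"
    if info["thor2_error"] == "THOR2_ERROR_CONNECTION_NOT_FOUND":
        return "emergency download found no device connection"
    if info["fa_error"] == "FA_ERR_FFU_SEC_HDR_VALIDATION_FAIL" and info["rkh_match"]:
        return ("flash app rejected the FFU header although the root key hash matches: "
                "the FFU is not signed for this device (0xFA001106), not a wrong RKH")
    if info["fa_error"] == "FA_ERR_FFU_SEC_HDR_VALIDATION_FAIL":
        return "flash app rejected the FFU header and the RKH did not match"
    return info["thor2_error"]
```

Run it on a full thor2 log saved from the console; the emergency-mode log earlier in the post would be classified by its THOR2_ERROR_CONNECTION_NOT_FOUND line instead.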
have you jtag?
As far as I read, JTAG is a toolbox for repairing phones which have the same problem, but what we are trying to do is without this toolbox; we have a dead phone at home. Microsoft said it is a hardware failure and they must change the complete motherboard, but with the JTAG toolbox it can be repaired without changing anything, just a complete rewrite of the bootloader and software. I don't want to buy the toolbox just to repair my Lumia 520, I don't need it, I'm just a home user, not a repair company...
melhisedec said:
As far as I read, JTAG is a toolbox for repairing phones which have the same problem, but what we are trying to do is without this toolbox; we have a dead phone at home. Microsoft said it is a hardware failure and they must change the complete motherboard, but with the JTAG toolbox it can be repaired without changing anything, just a complete rewrite of the bootloader and software. I don't want to buy the toolbox just to repair my Lumia 520, I don't need it, I'm just a home user, not a repair company...
You should find the test point for qcom9008 and flash the phone.
Mine was running everything give I install windows 10 just give the battery does not know dai was appearing this message (Erro Unable to find a bootable option error. Press any key to shut down,) Lumia 925 Brazil
Usually this is the main problem with the Lumia software update, and the stupid engineers from Microsoft don't fix it...
You deleted the header partition, and the Lumia doesn't power on. Only JTAG can help you.
I didn't know anything about this problem of almost every Lumia device until my phone did the automatic software update from Win8 to 8.1 or 10, I don't know which one... And then the phone restarted with this stupid problem:
"ERROR: Unable to find a bootable option. Press any key to shut down"...
I have spent one week searching the internet to fix this but I couldn't make it...
If I can remove or unlock the bootloader, maybe I can force the phone to be flashed with WDRT 1.34 and no more error:
"The FFU file is not correctly signed or not signed for this device."
melhisedec said:
I
Only you can help the programmer and all) nokia, wpinternals not flashing it. pins or seek to enter the 9008 regime (disassembly required).
partition table got off
I know this problem from my Lumia 720 (1st motherboard: after the firmware those files were not there; 2nd motherboard: after sbl3 was flashed it was not right, it died).
JTAG helped you, and me.
InsaneNutter said:
Hi,
Nope, I could never fix the phone. I spent loads of time messing about with it, however I think it was a hardware related problem.
I've given it back to my friend and she's since got a new phone.
Cool. I had the same issue and many other issues with my 520. I have a very cool way of fixing this and all other issues if you struggle to start the phone up. If you are interested, let me know and I will explain to you. Very easy and process takes about 5 minutes.
Cheers
BruceKDallas said:
Cool. I had the same issue and many other issues with my 520. I have a very cool way of fixing this and all other issues if you struggle to start the phone up. If you are interested, let me know and I will explain to you. Very easy and process takes about 5 minutes.
Cheers
How did you do it?
melhisedec said:
As far as I read, JTAG is a toolbox for repairing phones which have the same problem, but what we are trying to do is without this toolbox; we have a dead phone at home. Microsoft said it is a hardware failure and they must change the complete motherboard, but with the JTAG toolbox it can be repaired without changing anything, just a complete rewrite of the bootloader and software. I don't want to buy the toolbox just to repair my Lumia 520, I don't need it, I'm just a home user, not a repair company...
Did you follow http://forum.xda-developers.com/showthread.php?t=2515453 correctly?
InsaneNutter said:
A friend has asked me to look at this Nokia Lumia 520, apparently it turned on one day and displayed this error message "unable to find a bootable option. Press any key to shutdown"
Nokia Software Update for Retail recognises the phone and says software can be installed:
This downloads fine and starts the install process, however it always fails with the message "phone not supported by nokia software updater retail"
I have also tried using NaviFirm+, searching for the product code 059S3T5 which lets me download the RM914_3058.50000.1425.0006_RETAIL_eu_euro1_327_06_452364_prd_signed firmware.
However I'm unable to flash this with the Nokia Care Suite, it states: 0xFA001106: Signature check of FFU file fails. Reason(s): The FFU file is not correctly signed or not signed for this device.
Has anyone got any suggestions on what else I can try to flash this firmware, or to try to fix the phone?
I was following the tutorial here Flash/unbrand Lumia devices thinking if the firmware was re-flashed all would be fine.
Cheers for any advice
Hi bro, try this: http://forum.gsmhosting.com/vbb/f67...mc-error-unable-find-bootable-option-1931094/ I had success.
feherneoh said:
I have seen this error millions of times on the 520, and could always fix it.
What you'll need:
PC
micro USB cable
WPInternals
.hex loader for 520
.ffu for 520
T4 screwdriver
Small wire
All you have to do is to short the resistor on the eMMC clock lane, and connect USB; the phone will be in emergency mode. You can either select unlock or relock in WPInternals, but for unlock, be sure to use an SBL3, because that won't fix the problem on its own.
The best would be selecting relock, then flashing the ffu, so EFIESP gets fixed.
If you need help finding that resistor, PM me.
Ok, so I found the resistor on a picture in another forum - so I just short it out and connect to USB while still shorted?

[GUIDE] Fix IMEI On LG K420DS/N

Hi guys!
My friend @Ajshal gave me his modemst1 and modemst2 files to fix my VoLTE 4G on LG K420DS. I flashed both of those files on my phone and from then on my IMEI was 0, because of which I couldn't text, call or access data through my SIM card.
"modemst1" contains the IMEI information for the phone. "modemst1" and "modemst2" are unique to your own phone! I learnt my lesson!
Requirements:
Windows 7
LG Mobile Drivers
QPST
Your Phone's Original IMEI
If you have IMEI "0" or "null" you can use my guide to fix the IMEI
I fixed the IMEI of my phone using the following steps:
Keep your phone's screen turned on at all times while doing this procedure.
(1) Install LG Mobile Driver. Get the Driver from here for K420DS. Select "Software Update" Tab. Download the related driver for your own operating system.
Connect your phone using USB to the computer. Make sure, Developer Options > USB Debugging is enabled.
(2) Install QPST (Version: v2.7 Build 4.11). (Sorry I can't link the software here. Google it)
(3) Open "QPST Configuration" which is the QPST server.
(4) Select Ports. Then select "Add Ports". Untick "Show Serial and USB/QC Diagnostic ports only".
(5) Add both ports, which show up as "... USB/Unknown" and "... USB/QC Data Modem".
(6) Open up "DialUp" app on your phone. Dial "*#546368#*420#" (without quotes obviously) and you are in the LG K10 hidden menu.
(7) Select "SVC Menu". Then select "Port Check Test" and Enable it!
(8) Now in QPST Configuration window you would be seeing a window similar to this. The change here is that your phone's Qualcomm Diag Port is enabled. QPST Configurator shows that "1 Phone" is connected.
(9) Don't close the QPST Configuration Window!
(10) Open "File Explorer". Navigate to "C:\Program Files (x86)\Qualcomm\QPST\bin".
(11) Open "RF_NV_Manager". Select Options>Comport. Select the first "Comport" in the list.
(12) Then select File>Read From Phone.
(13) A window opens up similar to this.
(14) Select "Customize NV Items List". In the "Available NV Items List" select "550 NV_UE_IMEI_I". Click Save.
(15) Now you would be seeing an option to select "550 NV_UE_IMEI_I". Select "550 NV_UE_IMEI_I".
(16) Convert your IMEI to Hex Values. You can convert your IMEI to Hex here.
(17) Select the "Hex" checkbox. Enter those Hex Values into the text boxes. Enter two values at once into the textbox. For example, if your Hex output is "08 3A 75 (etc.)" type 08 in the first textbox, 3A in the second textbox and so on.
(18) Select "Write NVRAM". Your IMEI is written to NVRAM.
(19) Disconnect the phone from the computer and restart the phone!
Your IMEI is restored!
We are back in business baby!
LG K420DS/N is a dual sim phone. This method allows you to restore the IMEI 1. I am yet to find how to restore IMEI 2.
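Before writing NVRAM in step 18, or after reading the item back in step 12, it is worth checking that the bytes in the RF_NV_Manager textboxes really decode to the IMEI on the device label. The following Python decoder is an added example (not part of QPST or of this guide): it unpacks the NV item 550 byte layout the guide shows ("08 3A 75 ..."), rejects the all-zero item that produces the "IMEI 0" symptom, and runs the IMEI Luhn check digit. The sample IMEI and its bytes are constructed for the example, not taken from any real device.

```python
"""Decode and sanity-check Qualcomm NV item 550 (NV_UE_IMEI_I), the item the guide
above reads and writes with RF_NV_Manager, and compare it to the labelled IMEI."""

# Constructed sample: a made-up 15-digit IMEI (not a real device) packed into the
# byte form the guide describes ("08 3A 75 ..."), as shown in the hex textboxes.
SAMPLE_NV550_HEX = "08 3A 75 21 43 65 87 09 41"
SAMPLE_IMEI = "357123456789014"  # constructed; Luhn check digit is the final 4
ZEROED_NV550_HEX = "00 00 00 00 00 00 00 00 00"  # the "IMEI 0" state from the post


def parse_hex_bytes(text):
    """Turn the space-separated hex as typed into the NV editor into bytes."""
    return bytes(int(tok, 16) for tok in text.split())


def decode_nv550(raw):
    """Unpack the NV 550 layout into a 15-digit IMEI string.

    byte 0     : length of the packed data, 0x08 for a 15-digit IMEI
    byte 1     : high nibble = digit 1, low nibble 0xA marks the field as an IMEI
    bytes 2..8 : two BCD digits each, low nibble first (nibble-swapped pairs)
    """
    if len(raw) < 9:
        raise ValueError("NV 550 item needs 9 bytes, got %d" % len(raw))
    if not any(raw[:9]):
        raise ValueError("NV 550 item is all zeros: the IMEI has been wiped")
    if raw[0] != 0x08:
        raise ValueError("unexpected length byte 0x%02X (expected 0x08)" % raw[0])
    if raw[1] & 0x0F != 0x0A:
        raise ValueError("byte 1 low nibble is not the IMEI marker 0xA")
    digits = [raw[1] >> 4]
    for b in raw[2:9]:
        digits += [b & 0x0F, b >> 4]  # low nibble is the earlier digit
    if any(d > 9 for d in digits):
        raise ValueError("non-BCD nibble in packed IMEI")
    return "".join(str(d) for d in digits)


def luhn_valid(imei15):
    """IMEI check digit: standard Luhn over all 15 digits must sum to 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(imei15)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def inspect_nv550(hex_text, expected_imei=None):
    """Report what the item holds and whether it is a well-formed IMEI.

    expected_imei is the value printed on the device label / original box; when
    given, the decoded value must match it exactly.
    """
    try:
        imei = decode_nv550(parse_hex_bytes(hex_text))
    except ValueError as exc:
        return {"ok": False, "imei": None, "reason": str(exc)}
    valid = luhn_valid(imei)
    report = {"ok": valid, "imei": imei,
              "reason": "" if valid else "Luhn check digit mismatch"}
    if expected_imei is not None and imei != expected_imei:
        report["ok"] = False
        report["reason"] = "decoded IMEI does not match the expected (label) value"
    return report


if __name__ == "__main__":
    print(inspect_nv550(SAMPLE_NV550_HEX, SAMPLE_IMEI))
    print(inspect_nv550(ZEROED_NV550_HEX))
```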
It's obvious that both modem partitions contain that info...
Don't know why you didn't know that? xD
BTW, many thanks for the guide!!!
Vineeth, I ruined you, I suppose.
Ajshal said:
Vineeth I ruined u i suppose.
I got my Jio back! I am happy
pvineeth97 said:
Hi guys!
My friend @Ajshal gave me his modemst1 and modemst2 files to fix my VoLTE 4G on LG K420DS. I flashed both of those files on my phone and from then on my IMEI was 0, because of which I couldn't text, call or access data through my SIM card.
"modemst1" contains the IMEI information for the phone. "modemst1" and "modemst2" are unique to your own phone! I learnt my lesson!
If you have IMEI "0" or "null" you can use my guide to fix the IMEI
I fixed the IMEI of my phone using the following steps:
Keep your phone's screen turned on at all times while doing this procedure.
(1) Install LG Mobile Driver. Get the Driver from here for K420DS. Select "Software Update" Tab. Download the related driver for your own operating system.
Connect your phone using USB to the computer. Make sure, Developer Options > USB Debugging is enabled.
(2) Install QPST (Version: v2.7 Build 4.11). (Sorry I can't link the software here. Google it)
(3) Open "QPST Configuration" which is the QPST server.
(4) Select Ports. Then select "Add Ports". Untick "Show Serial and USB/QC Diagnostic ports only".
(5) Add both ports, which show up as "... USB/Unknown" and "... USB/QC Data Modem".
(6) Open up "DialUp" app on your phone. Dial "*#546368#*420#" (without quotes obviously) and you are in the LG K10 hidden menu.
(7) Select "SVC Menu". Then select "Port Check Test" and Enable it!
(8) Now in QPST Configuration window you would be seeing a window similar to this. The change here is that your phone's Qualcomm Diag Port is enabled. QPST Configurator shows that "1 Phone" is connected.
(9) Don't close the QPST Configuration Window!
(10) Open "File Explorer". Navigate to "C:\Program Files (x86)\Qualcomm\QPST\bin".
(11) Open "RF_NV_Manager". Select Options>Comport. Select the first "Comport" in the list.
(12) Then select File>Read From Phone.
(13) A window opens up similar to this.
(14) Select "Customize NV Items List". In the "Available NV Items List" select "550 NV_UE_IMEI_I". Click Save.
(15) Now you would be seeing an option to select "550 NV_UE_IMEI_I". Select "550 NV_UE_IMEI_I".
(16) Convert your IMEI to Hex Values. You can convert your IMEI to Hex here.
(17) Select the "Hex" checkbox. Enter those Hex Values into the text boxes. Enter two values at once into the textbox. For example, if your Hex output is "08 3A 75 (etc.)" type 08 in the first textbox, 3A in the second textbox and so on.
(18) Select "Write NVRAM". Your IMEI is written to NVRAM.
(19) Disconnect the phone from the computer and restart the phone!
Your IMEI is restored!
We are back in business baby!
LG K420DS/N is a dual sim phone. This method allows you to restore the IMEI 1. I am yet to find how to restore IMEI 2.
Hello, I know this is an old post but I would really appreciate it if you answered. I am running Lineage ROM 14.1 latest official build and I lost my IMEI because I flashed the newest TWRP by mistake and then changed it to your build from scratch 3.1.1 as I was supposed to, so I could flash updates. I am 100% sure this is a solid guide and I appreciate your work on the LG K420N, but the secret dial codes don't work on my phone. Is there another way to do this? On a side note I'd like to ask if there is a way using Windows 10 (Windows 7 is really slow on my computer because my computer is old).
t.katsandris said:
Hello, I know this is an old post but I would really appreciate it if you answered. I am running Lineage ROM 14.1 latest official build and I lost my IMEI because I flashed the newest TWRP by mistake and then changed it to your build from scratch 3.1.1 as I was supposed to, so I could flash updates. I am 100% sure this is a solid guide and I appreciate your work on the LG K420N, but the secret dial codes don't work on my phone. Is there another way to do this? On a side note I'd like to ask if there is a way using Windows 10 (Windows 7 is really slow on my computer because my computer is old).
How can one lose the IMEI by flashing TWRP? Weird.
pvineeth97 said:
How can one lose the IMEI by flashing TWRP? Weird.
Well, I managed to run QPST on Windows 7 after all, and the IMEI was already written on the phone when I used RF_NV_MANAGER,
but sadly this is as far as I can get with it; IMEI Information on the phone says IMEI and IMEI SV unknown.
Could this be a result of dirty-flashing a LOS update using twrp?
t.katsandris said:
Well, I managed to run QPST on Windows 7 after all, and the IMEI was already written on the phone when I used RF_NV_MANAGER,
but sadly this is as far as I can get with it; IMEI Information on the phone says IMEI and IMEI SV unknown.
Could this be a result of dirty-flashing a LOS update using TWRP?
Flash Stock ROM again and tell me what happens.
pvineeth97 said:
Flash Stock ROM again and tell me what happens.
The ROM link on your back-to-stock guide for the K10 is not working; is there any possibility that you still have the files saved somewhere?
