Database Users

Regulatory domain, Wifi channels 12 and 13

Hi all!
I have noticed that my Arc S does not receive AP on channels 12 and 13. After doing some searches I concluded that the Regulatory domain must be set to US which is incorrect in my case, as I live in Europe.
I tried following this guide http://forum.xda-developers.com/showthread.php?t=1067944 to enable these channels, of couse doing the necessary modifications for this to work on a SE, but with no results unfortunatly.
My phone still has a locked bootloader and I cannot try custom roms, but will a custom rom solve this problem?
Moveover I am curious to know if this is a problem of the kernel module used which is locked to 11 channels or if it is because of some setting hardcoded in android itself.
Thank you!

as i can see, for the european area the only restriction is the signal power<20db, channels 11-13 are allowed and are working in Europe! My arc S is also locked but i can see channels 11-13.

Tkx for you reply labrok!
Then I cannot understand. I verified this using an app on the market called "Wifi Analyser", and the fact is that even in the wifi connect menu, all AP with these channels are not visible.
Also in the sqllite database available with the command
# /system/bin/sqlite3 /data/data/com.android.providers.settings/databases/settin
gs.db "select * from secure"
I can see:
wifi_num_allowed_channels|11
If I try to change this number to 13, it allows the change, but whenever I deactivate/activate the wifi, the number goes back to 11..
What is the version of the firmware that you are running?
I have 4.0.2.A.0.42.
Tkx!

same version, phone is European like yous so it uses same region settings,router TP-link TL-WR1043ND WITH ddwrt and router`s region set to Canada (to gain an extra 3db of power) i can set it till channel 13 and i can see it and i can connect too, to use channel 14 i must change region to japan but channel 14 is not usable from my arc s! but channels 12-13 working, they are not so good for an N network but my phone can see them an connect to them, maybe you should try to reflash your phone!

It's good to know that it works ok and that the problem lies only in software. I have asked some other users of the Arc S/Neo and they report the same problem
Maybe with your help we can solve this problem once and for all for everyone.
If your phone is rooted all I need you to do, is send me your Wifi drivers, running the following commands on the adb shell. Adb comes with the android sdk and is located at C:\Program Files (x86)\Android\android-sdk\platform-tools and then run "adb shell" command on a command line. You also need to activate the usb debugging on your phone.
Code:
su
cp /system/lib/modules/tiwlan_drv.ko /mnt/sdcard
cp /system/lib/modules/sdio.ko /mnt/sdcard
You now should have 2 files on the root of your sdcard, sdio.ko and tiwlan_drv.ko.
Can you please send these files to me?
I will then replace them on my phone and effectively determine if the problem is actually caused by the drivers or by the Android system itself.
Thank you so much for your help!!

My friend my phone is not rooted, if there is a way to help you, but because my phone is new I cannot root it and avoid my guarrantee.
Sent from my LT18i using XDA App

Thank you anyway labrok! I will keep searching for someone that has this working and with root to see if I can solve my problem

Ok, actually I found out how you can do this without root and without touching the warranty.
I will guide you through the process.
Install the Android SDK available at http://developer.android.com/sdk/index.html
Activate the USB debugging on "Applications"->"Development"->"USB Debugging"
Then open a command line prompt on windows and go to the directory where you installed android, typically C:\Program Files\Android\android-sdk\platform-tools, with the command
Code:
cd "C:\Program Files\Android\android-sdk\platform-tools"
Copy the driver files now from the phone with the commands
Code:
adb pull /system/lib/modules/tiwlan_drv.ko
adb pull /system/lib/modules/sdio.ko
The command prompt should look like this
Code:
C:\Program Files\Android\android-sdk\platform-tools>adb pull /system/lib/modules
/tiwlan_drv.ko
4636 KB/s (973324 bytes in 0.205s)
C:\Program Files\Android\android-sdk\platform-tools>adb pull /system/lib/modules
/sdio.ko
1618 KB/s (26520 bytes in 0.016s)
Files tiwlan_drv.ko and sdio.ko should be on C:\Program Files\Android\android-sdk\platform-tools folder now. Zip them and send them to me plz

i will try, but i think is not drivers problem.More likely its region restrictions, in Greece its allowed channels from 1-13, maybe in your is different than Greece! but i will send you the drivers as soon as possible!

I'm having the same issues with Xperia Arc S in Bulgaria. The phone has set it's wifi radio to operate on channels 1-11 so any networks on channels 12, 13 and 14 aren't visible to me.
Pure Android has the option to set the regulatory domain, but SE has decided to disable (or hide) it.
Here you can see how to set it on a non-SE Android: firdouss.com/2011/07/wifi-network-android-reason/
I've asked SE to check this on their forum too:
talk.sonyericsson.com/message/127760

Thank you the_mouse_bg!
I have bootloader unlocked my Arc S and tried a few roms like CM7.2, MIUI where I can see all 13 channels fine, so from this I have concluded that the problem is really from the firmware as due to the lack of answers on this topic, I was getting really worried this could be a hardware problem from my phone..phewwww
I now have stock firmware .42 with DooMKernel installed and the regulatory domain does appear in the menu but fails to be changed
I asked in the DooMLord's kernel topic to see if I can in any way debug this problem to try to solve it as I'm still little experienced with linux android workings.
Let's see if we can solve this issue asap!!

Regulatory domain (Wi-Fi channels 12 and 13) fix for the factory (default) ROM
I managed to fix the regulatory domain in order to be able to use the wireless channels 12 and 13 in the factory ROM. I only tested this procedure in the Xperia Pro (MK16a) and using the factory GingerBread ROM, although the procedure should be similar for other Xperia models and for the ICS ROM.
Well, it still needs rooting, but for those worried about the warranty it should be better than unlocking the bootloader or installing another ROMs, because you can root your phone, apply the fix, then unroot it, and nobody will ever know the phone was once rooted unless they do a deep forensic analysis.
How the regulatory domain works in Xperia devices
Sony added a class named "com/android/server/WifiService$RegulatoryDomain" which isn't part of standard AOSP. This class checks in which country you currently are based on the current MCC (Mobile Country Code), extracted from the first 3 digits of the current PLMN. Then there is a list of MCCs of countries on which 13 Wi-Fi channels are allowed. If your MCC is on the list, it enables 13 channels, otherwise it only enables 11 channels.
If your current MCC is not on the list, your wifi_num_allowed_channels setting has no effect. It is always reseted to 11.
Note that this is an "Android framework-level lock", not a "Linux-level or driver-level lock", because if you try to run iwlist (you can build yours from this svn repo) it shows channel 12 and 13 Wi-Fi networks even without any modification to the factory ROM.
The problem
The problem is that not all countries which allow 13 Wi-Fi channels are listed in the "WifiService$RegulatoryDomain" class. Apparently, there are typo errors in some MCCs.
For example, Brazil is MCC 724, but the class lists MCC 742, which according to this listing is a non-existent MCC. So it's apparently a typo error. They typed 742 instead of 724.
Fixing it
First, root your device. I used FlashTool for this.
Then, copy /system/framework/services.jar from your device to your computer using adb. Then unpack it (unzip or 7zip or whatever), use baksmali for disassembling classes.dex, and open "com/android/server/WifiService$RegulatoryDomain.smali" in a text editor.
Look for something like:
Code:
const/16 v7, 0x24
const-string v8, "742"
aput-object v8, v6, v7
iput-object v6, p0, Lcom/android/server/WifiService$RegulatoryDomain;->mHighChannelsMccs:[Ljava/lang/String;
This is where the 13-channels-allowed MCC list is being built. The "742" is the apparently non-existent MCC. Just replace it by the MCC of your country. Look at this listing or look at the first 3 digits of the PLMN:
Code:
$ adb logcat | grep PLMN
E/WifiService( 241): Could not get PLMN!
E/WifiService( 241): Could not get PLMN!
E/WifiService( 241): Could not get PLMN!
I/WifiService( 241): PLMN = 72410
I/WifiService( 241): PLMN = 72410
In my case I just replaced "742" by "724".
Then use smali for assembling the code back to the classes.dex file, and repack the services.jar file using jar, zip or another tool.
Finally, copy your modified services.jar to your device's /system/framework/services.jar using adb, and reboot your phone. Now everything should work.
About the attached file
My modified services.jar is attached for reference. Remember it is for the Xperia Pro factory GB ROM. If you use ICS or if you have another Xperia device, you need to baksmali/modify/smali your own jar file as described above.

[REF]Booting/Unlocking Xperia 2011 series: What's under the hood? (Update 13.03.13)

I know that there are many guides about unlocking bootloader and things have been posted a million times.
From what i've learned from various sources all over the web there's still a lot of confusion,
if and how a device could be unlocked and what is really happening under the hood.
In fact i didn't want to create yet another unlocking bootloader thread, but hopefully a collection of facts,
already known about the process and if it's safe or could be done this way or the other.
Another thing i'd like to put some light on, are some details about the boot process in general.
Please refer to this older thread as well:
http://forum.xda-developers.com/showthread.php?t=1429038
Noob's posting will never end, unless we lift some secrets and make more clear how the processes are basically working.
This should as well cover some basics on how the bootloader/kernel are protected by the manufacturers.
Would be better to use the term security locked/unlocked bootloader anyway.
See this nice page (also referenced in the thread above), which describes the whole boot process on Qualcomm CPU's:
http://www.anyclub.org/2012/02/android-board-bring-up.html
You'll find a link to the original document in the 2 post.
Please prepare for some boring technical details, but as well for some essential guidelines,
how to proceed with your device. Anyway, consider this as a starter...
Enough talking, let's define some headlines or topics to be discussed.
Bootmodes and Protocols
Just to sum up three known modes residing in different stages of bootcode:
- QDL
(PBL loader, lowest level, entered by powering up without battery and testpoint pulled to GND)
- QHUSB_LOAD
(a.k.a. SEMC USB Flash, a.k.a green LED mode, entered by powering up with back button pressed)
- FASTBOOT
(a.k.a blue LED mode, entered by powering up with menu button pressed)
unlocking security vs. SIM-lock
Description:
Locked/unlocked security of the bootloader and SIM-lock are different tracks,
though there's an important dependency between them.
Your device is SIM-locked if service menu gives "bootloader unlockable: no"
or simply refuses SIM-cards from another carrier.
What we know:
- fastboot is disabled on SIM-locked phones
- without removing the SIM-lock there's no way to unlock these phones for free
- normally you may purchase SIM unlock code from your provider
- removing the SIM-lock seems to give access to the fastboot option (confirmed by gen_scheisskopf, thanks!!)
- some devices seem to have restrictions here, result: no fastboot even after removing SIM-lock (this was pointed out once in another thread)
What we need to know:
Please confirm, if bootloader unlock is working after SIM-lock is removed!
In other words will you get fastboot feature after removing SIM-lock?
See the feedback from gen_scheisskopf:
http://forum.xda-developers.com/showpost.php?p=36783582&postcount=8
Result:
As long as you're able to remove the SIM-lock and your phone is old security you would be able to unlock bootloader as well!
old security vs. new security
Description:
Old/new security is independent of the EROM version (e.g. 1241-3656 R9B031) but relates to certain manufacturing dates,
or better the CPU types.
I got trustworthy reports about R9B031 getting unlocked with s1tool.
This date code may vary between the device models, but it seems to be proven,
that devices manufactured in Q2 2012 and later (~12W11..12W16) are new security.
I found out as well, that the manufacturing date of the device and the mainboard may be different.
This might explain why there are some diverging reports for devices in this period.
From what i got so far, the chain of trust includes the secondary bootloader (SBL) on all devices.
In other words SBL is signed code in any case.
At least the fuse setup for this feature is common on most of the Xperia 2011 series.
On a new security device patching or replacing the SBL (s1boot) will fail because OTP ROM could not be cheated.
If you got the "qcreceivepacket" error, your device is new security or at least not supported by s1tool (e.g. MSM8255T models seem not to work).
Only known method to unlock new security is Sony official method (grey market may work as well...).
What we know:
- testpoint method does not work on new security
- it should be safe to try the testpoint method because it won't break anything (if it is done correctly)
- right now there's only one way to check for new security (try and error)
- breaking new security would take ages or is impossible
What we need to know:
Perhaps someone needs to confirm that official Sony method works without flaws on new security.
Result:
Testpoint method should not result in a bricked device.
Official method should do it in these cases.
SEMC patch (testpoint method) vs. Sony official (oem key method)
Description (need some feedback though):
Sony official method to unlock security in the bootloader is done by flashing a generated key to a certain region of NAND.
The keys are device specific and the IMEI is part of the key generation (maybe serial number as well).
The fastboot command oem with the valid key certifies the unlock process and device specific key gets written in the TA section.
Unpatched SBL (s1boot) will always scan for a valid key in this section of NAND.
If there's a valid key, routine will report success and security checks of kernel code will be overriden.
The testpoint method seemse to make use of a bug inside the chips primary bootloader (OTP PBL).
It had been found out that this bug existed in the early Xperia 2011 series and could be used to rewrite parts of NAND flash.
This opened the door to patch parts of the NAND bootcode (s1boot) or even replace the bootloader code.
As a result, the bootloader leaves further security checks aside and continues booting even with an unsigned kernel.
So how could we apply a patch to the bootloader?
By setting the testpoint to GND (force WE# of NAND to GND) external NAND is blocked and the phone gets started on the bare metal.
Only PBL is running at that point.
Though the procedure is not 100% understood, it is for sure that a tiny loader is transfered to the SoC's IRAM and gets executed.
This loader then allows to overwrite first blocks of external NAND memory and replace or at least patch the bootloader.
What we know:
Sony way:
- Sony official method works well with fastboot enabled devices
- DRM get's lost with Sony official method and could not be reverted (it's gone... and yes: no way back!!!)
- If using Sony official method, bootloaders could be re-locked by deleting the key
S1tool way:
- testpoint method does not work on new security (and will never work!)
- By pressing the restore button in S1tool everything is virgin again
- OS is not aware of the patched bootloader
- FOTA will cause bricks
What we need to know:
Basically we need so more details about bootloaders on Xperia 2011 from the cracks here...
Result:
Better understanding of "black box" procedures.
Debugging features at boot level
Description:
Parts of the boot code could still be dumped from memory with Android up and running.
We could dump the specific memory areas by reading the content with tools, such as viewmem.
The areas of interest are accessible in RAM area at:
Code:
0x00000000 - ~0x000023a0
0x00090300 - ~0x000ab190
By disassembling these dumped areas or simply extracting the strings of that region you may get a clue of the bootloaders secrets.
For the geeks and kernel developers its even more interesting to follow the startup procedure of the bootloader and early kernel inits,
with a console hooked up on a serial interface.
In fact we got this debug UART on most of the Xperia 2011.
This interface is present as dev/ttyMSM2 in the Android base system as well and is attached to UART3 of the MSM8255 SoC.
See this post for details:
http://forum.xda-developers.com/showpost.php?p=37660319&postcount=76
The debug UART was at least identified on the MK16i mainboard.
If you need more details, please ask!
We got the testpoints confirmed to be working on lt18i as well.
See here for the location:
http://forum.xda-developers.com/showpost.php?p=37701777&postcount=82
... and the logs:
http://forum.xda-developers.com/showpost.php?p=37983019&postcount=109
Thanks a lot for contribution!
See this beautiful hack for the X8/10 as well:
http://forum.xda-developers.com/showthread.php?t=2064108
What we know:
- parts of NAND could only be accessed with some "evil" tricks (e.g. kexec method)
- there are extensive debugging features available in our bootcode
What we need to know:
It would be nice to find a way to activate a cmdline interface at bootlevel.
Result:
Get some insights of the implemented functions in bootcode.
O.k. i'll stop writing for now.
If this thread will draw some attention, i'll continue
You're always welcome to correct me or leave a comment here.
If you like more technical reading tell me as well.
Opinions and discussion welcome!!!
P.S:
If anyone could point me to some code to write a NAND mtd mapper for 2.6.32-9 stock kernel, you're welcome!
Background: I'd like to get mtdblock4 & 5 access on rooted but security locked device.
CREDITS (no particular order):
Dilesh Perera (for s1tool logs, which helped a lot to draw some conclusions)
gen_scheisskopf (for very useful discussion all over this thread)
hillbeast (for confirmation of UART3 testpoints on LT18i and logs)
...all others who helped to get a better understanding of the fuse registers!
Hugh thanks!!!
TBC
Cheers,
scholbert

Hi,
in the meantime i was able to identify some of the OTP registers used on MSM8255(T), a.k.a. fuse registers.
There's another interesting factory register which identifies the type of CPU.
Though it seems that of "old" and "new" security chip could not directly identified using these registers, it is a nice journey to the internals.
We need a tool to dump these values from userland.
Check out viewmem:
http://blog.maurus.be/index.php/2011/01/samsung-i9000-irom-dump/
Grab the viewmem tool from http://blog.maurus.be/wp-content/uploads/viewmem
Copy to /data/local on your device and execute the tool as root.
HW_REVISION_NUMBER
I started some investigation again and made some dumps using this tool.
./viewmem 0xabc00270 0x4 | hexdump -C
As an example given my device got this ID:
HW_REVISION_NUMBER 0xabc00270 = 0x205720e1
This equals to the JTAG Core ID of the Qualcomm chip.
The other one used for JTAG is the TAP ID = 0x27B360E1
I found these Core ID values of derivates in the web:
CPU: Qualcomm MSM8255
Core ID: 0x205700E1
and
Core ID: 0x205720E1
There's this one as well:
CPU: Qualcomm MSM8255T
Core ID: 0x2057A0E1
If someone likes to contribute, please run the viewmem command given above and post it here.
This way we might get an idea which chip revisions are floating around.
MSM_TCSR_CONF_FUSE
I stumbled over the MSM_TCSR register set by looking into bootloaders and disassembled parts of s1_boot as well.
These gave the same offset in some code snippets.
So here we go...
Code:
MSM_TCSR_PHYS 0xab600000
TCSR_CONF_FUSE_0 0xab60005c // TCSR_CONF_FUSE_0 register (base security setup)
TCSR_CONF_FUSE_1 0xab600060 // TCSR_CONF_FUSE_1 register (enhanced debug)
TCSR_CONF_FUSE_2 0xab600064 // TCSR_CONF_FUSE_2 register (feature setup)
TCSR_CONF_FUSE_3 0xab600068 // TCSR_CONF_FUSE_3 register (unique serial#)
TCSR_CONF_FUSE_4 0xab60006c // TCSR_CONF_FUSE_4 register (L1&L2 clocking)
TCSR_CONF_FUSE_5 0xab600070 // TCSR_CONF_FUSE_5 register (not used)
These are the values i dumped from my device:
Code:
0xab60005c = 0x00716d4b
0xab600060 = 0xc8041447
0xab600064 = 0x28040815
0xab600068 = 0x695888c0 (unique serial number of CPU)
0xab60006c = 0x200001b0
0xab600070 = 0x00000000
MSM8255 based:
Xperia pro (MK16)
FUSE(0-5): 00716d4b c8041447 28040815 695888c0 200001b0 00000000
Which looks very similar to these (found on the web over various forums):
MSM8255 based:
Xperia arc (LT15)
FUSE(0-5): 00716d4b c8041447 28040815 fe53ed80 200001b0 00000000
MSM8255 based (according to GSM forum this is a new security device):
Sony Walkman (WT19i)
FUSE(0-5): 00714b6d c8041447 28040815 14b248a0 200001b0 00000000
MSM8255 based (security unknown):
Xperia neo V (MT11)
FUSE(0-5): 00714b6d c8041447 28040815 13789bc0 200001b0 00000000
MSM8255T based (security unknown):
Xperia arc S (LT18)
FUSE(0-5): 00714b6d e8041447 28040815 e99f59a0 200001b0 00000000
MSM8255T based (new security):
Xperia arc S (LT18)
FUSE(0-5): 00714b6d c8041447 28040815 c25cf0a0 200001b0 00000000
MSM8655 based (security unknown):
Xperia acro (IS11S)
FUSE(0-5): 00714b6d 08041447 28000816 5244e280 200001b0 00000000
We need to confirm if this is true...
Copy viewmem to /data/local on your device and execute the tool as root.
Read out the value of TCSR_CONF_FUSE_0:
./viewmem 0xab60005c 0x4 | hexdump -C
result: 4b 6d 71 00
which is LSB first so please rearrange to get MSB first...
result: 00 71 6d 4b
This is one of the things that still need some clarification:
value = 0x00716d4b old and newsecurity
value = 0x00714b6d definitely new security
This is not proven and maybe it's not the correct register to look at.
Anyway this will be mostly guessing because i'm missing documents.
It's still unknown at which position the trusted boot bit is located and if it play a role for "old" vs "new" security setup.
I will need some more dumps of these registers. So i really would appreciate any help here...
At least dumping that register of:
one device successfully unlocked with s1tool
and
one from a device giving that packet error.
EDIT:
There's no difference here... as far as we got it right now.
How to participate?
First i need information about your device:
- model
- manufacturing date form the sticker under the battery
Second you need root, busyboy installed (with hexdump feature) viewmem tool (see 2nd post) and Android terminal or working adb.
- grab viewmem from the link in 2nd post
- put the viewmem binary on your device in /data/local
- type:
cd /data/local
chmod 0755 ./viewmem
- post the output of your Hardware ID, type:
./viewmem 0xabc00270 0x4 | hexdump -C
- post the output of your TCSR_CONF_FUSE_0..5
./viewmem 0xab60005c 0x14 | hexdump -C
Additionally you might give some details if you already tried to unlock with s1tool and if you got the paket error.
Thanks for all the fish :laugh: !!
MARM_ANY_MODE_DEBUG_DISABLE
Apart from the location of the trusted boot bit this is another very interesting fuse bit.
More to come on this topic soon!
Any help would be appreciated to shed some light on this!
Please join in :victory:
To get a better idea of all this stuff you might have a brief look into the application note attached to this post.
To the admins:
I know that some confidential data could be found all over in this forum, but please tell me if you see conflicts with the forum rules.
Geek stuff link collection:
If you like engineer stuff, check out this comprehensive thread:
http://forum.xda-developers.com/showthread.php?t=1856327
This as well:
http://www.anyclub.org/2012/05/qpst-emergency-download-support.html
EDIT:
This document will give you a good idea what happens on bootup and how parts interact with each other:
http://dl.dropbox.com/u/69550833/Android_Board_Bringup - 80-VM984-1-B.pdf
Hugh thanks to Antagonist42 for this beautiful document collection!!
I may add some referals to the parts used on the Xperia 2011 series...
I will clean up here from time to time and write down conclusions in the first post.
TBC
Regards,
scholbert

Nice post, would put a few more spaces between sentences to make for easier reading though.
Sent from myushi

i dont understank

Thanks for this. It would be good if you could add info on how device owners can determine whether they have a device with "old security" or "new security".

Kris-lam said:
i dont understank
Click to expand...
Click to collapse
What?
Whole world?
Life?
... or the reason why i wrote this thread?
pelago said:
Thanks for this. It would be good if you could add info on how device owners can determine whether they have a device with "old security" or "new security".
Click to expand...
Click to collapse
That would be on of the goals... see my comment in the first post again:
We need the register offset for the security efuse bank on MSM7x30 (MSM8255 as well) devices!
Click to expand...
Click to collapse
Once we got the offset, we may try to dump this region and look for different bits on same models.
If my conclusions are correct, old & new security hardware differ by a single efuse bit and as a result using different signatures and stuff inside NAND.
EDIT:
As an example, here's a driver implementation for LG device using APQ8064:
https://android.googlesource.com/ke...f6e/arch/arm/mach-msm/lge/lge_qfprom_access.c
These are the values on that platform:
Code:
...
#define QFPROM_HW_KEY_STATUS 0x702050
#define QFPROM_SECURE_BOOT_ENABLE 0x700310
#define QFPROM_OEM_CONFIG 0x700230
#define QFPROM_DEBUG_ENABLE 0x700220
#define QFPROM_SECONDARY_HW_KEY 0x7002A0
#define QFPROM_READ_PERMISSION 0x7000A8
#define QFPROM_WRITE_PERMISSION 0x7000B0
#define QFPROM_OVERRIDE_REG 0x7060C0
#define QFPROM_CHECK_HW_KEY 0x123456
...
Little further in that code...
Code:
...
/* addr LSB MSB */
//{ QFPROM_SECURE_BOOT_ENABLE, 0x00000020, 0x00000000}, /* SECURE ENABLE */
//{ QFPROM_OEM_CONFIG, 0x00000031, 0x00000000}, /* OEM ID */
//{ QFPROM_DEBUG_ENABLE, 0xC1000000, 0x0000006F}, /* JTAG DISABLE */
//{ QFPROM_CHECK_HW_KEY, 0x0, 0x0},
//{ QFPROM_READ_PERMISSION, 0x0C000000, 0x00000000}, /* READ PERMISSION */
//{ QFPROM_WRITE_PERMISSION, 0x54100000, 0x00000000}, /* WRITE PERMISSION */
...
Regards,
scholbert

Hi again,
though this thread is drawing less attention, i'd like to inform you about my process.
In the meantime i reviewed some low level code for the MSM7x30 (e.g. AMSS bootcode, moboot bootloader repository) to get a hint how to identify security level on the Xperia 2011 platforms.
As far as i got it the MSM7x30 is the base for the MSM8255 devices as well and i assume that most register offsets and peripheral I/O maps are equal.
First i found an interesting offset definition in the moboot bootloader:
Code:
#define HW_REVISION_NUMBER 0xABC00270
I compiled a little tool for my Xperia, which could be used to read back the content from memory mapped registers (a.k.a. memdump).
By addressing 0xabc00270 some mechanism got triggered and my device rebooted immediately.
My guess is that this is offset belongs to the security area and accessing this area is simply prevented by causing a reboot.
No output here at Android userland...
Next i had a look into the AMSS sources for the Hisense TS7008 development platform.
This seems to be reference code for the modem bootloader (baseband processor) which is a previous step before we boot the oem bootloader ( application processor) in our phones.
Anyway, the interesting part is, that i found another offset address, which is included in the moboot sources as well:
Code:
#define MSM_CRYPTO_BASE 0xA8400000
There are many references to this address and the related registers inside the routines for the crypto stuff (e.g. validate hash values).
I'm gonna try to read some content in this area this afternoon.
EDIT:
O.K. just tried to access these areas... seems like a no go from userland.
My phone freezes, after a while something like a watchdog timeout comes in and resets the device.
This is different to accessing the HW_REVISION_NUMBER, which caused an immediate reset.
Anyway, i guess i give up on this issue...
No discusssion, less interest, no comments from the cracks... the_laser is far away as well...
Cheers,
scholbert

scholbert said:
What we need to know:
Please confirm, if bootloader unlock is working after SIM-lock is removed!
In other words will you get fastboot feature after removing SIM-lock?
Click to expand...
Click to collapse
Yes, bootloader unlock is working after removing SIM-lock.
My ArcS was SIM-locked and I had to remove the lock in order to use the phone. Unlock was done using a code generator. I didn't touch the bootloader in case phone is somehow damaged (bought it as "unused second-hand")
Later I unlocked the bootloader using Wotan server (testpoint method)- no problems during the process, phone works fine.
One question regarding s1boot comes to my mind- how it manages partitioning (and would it be possible co create custom partition layout)?
Flashing official ICS using flashtool changed default (Gingerbread) partition sizes

Hey gen_scheisskopf,
it's a pleasure to meet you again over here :highfive:
How are things rollin' ?
gen_scheisskopf said:
Yes, bootloader unlock is working after removing SIM-lock.
Click to expand...
Click to collapse
Thanks for the feedback.
Just to make it clearer, after applying removing the SIM-lock, the fastboot feature got available... is this right?
gen_scheisskopf said:
My ArcS was SIM-locked and I had to remove the lock in order to use the phone. Unlock was done using a code generator. I didn't touch the bootloader in case phone is somehow damaged (bought it as "unused second-hand")
Later I unlocked the bootloader using Wotan server (testpoint method)- no problems during the process, phone works fine.
Click to expand...
Click to collapse
Mmmh, do you know what's behind this Wotan server method?
Is the bootloader patched as well (real bypass like s1tool) or is there a key generated and flashed to the phone (like official method)?
Just for the statistics... could you please tell me the date code of your phone?
gen_scheisskopf said:
One question regarding s1boot comes to my mind- how it manages partitioning (and would it be possible co create custom partition layout)?
Flashing official ICS using flashtool changed default (Gingerbread) partition sizes
Click to expand...
Click to collapse
This is very interesting indeed and i guess it's possible... someone should spend some time on investigating.
Will require to tweak TA sections or something. BTW i'm not sure if the TA parts are covered by certificates or something.
Anyway it would be required to get a good understanding of this process, otherwise this would cause bricks
Best regards,
scholbert

scholbert said:
Hey gen_scheisskopf,
it's a pleasure to meet you again over here :highfive:
How are things rollin' ?
Click to expand...
Click to collapse
Thanks, everything is OK. Still messing around with my devices (tweaking Toshiba ac100 Froyo now, got usb gamepad+GamepadIME working without any need for chmod-ing )
scholbert said:
Thanks for the feedback.
Just to make it clearer, after applying removing the SIM-lock, the fastboot feature got available... is this right?
Click to expand...
Click to collapse
Honestly I didn't check fastboot availability before removing SIM-lock. For sure it worked after removing the lock
scholbert said:
Mmmh, do you know what's behind this Wotan server method?
Is the bootloader patched as well (real bypass like s1tool) or is there a key generated and flashed to the phone (like official method)?
Click to expand...
Click to collapse
I'm not sure but it's possible that it flashed a patched bootloader- some files were downloaded in order to make the unlock but I didn't investigate what's inside. Client software was "unpack when executed then clean up" exe.
scholbert said:
Just for the statistics... could you please tell me the date code of your phone?
Click to expand...
Click to collapse
11W51 (December 2011?)
scholbert said:
This is very interesting indeed and i guess it's possible... someone should spend some time on investigating.
Will require to tweak TA sections or something. BTW i'm not sure if the TA parts are covered by certificates or something.
Click to expand...
Click to collapse
For sure we can investigate tft files themselves (GB vs ICS). Maybe for repartitioning it would be enough to prepare and flash custom .sin images? Official update seems to work this way, it was reported to work also for Arc using ArcS files
EDIT:
Correction- loader.sin flashing is also required for partition layout modification- original topic
However loader.sin provided in the mod is the same file as the one found in ArcS's baseband 70 and 72

gen_scheisskopf said:
Thanks, everything is OK. Still messing around with my devices (tweaking Toshiba ac100 Froyo now, got usb gamepad+GamepadIME working without any need for chmod-ing )
Click to expand...
Click to collapse
Cool!!
Once thought to buy one, there are many cool hacks floating around.
... off-topic though
gen_scheisskopf said:
Honestly I didn't check fastboot availability before removing SIM-lock. For sure it worked after removing the lock
Click to expand...
Click to collapse
Again thanks for this feedback, will add it to the first post soon...
gen_scheisskopf said:
I'm not sure but it's possible that it flashed a patched bootloader- some files were downloaded in order to make the unlock but I didn't investigate what's inside. Client software was "unpack when executed then clean up" exe.
Click to expand...
Click to collapse
O.k. it's not that important... i'd really like to know a little more about this low level stuff of the unlocking procedure on Xperia 2011, that's why i asked.
gen_scheisskopf said:
11W51 (December 2011?)
Click to expand...
Click to collapse
So s1tool would have worked as well...
gen_scheisskopf said:
For sure we can investigate tft files themselves (GB vs ICS). Maybe for repartitioning it would be enough to prepare and flash custom .sin images? Official update seems to work this way, it was reported to work also for Arc using ArcS files
EDIT:
Correction- loader.sin flashing is also required for partition layout modification- original topic
However loader.sin provided in the mod is the same file as the one found in ArcS's baseband 70 and 72
Click to expand...
Click to collapse
Great, thanks a lot for the link... i'll have a look what's up with it.
Regards,
scholbert

fuse register dump
Hey geeks,
still not giving up... i have a clue now
Just to remember...
I am looking for a way to identify "old" and "new" security chipsets on the Xperia 2011 series.
Few days ago i posted that i could not read the some parts of the internal
register space.
Seemed to be an issue with the tool i used (perhaps wrong flags) which caused system resets.
EDIT:
Updated second post http://forum.xda-developers.com/showpost.php?p=36264032&postcount=2
I'd really find some indication for security level...
If you need some explanation, please ask...
Cheers,
scholbert

My result: 0x00716d4b
Arc S 11w51, unlocked using Wotan server (tespoint method, most likely s1tool-like)
I'll check other registers tomorrow

scholbert said:
Please i need some help here...
At least dumping that register of:
one device successfully unlocked with s1tool
and
one from a device giving that packet error.
Would be very helpful to shed some light on this!
Please join in :victory:
If you need some explanation, please ask...
Cheers,
scholbert
Click to expand...
Click to collapse
Sadly, I have an Arc S 12W16 (edit: Sorry, I was mistaken: it was 12W14 and I'm unlocked via testpoint today), so S1 doesn't work AFAIK (and I read that people that can unlock with SETool doesn't touch any 12W16, so I didn't checked the unlock possibilities/prices). Anyway, I dunno if I did it right but, here's a screen: http://s1.postimage.org/wujbqrs5r/2013_01_25_14_50_41.png - looks like the result is 4b 6d 71 00
Amazing work, btw. I always asked to myself if there was a way to check the type of security (old X new).

Hi,
just to make it clear again... right now i'm still trying to sort things out, that's why i need little help :fingers-crossed:
gen_scheisskopf said:
My result: 0x00716d4b
Arc S 11w51, unlocked using Wotan server (tespoint method, most likely s1tool-like)
I'll check other registers tomorrow
Click to expand...
Click to collapse
Thanks!
So i guess we could definitely mark this as old security fuse setting.
The other values should be similar to the ones i already listed (apart form your unique serial of course).
panda0 said:
Sadly, I have an Arc S 12W16, so S1 doesn't work AFAIK (and I read that people that can unlock with SETool doesn't touch any 12W16, so I didn't checked the unlock possibilities/prices). Anyway, I dunno if I did it right but, here's a screen: http://s1.postimage.org/wujbqrs5r/2013_01_25_14_50_41.png - looks like the result is 4b 6d 71 00
Amazing work, btw. I always asked to myself if there was a way to check the type of security (old X new).
Click to expand...
Click to collapse
Thanks as well... looks O.K. for me. So this is the same value.
Did you try the testpoint method already?
If my assumption is correct, then you might be lucky and got old security as well. BTW, i don't want to be responsible for bricked devices
At least this was my intention to get a real indicator for old security and give a clear statement:
Yes, it's safe to try the testpoint method.
So maybe you just be a little patient...
Some words on the production date:
I found out that the sticker on the back gives the production date of your phone.
There's another one on the processor under the shield on the mainboard.
This one is more related to the series of processors used for your mainboard.
My device is marked as 12W11 (sticker under the battery), while the sticker on the processor states 11W44.
See the pic attached.
In other words, they produced an amount of mainboards back in 2011, but the phone itself got assembled in 2012.
Thanks a lot for helping out, i really appreciate this!
Regards,
scholbert

hi i have a arc s 12w28 i i tryed to execute the viewmem but got nothing
Code:
[email protected]:/data/local # ./viewmem 0xab60005c 0x4 | hexdump -C
sh: hexdump: not found
[INFO] Reading 4 bytes at 0xab60005c...
am i doing something wrong ??

scholbert said:
Hi,
just to make it clear again... right now i'm still trying to sort things out, that's why i need little help :fingers-crossed:
Click to expand...
Click to collapse
:fingers-crossed:
scholbert said:
Thanks as well... looks O.K. for me. So this is the same value.
Did you try the testpoint method already?
If my assumption is correct, then you might be lucky and got old security as well. BTW, i don't want to be responsible for bricked devices
Click to expand...
Click to collapse
Not yet. But if everything works as we're expecting, indeed, I might be a lucky one. I'll see this question ASAP to give some feedback.

Re: [REF]Booting/Unlocking Xperia 2011 series: What's under the hood?
danielgek said:
hi i have a arc s 12w28 i i tryed to execute the viewmem but got nothing
Code:
[email protected]:/data/local # ./viewmem 0xab60005c 0x4 | hexdump -C
sh: hexdump: not found
[INFO] Reading 4 bytes at 0xab60005c...
am i doing something wrong ??
Click to expand...
Click to collapse
Partly... the tool hexdump is used to get a formatted output for console.
You'll need at least a version of busybox with the hexdump feature installed.
Maybe your missing some symbolic links.
Try again with this command:
./viewmem 0xab60005c 0x4 | busybox hexdump -C
If the error persists, your version of busybox is missing that feature.
Would be very interesting to get your output though...
Good luck,
scholbert

scholbert said:
Partly... the tool hexdump is used to get a formatted output for console.
You'll need at least a version of busybox with the hexdump feature installed.
Maybe your missing some symbolic links.
Try again with this command:
./viewmem 0xab60005c 0x4 | busybox hexdump -C
If the error persists, your version of busybox is missing that feature.
Would be very interesting to get your output though...
Good luck,
scholbert
Click to expand...
Click to collapse
Code:
[email protected]:/data/local # ./viewmem 0xab60005c 0x4 | busybox hexdump -C
[INFO] Reading 4 bytes at 0xab60005c...
00000000 4b 6d 71 00 |Kmq.|
00000004
its an arc s 12w18 loked bootloader and sim loked

Re: [REF]Booting/Unlocking Xperia 2011 series: What's under the hood?
danielgek said:
Code:
[email protected]:/data/local # ./viewmem 0xab60005c 0x4 | busybox hexdump -C
[INFO] Reading 4 bytes at 0xab60005c...
00000000 4b 6d 71 00 |Kmq.|
00000004
its an arc s 12w18 loked bootloader and sim loked
Click to expand...
Click to collapse
Mmmh, still the same value... if we trust the statements about date code i would say that this should be new security...
but as i tried to point out already, this could not be taken for granted.
Anyway, locked or unlocked doesn't matter, because i'm looking for security bit in fuse registers.
Did you ever try testpoint method on your device?
Guess we need someone, who already tried the s1tool procedure and got the paket error with his device.
If this phone would give different value on FUSE0 register, it would prove that i'm on the right way.
Thanks for contributing!
Regards,
scholbert

Root+Xposed+Busybox for Bootloader Locked Moto X ATT/VZW

Only fresh flashed bootloader locked XT1058 AT&T - ROM LPAS23.12-21.7-1, and XT1060 VZW - ROM LPAS23.12-39.7-1 are supported!
See archive content for instructions. Time to install ~20 min. If you experience problems after Android boot, like not working buttons or quick settings, wipe cache + data partitions. Don't update SuperSU (disable auto updates), it won't work. Later I'll post complete debloated ROMs with fresh SuperSU version, and simplify instructions. Be informed also, that this method doesn't give you read-write rights like unlocked bootloader. You may read and write having root-rights, but only till a restart or shutdown occurs, and every change will be undo by the Qualcomm protection (like HTC' s=on).
At the moment patch includes:
SuperSU 2.65 Free
Xposed Framework v86 (installer, modules)
Busybox 1.25.0.YDS, path /system/xbin/busybox
Download
P.S. Install only on indicated above ROM versions, and it's obvious that you must have enough theory knowledge and practical experience to make use of 9008 patch, so I'm not responsible for any consequences, etc. Greets go to: CrashXXL (method inventor), Sabissimo (our former OP), and serg_gangubas (ROM guru).
==============================================================================================
31.07.2017 - Full ROM Patch for Bootloader Locked Moto X ATT/VZW/etc
Based on the same principle, and not depend on system partition content, so it suits any bootloader locked Moto X Gen1 ATT/VZW (possibly any model, besides 1049 RepW / 1055 US Cell), but takes about 4 hours to be done - prepare for that, 100% battery level only!
This full ROM patch includes:
SuperSU 2.82 Free
Xposed Framework v87 (installer, modules)
Busybox 1.26.2, path /system/xbin/busybox
ViperFX 2.5.0.5 - sorry needs polishing, removed now (
Gallery and Camera not depend on Moto services
Gboard instead AOSP Keyboard. If it eats too much RAM, see Simple Keyboard
GAPPSes updated. Use command like adb shell pm uninstall --user 0 com.blahblah.blah to block any unwanted app or service
ES File Explorer Free Edition (a clone, you can disable and install yours )
"Jedy" gesture
AdBlock support (effect lasts till the 1st reboot yet, I'll think about make it constant). Please, choose /data/hosts instead of /system/etc/hosts
ROM debloated, but not deodexed.
Download
Instruction
Be careful, phone will be WIPED then flashed in 9008 "brick" mode (CrashXXL idea). Before you start install Moto drivers, latest RSD Lite, and fully charge the battery.
1) Download and unpack zip on С: (or any), open Python27, launch RUN_path.bat (needs to be launched only single time), install driver QHSUSB_driver.exe, and launch file _Moto.X.BootLocked.*.exe (where * - is desired ROM).
2) Go into fastboot mode, execute RUN_blbroke.bat. Screen gets black, Device Manager in Windows finds "QHSUSB_DLOAD", and installs it as "Qualcomm HS-USB QDLoader 9008 (COM*)". If it doesn't install, google for Windows driver digital signature disable.
3) Now launch RUN_root.bat, and see that patching process took start.
4) A small patch *SPEAKERS.BOOST.exe (if exists) boosts both speakers' volume.
P.S. Please, don't flash anything extra into the phone. In case of trouble, all you need is inside this folder. Just make it work.
To make "Battery OK" in fastboot use fastboot_cyclecharge.bat
Completely drained out battery causing "USB input device" needs disassembly of the phone to charge externally.
In case Titanium Backup shows error "Batch backup interrupted: insufficient free storage space", delete default backup folder, and make a new:
Titanium Backup > Menu > Preferences > Backup folder location > Storage Provider > DocumentProvider storage > Show Internal Storage > Internal Storage > Select Internal Storage > Create the folder > Use the current folder. Done!
Notes for myself: Viper, force wipe, readme.txt, volume patch, Adblock, advanced debloat

Debloated, rooted, lightweight ROM - soon! )
PUBLISHED. Sorry, took long time.

As soon as I can actually get 5.1 flashed I'll try this.
Though I'm afraid I'll have to try to go to stock and use sunshine first, still have a locked BL.
But this is great, I didn't expect root so soon.

DownTheCross said:
As soon as I can actually get 5.1 flashed I'll try this.
Though I'm afraid I'll have to try to go to stock and use sunshine first, still have a locked BL.
But this is great, I didn't expect root so soon.
Click to expand...
Click to collapse
This method is working on locked BL.

DownTheCross said:
As soon as I can actually get 5.1 flashed I'll try this.
Though I'm afraid I'll have to try to go to stock and use sunshine first, still have a locked BL.
But this is great, I didn't expect root so soon.
Click to expand...
Click to collapse
Wait wait... If you can have now possibility to unlock bootloader - go for it immediately! You will have normal FULL root-rights (SuperSU 2.49). Don't install 5.1, if you plan to unlock, because Sunshine app (25$) works only on 4.4.2 Android.
This topic is to help those AT&T users that are boot locked forever (who missed out possibility to unlock on 4.4.2 by proceed to 5.1) to give them READ-ONLY root. Yes, it's limited, but anything at least.

s5610 said:
If you can have now possibility to unlock bootloader...
Click to expand...
Click to collapse
I guess anyone on 4.4.4 today. There is no possibility to use Sunshine anymore.
Anyway spasibo za method

Ahh, if I don't have to be BL unlocked that's great lol.
I haven't read too much into the 5.1 updates or sunshine for that matter.
I've been on krypton 1.4.1 since it was released, and I haven't been able to successfully upgrade to any 5.1 roms yet.

Works great!
Works great for me on Windows 10 RTM 64-bit! Thanks a ton, I was waiting for a post like this.
I only had 3 minor hiccups:
1. RSD Lite gave me an error about "getvar", so I had to go into flashfile.xml in the ROM zip and remove the line that said getvar
2. I had to reboot to disable driver signature enforcement twice for some reason because Windows Update
3. The run-root.bat got stuck on "Executing..." because I installed the wrong driver (the correct file is qcusb.inf when installed from device manager -> browse my computer for driver software -> let me pick from a list -> all devices -> have disk)
Otherwise, everything runs just as well as KitKat, including Xposed.

Hehe got to love step 9

System Write
How can we help in getting the system write to zero using the same method,because I have xt1058 model bootloader unlocked and I provide any file needed to disable the pesky system write...

How can we help in getting the system write to zero using the same method,because I have xt1058 model bootloader unlocked and I provide any file needed to disable the pesky system write...
Click to expand...
Click to collapse
First, never quote op. It takes way to much space and is redundant.
Second, to get write off we would need to some how either start a custom kernel some magical way or disable it via a kernel mod like htc guys did. Another way, which was done before was to burn the efuse but kernel has been patched since then.

Need some help, I did all steps until step 9. I installed the QHSUSB_DLOAD driver manually, and I can see 'Qualcomm HS-USB QDLoader 9008 (COM4)' showed in my Device Manager, but when I run 'RUN_Root.bat', I got this
c:\Python27>python qdloadRoot.py MPRG8960.bin -ptf root/partitions.txt
QDLoad utility version 1.2 (c) VBlack 2014
Found TTY port: com4
Sending MAGIC ...
QCOM fast download protocol targ:
Version: 7
Compatible version 2
Maximum block size 1024 (0x00000400)
Base address of Flash 0x00000000
Flash: eMMC
Window size: 30
Number of sectors: 128
First sector size: 2097152 (0x00200000)
Feature bits: 09
Sending SBL Reset...
Done
c:\Python27>pause
Press any key to continue . . .
Then I tried to run 'RUN_Root.bat' again, then I got
c:\Python27>python qdloadRoot.py MPRG8960.bin -ptf root/partitions.txt
QDLoad utility version 1.2 (c) VBlack 2014
Found TTY port: com4
Requesting Params...
Params:
Version: 8
Min version: 1
Max write size: 1536 (0x00000600)
Model: 144
Device size: Invalid or unrecognized Flash device, or Flash device progr
amming not supported by this implementation
Device type: Intel 28F400BX-TL or Intel 28F400BV-TL
Requesting SoftwareVersion...
Version: PBL_DloadVER2.0
Requesting SerialNumber...
Serial number: 00,00,48,03
Requesting HW Id...
HW Id: 00,00,48,03,e1,10,7e,00
Requesting PublicKey...
PublicKey: 39,c4,ee,3e,b5,be,eb,87,8e,2f,e3,b8,53,4d,14,6f,91,ca,fd,bb,94,2a,0d
,aa,d0,1e,b0,87,62,d4,b9,b8
Uploading file 'MPRG8960.bin' to addr 0x2a000000...
Executing...
Could not find Qualcomm device in Emergency download mode
Done, with errors!!!
c:\Python27>pause
Press any key to continue . . .
any suggestions? Thanks

jahrule said:
First, never quote op. It takes way to much space and is redundant.
Second, to get write off we would need to some how either start a custom kernel some magical way or disable it via a kernel mod like htc guys did. Another way, which was done before was to burn the efuse but kernel has been patched since then.
Click to expand...
Click to collapse
Ill put the files here

Fantastic!!! I was looking this. All the last week I was sleeping about 3 hours per day trying to root my phone.
----
I scream "Victory" before the process finish.
Damn! My phone reboot and stay in the android doll fallen screen.

DejanPet said:
Ill put the files here
Click to expand...
Click to collapse
What to do with these files?

Those files are needed by Jahrule

Sabissimo
Hello.
I did everything as instructed, but eventually got the screen "no command".
The only thing I did not flash rom - a month ago updated by an OTA to 5.1, thought it was not necessary.
Factory reset does not help.
Advise something.
In the end, everything worked, thank you))

It works
It works great! Thank you very much! ATT xt1058.

eze_cba17 said:
Damn! My phone reboot and stay in the android doll fallen screen.
Click to expand...
Click to collapse
Follow the OP instruction EXACTLY, no exceptions!
If you got your current 5.1 through AT&T OTA, it's not enough for root patching procedure. A full RSD 5.1 official SBF flash over is required.

Could someone please do a video on this. I'm having a little trouble.

[ROM] Droid Mini/Maxx/Ultra L!te FW 4-21 ML

All developments are carried out thanks to donations on Purchase of these or other devices
thank
Please do not copy files to other file shares
the project is under constant development and refinement
Project name ROM Droid Mini/Maxx/Ultra L!te FW 4-21 ML
Tagline Faster Lighter Economical
SYSTEM Firmware SU4-21 Multilingual
- firmware Deodex - allowing resources using modifiers such GravityBox apply all when firmware odex, it sometimes limited customization or going awry
- tzdata 2015e
- icudt51l last
- return "the gesture of the Jedi" (after installing the firmware of the old sensor /*** it does not threaten the phone)
- delete more apps VZW & MOTO
- replaced by sound WirelessChargingStarted
- old gapps for long work phone
- uppdate apps Chrome, LatinIME, Skip, TouchLess, MotCamera, MotGallery, Migrate
- tetering work
- removed a lot of the background services collect and send data on the type of phone DropBox, MotoCare, MotoConntect, Drive, FaceLock ... etc.
- added Russian, Ukrainian language
for Unloked Device
Install for Custom Recovery
Root not PreInstalled
Download there https://yadi.sk/d/jp8ykQqFindY8/Droid
for Loked Device
Install for QDLoad9008
Root, Xposed, BusyBox is PreInstalled
- Root SuperSU v2.46
- XPosed 2.6.1
- BusyBox v30
DISCLAIMER
Author is not responsible for totally bricked devices, broken arms, legs, plane crashes and your wife's cheating.
All actions taken is your own risk.
Instructions to install
You:
- shouldn't be afraid of Qualcomm HS-USB QDLoader 9008;
- do not change any files, pathes;
- can install drivers manually;
- need to install python-2.7.9 and pyserial-2.7.win32;
- unzipp _Rus_4_4_4_VZW_SU6-7_BL_V30.BA_Stock.rar to Cython27;
Method is dangerous, however gives results.
you must have firmware SU6-7 receiving is not in the form of an update (OTA) and stitched through the RSD Lite.
00 Flash CFC-obakem_verizon-user-4.4.4-SU6-7-release-keys.xml firmware
01 Unzipp everything to Cython27.
02 Run BLBROKE.bat.
03 After you got Qualcomm HS-USB QDLoader 9008, install drivers manually
04 Run RUN_Rus_Part1.bat. Parts XX of system.
*** You can also run a file if you are sure that your phone can work 4-5 hours with the screen RUN_Rus_VZW_Full.bat
then repeat this step X times (the number of times equal to 6)
while (found next part) do
***
>> fastboot to hold 10 minutes that would have been charged a little phone
>> Run BLBROKE.bat.
>> Run RUN_Rus_Part**.bat. Parts XX of system.
***
end
99 Turn device on. Now you have SU DEODEX PreRooted
installed application Xposed 2.6.1
Xposed launched clicked install, reboot your phone
I see that the application is launched is set app_process 58 (pre-installed in the system) and XPosedBridge.jar 54 version (made with the application)
then uploaded GravityBox [KK], a check mark, the next reboot, and everything works
Drivers, Soft there -> https://yadi.sk/d/p458Cy0XineRC
Scripts, ROM there -> https://yadi.sk/d/kxbxpTnziSg35/Droid/4.4.4 SU4-21
Please do not copy files to other file shares
the project is under constant development and refinement
XDA:DevDB Information
[ROM] Droid Mini/Maxx/Ultra L!te FW 4-21 ML, ROM for the Motorola Droid Ultra
Contributors
CrashXXL
ROM OS Version: 4.4.x KitKat
ROM Kernel: Linux 3.4.x
ROM Firmware Required: Android 4.4.4 SU6-7 (Flash on RSDLite)
Version Information
Status: Stable
Current Stable Version: 1.02
Stable Release Date: 2015-09-01
Current Beta Version: 0.01
Beta Release Date: 2015-08-15
Created 2015-10-08
Last Updated 2015-10-08

Reserved
Reserved
Update Available
Log
- Launcher with a mesh 4 * 5 with no search string
- Smart Action Moto return ... The assistant working all options
for blocked Patch_SmartAction_Launcher.4x5.NoBar.rar https://yadi.sk/d/kxbxpTnziSg35/Droid
for unlocked MotLauncher.4x5.NoBar.zip https://yadi.sk/d/jp8ykQqFindY8/Droid and SmartActions.zip https://yadi.sk/d/jp8ykQqFindY8/SmartActions

Reserved

I'm a bit confused here. A few months ago I used your set of steps to upgrade to SU6-7 with permanent root (even though I still have locked bootloader). Does this new set of steps allow downgrading to SU4-21 and then the ability to use Sunshine to unlock bootloader? Thanks!

Can I do Write Protection with this ROM?

OscarBrito16 said:
Can I do Write Protection with this ROM?
Click to expand...
Click to collapse
Write protection is still enabled so the root is limited as far as what you can do with it.

classic757 said:
Write protection is still enabled so the root is limited as far as what you can do with it.
Click to expand...
Click to collapse
I mean to install a custom recovery or flash a custom rom!

No, you would not be able to install a custom recovery with method. Unless you have su4-21 or lower your bootloader is locked and at this time there isn't a method to unlock it.
Also you can't downgrade to an older su version, once you have su5-24 or above the qfuse is blown.
As said above you can achieve root, but since the system is still write protected root access is limited. The other option is to perm root your device, and try safestrap, I hope I'm allowed to post that in the thread, sorry if I'm not.
Sent from my XT1080 using XDA mobile app

OscarBrito16 said:
I mean to install a custom recovery or flash a custom rom!
Click to expand...
Click to collapse
Without write protection disabled you cannot install custom recovery or flash custom roms.
Also, if you are on 4.4.4 there is no full root available at this time.

any chance to implement/add Czech language on this ROM?

dcoaster said:
I'm a bit confused here. A few months ago I used your set of steps to upgrade to SU6-7 with permanent root (even though I still have locked bootloader). Does this new set of steps allow downgrading to SU4-21 and then the ability to use Sunshine to unlock bootloader? Thanks!
Click to expand...
Click to collapse
I have the same concerns. Are we supposed to downgrade to the SU4-21???Will this grant us the ability to use Sunshine and unlock our bootloaders?? I thought it wasn't possible to downgrade??? Please I'm lost here I want to do this but I'm am unsure of the outcome?

You can add any language, but it takes a lot of time.

can you tell me how to do it?

- unpack apk
- transtale xml value-en to value-cz
- pack
- install on update from twrp
- check work

@CrashXXL
how can I add the gesture of jedi to my phone? what files do I need to take from your rom?
I do not want to take the whole rom, would be great if i could only take a few files and push the diff to my phone

Can i use this to flash it right over my rooted SU6-7 (rooted with your method months ago, Crash) or do i need to re-flash original stock (without root)?

will my phone be still rooted if i factory reset it..?

I guess this contains only Russian and/or English language, am i right?

Einheit-101 said:
I guess this contains only Russian and/or English language, am i right?
Click to expand...
Click to collapse
no, localization saved and added 2 more Russian and Ukrainian

Yeah, so no German

H901 T-Mobile Nougat v30c Full flashable upgrade

H901 T-Mobile Nougat v30c TWRP flashable upgrade.zip [The original v30c KDZ was released on 2017-10-04]
With some assistance and alot of patience from @runningnak3d I've managed to extract and package the H901 v30c KDZ into a flashable zip that will not overwrite the recovery. This is an unmodified factory rom that already comes with gapps. Later I may look at producing a version with some changes although alot of what a user might want can now be done through magisk such as debloating or adding app x to the Rom. Adding xposed adds even more options.
This is for the H901. Make SURE you have an ACTUAL H901, and not one of the half / half H901 / F600 phones.
I personally tested this by upgrading from the v30b nougat released by @runningnak3d. It may or may not work for marshmallow users. If you are on marshmallow you should take a full device backup using a script like these: https://forum.xda-developers.com/showpost.php?p=75155430&postcount=39
That post is for windows users but I posted some linux scripts I used right after that one. If you are on marshmallow and you flash this then try to go back to marshmallow without restoring a full device backup (NOT a TWRP Backup) you are going to be spending alot of time in the "how do I unbrick my phone" thread that's in Q&A. I believe a method has been found but why not just save yourself the hassle and make a backup? 30b users, a full image backup wouldn't hurt you either although you also have the option to flash the 30b update + full nougat zip to put you back at where you were.
When you flash this, all the carrier bloat / LG bloat / crap / garbage, will come back. You will also lose root until you flash the su method of your choice. That is the point of this, you WON'T lose TWRP, so you can still root...
Download v30c_upgrade.zip here: https://www.androidfilehost.com/?fid=673956719939821713
md5sum: b2abb8b3ccd0576c9c47768e26b64a85
On a bright note I've personally tested Magisk v15.3 (the latest version at the time of this post) with this rom and it works fine. Magisk also has many very nice addon modules which add some interesting features.
The official magisk thread is here: https://forum.xda-developers.com/apps/magisk/official-magisk-v7-universal-systemless-t3473445
A partial list of modules can be found here: https://forum.xda-developers.com/apps/magisk/collection-magisk-modules-v2-t3575758
A full list can be found in "magisk manager" which will be installed if you flash the magisk zip.
I'll throw out a few things that may grab your attention....dolby atmos.....viper4android.....google camera.......the ability to debloat the rom systemlessly...make apps system apps easily..change the dpi...all without actually changing the system partition. Oh yeah..xposed can be installed via magisk and works fine although you will have to disable it and reboot if you want to be able to use android pay or pokemon go as the device fails "safetynet" when xposed is enabled.
Any questions, don't hesitate to ask. (and yes I shamelessly swiped alot of this post from @runningnak3d's full nougat post)
By the way... @kawaii.beans was nice enough to make a magisk compatible boot animation zip..uninstalling the module puts you back to the factory boot animation. It's taken from this thread: https://forum.xda-developers.com/tmobile-lg-v10/themes-apps/theme-feb-8-2016-t3311282
and is available here: https://forum.xda-developers.com/showpost.php?p=75412717&postcount=98
You can easily use this same zip to add custom ringtones, sounds, boot animations etc. Basically ANY file in the system folder can be added or replaced. Uninstalling the module removes all of it. Changes can be made to the build.prop the same way. I highly suggest you install the command line magisk manager you can run while in twrp that will allow you to uninstall modules you've implemented that might be preventing you from booting up.
Pic 1 = software screen showing H90130c software revision.
Pic 2-5 are magisk modules I personally have enabled. You might find them of interest.
Debloating:
The apps below I personally used the debloat feature to "uninstall". The nice thing about doing this through magisk is if they do cause you problems you can easily re-run debloat and add them back since this is all done systemlessly(the actual system partition is never really touched). Choices made will also re-apply through rom upgrades.
(Update 02/14/2018) The most recent version of the magisk debloat module allows the config to be both imported and exported. I've attached a copy of an importable list at the bottom of the post. This file needs to be in /cache/ under the same name to be importable.
Code:
1 - Drive
2 - Google Drive Promotion
3 - DRM Service
4 - Android Easter Egg
5 - Docs
6 - Sheets
7 - Slides
8 - GNSS Air Test
9 - gnsslogcat
10 - LG GNSS 2.1
11 - GnssTest 1.2
12 - HTML Viewer
13 - Hangouts
14 - Hidden Menu
15 - LG Account
16 - LGAirDrive
17 - LG Backup Launcher
18 - LGDrm
19 - FOTA Update
20 - Audio share
21 - LGSmartcardService
22 - Smart cleaning
23 - LGWernickeManager
24 - LatinIME
25 - PacProcessor
26 - Print Spooler
27 - SmartShareProvider
28 - Visual Voicemail
29 - Upsell
30 - Wfd Service
31 - atfwd
32 - ELTest
33 - Facebook
34 - Facebook App Manager
35 - ServiceMenu
36 - TalkBack
37 - com.tmobile.pr.adapt
38 - BackupRestoreConfirmation
39 - LG Health Agent
40 - Cloud
41 - Battery drain info
42 - GCUV
43 - Game battery saver
44 - Market Feedback Agent
45 - IceContacts
46 - InCalAgent
47 - LG AirDrive
48 - Clock
49 - App Updates
50 - LG Mobile Switch
51 - Calendar
52 - Smart Notice
53 - Contacts
54 - LG Keyboard
55 - EasyHome
56 - Email
57 - Exchange
58 - File Manager
59 - FormManager
60 - Answer me
61 - Home(UX 4.0)
62 - LGInstallService
63 - LDB
64 - LGMapUI
65 - Music
66 - Music
67 - LG P2p Service
68 - LG Bridge Service
69 - LGPartnerBookmarksProvider
70 - EULA
71 - About Second screen
72 - SnapPage
73 - Tasks storage
74 - Update Center
75 - Voice care
76 - Voice Command
77 - LG VoiceCommand SpeechPack
78 - Voice Recorder
79 - LG WFDS Services
80 - Mobile HotSpot
81 - LIA Informant
82 - LIA S4URecommender
83 - LG Connectivity Service
84 - Lookout
85 - Mobile Hotspot
86 - My Places Engine
87 - My Place
88 - T-Mobile Name ID
89 - RCSProvider
90 - SmartSetting
91 - T-Mobile
92 - Device Unlock
93 - Tags
94 - Terms of Use for LG apps
95 - LG VPN
96 - T-Mobile TV
97 - Facebook App Installer
98 - qcrilmsgtunnel
Feel free to suggest removal of additional bloatware that you've personally tested.

Reserved

Reserved #2

This one too....

famewolf said:
H901 T-Mobile Nougat v30c TWRP flashable upgrade.zip [The original v30c KDZ was released on 2017-10-04].
Click to expand...
Click to collapse
:good:
Nice job, Kemo sahbee!
Keep up the good work!
Sent from my LG-H901 using XDA Labs

NYLimited said:
:good:
Nice job, Kemo sahbee!
Keep up the good work!
Sent from my LG-H901 using XDA Labs
Click to expand...
Click to collapse
Great job.
At the moment working without failures.
Thank you very much.
Enviado desde mi LG-H901 mediante Tapatalk

Tested 24 hours and everything perfect.
Except Adaway I can not download the host files.
Any solution?

epicuros said:
Tested 24 hours and everything perfect.
Except Adaway I can not download the host files.
Any solution?
Click to expand...
Click to collapse
It's a factory rom with 0 changes. I'm using adaway from f-droid.org with no issues including downloading of host files. Check your settings and see if you have them set to only download on wifi etc.
If you are using magisk for root you do realize you have to enable the systemless hosts option in magisk?

I have a tmo h901 with a vs990 motherboard. In the other nougat thread other people with vs990 boards in their h901 claimed they bricked with the nougat updates. I did update from lp to mm with @Eliminater74's flashable full updates (his actually TWRP flashed all partitions from the kdz except recovery, currently on 20l) before I found out tmo was given hybrid stock from lg. So I wonder if anyone is still around with one of these "factory hybrids" that is willing to be a guinea pig?
Sent from my Moto Z (2) using XDA Labs

skywalker-live said:
I have a tmo h901 with a vs990 motherboard. In the other nougat thread other people with vs990 boards in their h901 claimed they bricked with the nougat updates. I did update from lp to mm with @Eliminater74's flashable full updates (his actually TWRP flashed all partitions from the kdz except recovery, currently on 20l) before I found out tmo was given hybrid stock from lg. So I wonder if anyone is still around with one of these "factory hybrids" that is willing to be a guinea pig?
Sent from my Moto Z (2) using XDA Labs
Click to expand...
Click to collapse
I don't think anyone should risk bricking their phone to be a guinea pig for you. If you make a full device backup and keep twrp you should be able to do a full device restore (all partitions not just the ones twrp does or the ones in the zip because while booted up under nougat it updates more partitions) and be back where you started.

epicuros said:
Tested 24 hours and everything perfect.
Except Adaway I can not download the host files.
Any solution?
Click to expand...
Click to collapse
Firewall? Were you running SuperSU systemless?
Try uninstalling and reinstalling adaway and see what happens...
Sent from my LG-H901 using XDA Labs

NYLimited said:
Firewall? Were you running SuperSU systemless?
Try uninstalling and reinstalling adaway and see what happens...
Sent from my LG-H901 using XDA Labs
Click to expand...
Click to collapse
OKAY. Yes now.
After long desists Adaway and reinstall works properly. :good:
At the moment all ok with the Rom.:bueno:

I can't get Arise Sound Systems to install. It flashes but the Arise system and features do not appear on the phone. SU is flashed on the rom so it is rooted.

alotmoore said:
I can't get Arise Sound Systems to install. It flashes but the Arise system and features do not appear on the phone. SU is flashed on the rom so it is rooted.
Click to expand...
Click to collapse
I know nothing about Arise. If you are using systemless root whether it's magisk or supersu the sound package you flash has to have support for THAT method of systemless root ie if you are using magisk you install the magisk sound modules available inside the app. If I had to guess I'd day if it's not showing up then it's not getting flashed. I stopped using supersu when chainfire sold it to a company that may be nothing but a chinese shell corporation. You might try Arise sound threads. I had no issues with dolby atmos and viper4android in my limited testing of them (via magisk modules).
https://www.reddit.com/r/Android/comments/54xdmp/ccmt_who_exactly_are_the_owners_of_supersu/
Standard disclaimer: Again, it's a factory rom with 0 changes. I extracted the kdz to the individual partition image files then put all those img files minus the recovery one into a zip with instructions to flash to the appropriate partition.

Flashing LG V10 h90a to h901 T-Mobile
Hello friends, I'm new here and I need help with something if possible.
I have a lg v10 h900a att, and I want to know if I can flash my lg v10 to the h901 version of T-Mobile.
preferably with android 7 (nougat)

andrioris19 said:
Hello friends, I'm new here and I need help with something if possible.
I have a lg v10 h900a att, and I want to know if I can flash my lg v10 to the h901 version of T-Mobile.
preferably with android 7 (nougat)
Click to expand...
Click to collapse
The AT&T V10(H900) is a totally different model than the T-mobile V10(H901) and nothing is compatible between them rom wise. You'll have to check in the AT&T v10 section. I would not rush anything because for the t-mobile v10 it's a known fact that nougat has NO root method/twrp unless you can root it while it's on marshmallow or lollipop.

Thanks for doing this. Testing it out right now.

@famewolf, what app do you use in place of Contacts?

prabs99 said:
@famewolf, what app do you use in place of Contacts?
Click to expand...
Click to collapse
I use truecaller for callerid, dialer, contacts and sms however you could always use something like "simple contacts" from f-droid.org (they have a whole line of apps called simple x..simple calendar, simple contacts etc....)
You also always have the option of going into debloat and restoring the app if you are importing my list and want to keep some I removed.
and for others wondering:
I use aacalendar (google play) for my calendar app.
I use the magisk youtube with no ads.

Will try it. Just got it installed. Any word on the battery life? My battery life on v30b was like 5 hours.
famewolf said:
I use truecaller for callerid, dialer, contacts and sms however you could always use something like "simple contacts" from f-droid.org (they have a whole line of apps called simple x..simple calendar, simple contacts etc....)
You also always have the option of going into debloat and restoring the app if you are importing my list and want to keep some I removed.
Click to expand...
Click to collapse