Adding LTE / 4G bands on gt-i9295 - Galaxy S 4 Active Android Development

Hi guys!
Does anybody know if it's possible to add bands 2, 4, 7, 28 on the GT-I9295 phone?
I've been reading about the NV calculator, putting the phone in modem debug mode, the *#011# codes, etc., but I was hoping to find someone who did this successfully on this phone and who could assist me with the process.
Thanks!

I've successfully followed some mixed tutorials and got a .QCN dump of the NV memory of my GT-I9295.
· Went back from Lineage 16 to stock ROM using ODIN, following these tutorials for the S4 (normal one) and the Tab 4.
· Since I couldn't find the firmware for the i9295 on the SamMobile site, I looked for it on YouTube (I don't remember exactly which video, but something like https://www.youtube.com/watch?v=SW_QF0ZdhEU, which took me to mega.nz). The firmware was in Russian and I had to change the language on first startup.
· Once on the stock ROM, I followed this tutorial, with the recommendations from "mrrocketdog" on page 146 for adding "cp logging" from recovery and "*#9090# into option 2 with * around it. reboots automatically". Also reviewed these:
- https://galaxys4root.com/galaxy-s4-...aws-bands-on-att-galaxy-s4-sgh-i337sgh-i337m/
- https://forum.xda-developers.com/galaxy-s5/general/guide-enable-unlock-edit-add-gsm-lte-t2948822
- https://forum.xda-developers.com/galaxy-s5/general/how-to-add-rf-lte-frequency-bands-to-t2886059
- https://forum.xda-developers.com/android/general/3g-lte-frequency-nv-items-qualcomm-t2950491
- https://forum.xda-developers.com/android/apps-games/app-qualcomm-nv-calculator-adding-2g-3g-t2915649
- https://forum.xda-developers.com/hardware-hacking/hardware/how-to-correct-edit-qcn-files-t3850464
Now I have my QCN file using QPST, but I cannot find the NV 06828 and NV 06829 registers in my file and I'm stuck on that part.
These are the files:
i9295.qcn and i9295.txt version
I need to add 4G bands for Argentina (https://www.kimovil.com/es/frequency-checker/AR)
B2 – 1900 MHz
B4 – 1700 MHz AWS (most important)
B7 – 2600 MHz
B8 – 900 MHz
B28 – 700 MHz APT (important too) (B17 on same freq does not work)
Does anyone know how to edit my QCN file to add those bands?
Thanks!

hello
You don't have a full backup of the QCN (maybe you didn't use the right QPST version for this device).
Original QCN for I9295: (screenshot)
so: D5 00 08 flipped = bands 1, 3, 5, 7, 8 and 20
I need some free time to calculate and look at all the NV items you must add to try it.
regards

yakapa40 said:
original QCN for I9295 :
Do you have this file for download?
"GT-I9295_M9615A-CEFWTAZM-4.0.17083_28-9-2014_16-37-34.qcn"
Thanks!
Ignacio

I9295 qcn link :
https://mega.nz/#!zPwx2QaT!ZF9TBl06POoD8hja9WUBgVKGEq2xLE9wE4eSIP0GBsk
Take care: it's only for comparison, you must not flash it on your device.
Your QCN is unique.
There is always one QCN file for each device (IMEI, S/N, production date, product code, original CSC, ... EFS ...).

Thanks! I've installed QPST build 411 and got the full QCN file (there are too many diffs from the file you linked; I can upload a .patch file if needed to review them).
So, in order to add these bands:
B2 – 1900 MHz
B4 – 1700 MHz AWS (most important)
B28 – 700 MHz APT (important too) (B17 on same freq does not work)
I need to change the "D5 00 08 00" part like this:
Code:
1101 0101 0000 0000 0000 1000 0000 0000 = D5 00 08 00 (original, as stored)
0000 0000 0000 1000 0000 0000 1101 0101 = 00 08 00 D5 (flipped)
3332 2222 2222 2111 1111 1100 0000 0000 (tens)
2109 8765 4321 0987 6543 2109 8765 4321 (units)
0000 0000 0000 1000 0000 0000 1101 0101 (original: 1,3,5,7,8,20)
0000 1000 0000 0000 0000 0000 0000 1010 (| bands 2,4,28)
0000 1000 0000 1000 0000 0000 1101 1111 (final: 1,2,3,4,5,7,8,20,28)
0 8 0 8 0 0 D F = 08 08 00 DF
flipped: DF 00 08 08
Is this calculation right?
Should I take some extra backup steps (other than having the .qcn file for restore)?
Thanks!

Exact for NV6828.
I think you also need to add configuration for these bands.
Example for B4:
https://drive.google.com/file/d/1MsPBiHRIw9l_8W66BVPJlfwV36sQGU9X/view?usp=sharing


@yakapa40
So, I ran "Restore" with the QCN file edited using "DF 00 08 08" instead of "D5 00 08 00", which was located exactly at address "0100AC1A" as described in this video (using a hex editor):
(jump to minute 4:10)
https://youtu.be/jPouF3bzoDI?t=250
The QCN file was restored successfully and the phone restarted automatically (as described here).
But I'm still unable to join 4G networks on any of the 3 provider networks.
I don't know how to set those configurations for B4 that you shared. Can you point me to a procedure?
Thanks!

Related

[NOT CONFIRMED] How to enable addtional LTE bands

This is just my investigation and has not been confirmed yet in real life.
I have read that people with the Motorola Photon Q 4G LTE tried to find a way to enable additional LTE band support on their phones, and I decided to find out whether it is possible to enable additional LTE bands on the Moto X 2014. This is what I have found so far:
Looked at NV item 6828 [NV_LTE_BC_CONFIG_I] with QPST and found that on the Pure with Android 4.4.4 it is equal to 0a000100, while on Android 5.0 it is 5e000100. Only the first 4 bytes are important here, as the bands are encoded in 32 bits. If we convert these numbers to binary we get the following picture:
Android 4.4.4:
Code:
Band (1st digit)  -> 0000 0000 1110 1111 2111
number (2nd digit)-> 4321 8765 2109 6543 0987
0a000100 (binary) -> 1010 0000 0000 0000 0001 0000 0000 0000
Android 5.0:
Code:
Band (1st digit)  -> 0000 0000 1110 1111 2111
number (2nd digit)-> 4321 8765 2109 6543 0987
5e000100 (binary) -> 1110 0101 0000 0000 0001 0000 0000 0000
You can see that some bits are set, which correspond to the supported bands.
As we know, on 4.4.4 LTE bands 2, 4 and 17 are supported, and we can see that three bits are set.
For 5.0 we have 6 bits set; this corresponds to LTE bands 2, 3, 4, 5, 7 and 17.
It's likely that if we set additional bits in LTE NV item 6828 we can get additional LTE bands supported. If someone wants to experiment with getting the modem to use the other LTE bands, please follow stargo's recommendations:
Start with a fresh modem config: fastboot erase modemst1 && fastboot erase modemst2 (this resets all NV items and restores the files in EFS)
Use QPST to delete /nv/item_files/modem/mmode/lte_bandpref in EFS (or maybe modify it; it seems to be like NV item 6828)
Use any method to change NV item 6828 to enable more bands
If you do this, the modem can crash when trying to switch LTE bands. In that case maybe additional changes to EFS/NV are needed...
And if you want a stable working modem back, just run fastboot erase modemst1 && fastboot erase modemst2 again.
Al936 said:
This is just my investigation and has not been confirmed yet in real life. [...]
Try the app Qualcomm NV Calculator?
Would be cool...

Unlocking LGUP features for fun and profit

I wasn't sure where to post this. If this is better posted somewhere else, please tell me or move it.
LGUP comes in different variants: Dev, LAB, Store, 3rdParty.
Depending on the variant you're running, different features are exposed by your model.dll.
If you hack LGUP, you can unlock features!
Hacked LGUP: (screenshot)
Store LGUP:
I've tested the 'DUMP' function to see if the unlocked features actually work, and yes, it works:
Unfortunately, LG has implemented checks to prevent you from just modifying your LGUP.exe or LGUP_8994.dll to expose these features.
LG uses a temporary file to pass the features from the DLL to the application.
So it's just a matter of pausing LGUP at the right time, changing the file and voilà.
I did it this way:
Load LGUP.exe in IDA (Interactive Disassembler).
Wait until it's done analyzing.
Set the debugger to WinDbg. (F9)
Run the application (F9) once to fix the memory addresses.
You will get popups about exceptions; pass them to the application and continue running.
Exit LGUP.
Set a breakpoint at loc_6989F (if you can't find the location, search for the string UI_Config.lgl, go to the code xref where it's used and break there).
Run the application.
When the application stops at the breakpoint, open "C:\Program Files (x86)\LG Electronics\LGUP\model\8994\UI_Config.lgl" in a text editor.
Find/replace "LAB" with "Store".
Save the file.
Continue running the application.
Tada, unlocked features!
Holy crap, this is actually really helpful!
I've found another way to do this.
LGUP uses signature verification to prevent you from just hex-editing the files.
LGUP.exe verifies the model.dll and the model.dll verifies LGUP.exe.
I've patched this out of my model/8994/LGUP_8994.dll and modified LGUP.exe to look for strUser="DEV" instead of strUser="Store".
Now I can just start lgup.exe and get the 'Dev' functions.
I'm not sure how to distribute this.
I don't think I should just distribute modified versions of LG's software. This will make LG unhappy.
But I'm also not sure how to distribute binary patches in a way that's easy for others to use.
Here are my patches:
--- LGUP.exe (1.14.0.3)
Code:
@@ -2227,7 +2227,7 @@
00008b20: 0445 0400 0f84 4201 0000 8b96 5445 0400 .E....B.....TE..
00008b30: 8b3d fcf0 4300 6884 5144 0052 ffd7 8945 .=..C.h.QD.R...E
00008b40: dc85 c074 518b 8e40 0100 00e8 6047 0100 [email protected]`G..
-00008b50: 85c0 751b 8945 e068 f4c5 4400 8d45 e050 ..u..E.h..D..E.P
+00008b50: 85c0 eb1b 8945 e068 f4c5 4400 8d45 e050 .....E.h..D..E.P
00008b60: c786 3001 0000 0100 0000 e82d d602 00ff ..0........-....
00008b70: 55dc 83f8 ff75 1f68 f4c5 4400 8d4d d851 U....u.h..D..M.Q
00008b80: c786 3001 0000 0100 0000 c745 d800 0000 ..0........E....
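Review bot: 75 1b -> eb 1b at 0x8b52 makes the branch after `test eax,eax` unconditional, so the block at 0x8b54..0x8b6e (store eax to [ebp-0x20], push 0x44c5f4, set [esi+0x130] to 1, call) is skipped whatever the `call` at 0x8b4a returned, and execution lands on the `call [ebp-0x24]` at 0x8b6f. The post should say what that skipped block is (it looks like the error path of a check: the same `push 0x44c5f4` / `mov dword [esi+0x130],1` pair reappears in the unpatched `cmp eax,-1 / jnz +0x1f` path at 0x8b72 in the trailing context) and whether that second check is unrelated or simply never fails in practice; someone porting this to another LGUP build by byte search, as happens later in the thread, needs to know which of the two to hit.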
@@ -7486,7 +7486,7 @@
0001d3d0: 55d8 53c7 45a4 3000 0000 895d a889 5dac U.S.E.0....]..].
0001d3e0: c745 b002 0000 0089 5db4 897d b889 7dc0 .E......]..}..}.
0001d3f0: 895d c489 5dc8 895d d089 55bc c745 cc00 .]..]..]..U..E..
-0001d400: 0100 00ff 1544 f443 003d 0901 0b80 7f69 .....D.C.=.....i
+0001d400: 0100 00ff 1544 f443 00b8 0000 0000 eb69 .....D.C.......i
0001d410: 7460 3d26 2009 8074 523d 0400 0b80 7444 t`=& ..tR=....tD
0001d420: 3d00 010b 8075 5dff 15d8 f043 003d 0001 =....u]....C.=..
0001d430: 0b80 741f 3d03 000b 8074 183d 0100 0b80 ..t.=....t.=....
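Review bot: the 7 bytes at 0x1d407, `3d 09 01 0b 80 7f 69` (cmp eax,0x800B0109 ; jg short +0x69), become `b8 00 00 00 00 eb 69` (mov eax,0 ; jmp short +0x69): the return value of the import call through [0x43f444] just before is discarded, eax is forced to 0 and the comparison chain is jumped over. The unchanged context shows which chain: 0x800B0109, 0x80092026, 0x800B0004, 0x800B0100, 0x800B0003 and 0x800B0001 are CERT_E_UNTRUSTEDROOT, CRYPT_E_SECURITY_SETTINGS, TRUST_E_SUBJECT_NOT_TRUSTED, TRUST_E_NOSIGNATURE, TRUST_E_SUBJECT_FORM_UNKNOWN and TRUST_E_PROVIDER_UNKNOWN, the WinVerifyTrust result codes, so this is the Authenticode check on the DLL. Worth stating in the post: the replacement is the same 7 bytes so nothing after it shifts, the disp8 0x69 is kept so the jump still goes where the original `jg` went, and the reader must confirm in the disassembler that the +0x69 target is the success path rather than trusting a byte search.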
@@ -18056,7 +18056,7 @@
00046870: 696f 6e00 504f 5349 5449 4f4e 0000 0000 ion.POSITION....
00046880: 6e58 506f 7300 0000 6e59 506f 7300 0000 nXPos...nYPos...
00046890: 6e57 6964 7468 0000 5355 5050 4f52 5400 nWidth..SUPPORT.
-000468a0: 7374 7255 7365 7200 5354 4f52 4500 0000 strUser.STORE...
+000468a0: 7374 7255 7365 7200 4445 5600 0000 0000 strUser.DEV.....
000468b0: 534f 4654 5741 5245 5f53 5441 5449 4300 SOFTWARE_STATIC.
000468c0: 534f 4654 5741 5245 5f43 5452 4c00 0000 SOFTWARE_CTRL...
000468d0: 4649 4c45 5f54 5950 455f 4558 0000 0000 FILE_TYPE_EX....
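Review bot: `5354 4f52 4500 0000` -> `4445 5600 0000 0000` overwrites the NUL-terminated literal `STORE` with `DEV` and pads with zeros; that is correct because the new string is shorter, and the post should say so explicitly: a replacement longer than 5 bytes would run into `SOFTWARE_STATIC` at 0x4688b0 and corrupt the next string. The prose says strUser="Store" while the bytes are the uppercase `STORE`; anyone byte-searching for the string needs the uppercase form.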
model/8994/LGUP_8994.dll:
Code:
@@ -6451,7 +6451,7 @@
00019320: 55d8 53c7 45a4 3000 0000 895d a889 5dac U.S.E.0....]..].
00019330: c745 b002 0000 0089 5db4 897d b889 7dc0 .E......]..}..}.
00019340: 895d c489 5dc8 895d d089 55bc c745 cc00 .]..]..]..U..E..
-00019350: 0100 00e8 3439 1a00 3d09 010b 807f 6774 ....49..=.....gt
+00019350: 0100 00e8 3439 1a00 b800 0000 00eb 6774 ....49........gt
00019360: 5e3d 2620 0980 7450 3d04 000b 8074 423d ^=& ..tP=....tB=
00019370: 0001 0b80 755b ff15 0c05 1e10 3d00 010b ....u[......=...
00019380: 8074 1e3d 0300 0b80 7417 3d01 000b 8074 .t.=....t.=....t
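Review bot: same 7-byte substitution as the LGUP.exe hunk at 0x1d407 (`3d 09 01 0b 80 7f` + disp8 -> `b8 00 00 00 00 eb` + disp8), here after a direct `call` (e8 34 39 1a 00) instead of an import call, and followed by the same HRESULT compare chain, so this is the DLL-side check on LGUP.exe that the post mentions. The 6-byte prefix is what RolF2 later searches for; the post should add that the search must hit exactly once per file, since a second hit would be a different WinVerifyTrust comparison and patching it disables an unrelated check.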
This looks very promising.
So can I modify it to do all this myself, or have you made a modded one we can download?
TheMadScientist420 said:
This looks very promising
So i can modify it to do all this my self or have u made a moded one we can download
You should do this yourself for now.
I don't think I should distribute modded versions of other peoples copyrighted work.
Thanks for the instructions one more time!
As an H850 user I had to patch LGUP.exe as per your instructions and /model/Common/LGUP_Common.dll (just searched for "3d 09 01 0b 80 7f" and replaced it with "b8 00 00 00 00 eb").
:good:
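The byte search RolF2 describes is the right idea, and the one thing to add to it is a uniqueness check. The following is an added Python example (mine, not smitel's or RolF2's tooling, and not LG's code) that runs that search on a copy of a file, refuses unless the 6-byte pattern occurs exactly once, keeps the replacement the same length, and leaves the jump displacement byte that follows untouched. It assumes only what the posted hunks show: the check is `3d 09 01 0b 80 7f xx` (cmp eax,0x800B0109 ; jg short) and the patch is `b8 00 00 00 00 eb xx` (mov eax,0 ; jmp short). 0x800B0109 is CERT_E_UNTRUSTEDROOT, one of the WinVerifyTrust result codes, which is why the same compare can occur more than once in a binary that verifies more than one signature. The stand-in DLL in `__main__` is a constructed byte string, not an LG file.

```python
"""Pattern patch with a uniqueness check: added example, not a poster's or LG's code.
Assumes only what the posted hunks show: cmp eax,0x800B0109 / jg -> mov eax,0 / jmp."""
from __future__ import annotations
import hashlib

CMP_JG = bytes.fromhex("3d09010b807f")    # cmp eax,0x800B0109 ; jg short <disp8 follows>
MOV0_JMP = bytes.fromhex("b800000000eb")  # mov eax,0          ; jmp short <same disp8>


def find_all(data: bytes, pattern: bytes) -> list[int]:
    """Every offset where `pattern` occurs."""
    hits, start = [], 0
    while (pos := data.find(pattern, start)) != -1:
        hits.append(pos)
        start = pos + 1
    return hits


def patch_unique(data: bytes, pattern: bytes, replacement: bytes) -> tuple[bytes, int]:
    """Replace `pattern` exactly once; raise if it is absent, ambiguous, or a different length.
    Refusing on multiple hits is the point: the same compare-and-branch idiom appears wherever
    a WinVerifyTrust result is tested, and patching the wrong one disables an unrelated check."""
    if len(pattern) != len(replacement):
        raise ValueError("replacement must be the same length as the pattern")
    hits = find_all(data, pattern)
    if len(hits) != 1:
        raise ValueError(f"expected exactly one match, found {len(hits)}: {[hex(h) for h in hits]}")
    off = hits[0]
    return data[:off] + replacement + data[off + len(pattern):], off


def patch_file(src: str, dst: str) -> int:
    """Write a patched copy to `dst`, never touching `src`; return the patch offset."""
    with open(src, "rb") as fh:
        data = fh.read()
    patched, off = patch_unique(data, CMP_JG, MOV0_JMP)
    with open(dst, "wb") as fh:
        fh.write(patched)
    print(f"{src} {hashlib.sha256(data).hexdigest()[:16]} -> {dst} "
          f"{hashlib.sha256(patched).hexdigest()[:16]}, patched at 0x{off:X}")
    return off


if __name__ == "__main__":
    # Constructed stand-in for a DLL: filler, one instance of the check (disp8 = 0x67), filler.
    fake_dll = b"\x90" * 64 + CMP_JG + b"\x67" + b"\x90" * 64
    patched, off = patch_unique(fake_dll, CMP_JG, MOV0_JMP)
    print(hex(off), patched[off:off + 7].hex())       # 0x40 b800000000eb67: disp8 kept
    try:                                               # two copies of the idiom: refuse
        patch_unique(fake_dll + CMP_JG + b"\x74", CMP_JG, MOV0_JMP)
    except ValueError as exc:
        print(exc)
```

Run it as `python patch_lgup.py` for the self-check, or call `patch_file("LGUP_Common.dll", "LGUP_Common.patched.dll")` and swap the file in only after the offset and hashes look right; the original is never modified in place, which is also the easy way around the "can't edit it" permission problem mentioned below.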
RolF2 said:
Thanks for instructions one more time! [...]
That's great to hear!
Good idea to just search for those bytes and replace them.
If other people have had success with this I'm curious to hear about it.
Good tool to back up partitions before and after bootloader unlock, to see what's changed.
I don't know, I can't follow what's going on. I got to the point of searching for b8 00 00 00 00 eb but can't edit it.
RolF2 said:
Thanks for instructions one more time! [...]
So I found this line of hex but can't edit it.
You can't save changes in the hex editor? Then run the hex editor as administrator, or copy the files for editing to another disk and try again.
Just curious... Does anybody know what the "boarddownload" option does? Does that back up the motherboard's firmware or BIOS or something? Sorry if the question sounds dumb. I'm not a developer or anything.
OK, looks like it's too quiet here. We can dump all partitions from the phone with the "dump" function, and there's also a "partition dl" function, so it looks like we can flash a single partition to the phone... The problem is that the program crashes when I try to flash back a dumped partition, so how do I convert a dumped partition image into a flashable img? Simply renaming it to .img doesn't work.
RolF2 said:
OK, looks like too quiet here. [...]
it isn't a problem with the image, it's a problem with the patch... we should really look into how to fix this
@smitel
can you try "partition dl" function in IDA ?
Honestly Annoying said:
it isn't a problem with the image, it's a problem with the patch... we should really look into how to fix this
How do you know it's a problem with the patch?
RolF2 said:
@smitel
can you try "partition dl" function in IDA ?
What do you mean?
Figure out what it does/wants?
Look at your crash?
FWIW, I get "Error: General exception error in _initializeProcess()" when I try 'PARTITION DL'.
I'm guessing the 'DUMP' function produces a raw dump of the blockdevice, where 'PARTITION DL' requires a particular header (as in .TOT or .MBN) to define what gets flashed where.
FWIW, I find the following functions in my LGUP_8994.dll:
Code:
v5 = sub_1000B4F0(v4, (int)"REFURBISH", v3);
v8 = sub_1000B4F0(v7, (int)"UPGRADE", v6);
v11 = sub_1000B4F0(v10, (int)"CHIPERASE", v9);
v14 = sub_1000B4F0(v13, (int)"BOARDDOWNLOAD", v12);
if ( (v14 || v2 < 0xD || (LOBYTE(v14) = v2 != 13, v14)) && sub_1000C6A0(v1, "PROCESS_FAC_BOARDDOWNLOAD") )
if ( sub_1000C6A0(v1, "PROCESS_CS_WEBDOWNLOAD") )
if ( sub_1000C6A0(v1, "PROCESS_MBNBUILD") && sub_1000C6A0(v1, "TOT BUILD") )
if ( sub_1000C6A0(v1, "RECOVERY") )
if ( sub_1000C6A0(v1, "DOWNGRADE") )
if ( sub_1000C6A0(v1, "SCRIPT") && sub_1000C6A0(v1, "PROCESS_FAC_SCR") )
if ( sub_1000C6A0(v1, "PROCESS_FAC_UPGRADE") )
if ( sub_1000C6A0(v1, "PRL/ERI WRITE") && sub_1000C6A0(v1, "PRL UPDATE") )
if ( sub_1000C6A0(v1, "PRL/ERI READ") && sub_1000C6A0(v1, "PRL READ") )
if ( sub_1000C6A0(v1, "PHONESETTING") )
if ( sub_1000C6A0(v1, "PARTITION DL") )
if ( sub_1000C6A0(v1, "PB BACKUP") )
if ( sub_1000C6A0(v1, "PB RESTORE") )
if ( sub_1000C6A0(v1, "FOTA UPGRADE") )
if ( !sub_1000C6A0(v1, "DUMP") )
I tried to follow the 'path' to understand what code gets called, but it's not very clear to me.
Every 'if' just results in a
Code:
*(_DWORD *)(v16 + 88) = 48;
}
else
{
*(_DWORD *)(v16 + 88) = 47;
}
}
else
{
*(_DWORD *)(v16 + 88) = 46;
But I haven't been able to follow what happens with it.
Here's a list of what functions are which 'ID'.
Code:
DUMP = 48 / 30h;
FOTA UPGRADE = 47 / 2Fh
PB RESTORE = 46 / 2Eh
PB BACKUP = 45 / 2Dh
PARTITION DL = 44 / 2Ch
PHONESETTING = 8 / 8h
PRL/ERI READ / PRL READ = 43 / 2Bh
PRL/ERI WRITE / PRL WRITE = 42 / 2Ah
PROCESS_FAC_UPGRADE = 0 / 0h
SCRIPT / PROCESS_FAC_SCR = 2 / 2h
DOWNGRADE = 41 / 29h
RECOVERY = 6 / 6h
PROCESS_MBNBUILD / TOT BUILD = 40 / 28h
PROCESS_CS_WEBDOWNLOAD = special
v15 = *(_DWORD *)(v16 + 1364);
if ( v15 == 3 )
*(_DWORD *)(v16 + 88) = 17;
else
*(_DWORD *)(v16 + 88) = 2 * (v15 == 5) + 16;
PROCESS_FAC_BOARDDOWNLOAD / BOARDDOWNLOAD = 7 / 7h
CHIPERASE = 32 / 20h
UPGRADE = 15 / Fh
REFURBISH = 9 / 9h
I was hoping to find a switch/case somewhere that would consume all these possibilities, but only find a partial one.
In sub_10081930() I see:
Code:
switch ( v1 )
{
case 40:
result = sub_10081570(this);
break;
case 45:
result = sub_1007E440(this);
break;
case 46:
result = sub_100807A0();
break;
case 2:
result = (*(int (**)(void))(*(_DWORD *)this + 60))();
break;
default:
result = sub_10083A70(this);
break;
}
And in this sub_1007E440() I see references to 'PB Backup', so this is one switch/case.
FWIW, when I rename my modemst1_COM7 to modemst1_COM7.tot I get error: "Error: TOT file is invalid[1]".
This message gets outputted by sub_1004CD20().
This might help with finding how/where stuff gets processed.
smitel said:
FWIW, when I rename my modemst1_COM7 to modemst1_COM7.tot I get error: "Error: TOT file is invalid[1]".
This message gets outputted by sub_1004CD20().
This might help with finding how/where stuff gets processed.
The .tot is a whole list of files; I don't think renaming one partition to .tot would work.
It sucks, I look at all you guys' partitions and it's a TWRP heaven for restores. I still can't get the patch to work.
I wonder if the old LG Firmware Extractor or diagtool could repack these into a .tot format; between the two of them they made all my hard brick restore images and stuff for the G2, G3, G4.
I couldn't find an updated firehose bin for my G4 but still made a complete debrick image.
smitel said:
How do you know it's a problem with the patch? [...]
Man, if I can get this patch to work for me. I'm not so good in this area of hex editing.
It's been a long time, lol, old NES ROMs. I think with all these dumps I could get them repacked into a .tot format that LGFlashTool could use. In my case I don't have a ZVA firmware released, and I think I could put one together here.
Maybe you could explain to me better how to patch this. I tried searching; I can't find it half the time, and when I do, even as administrator I can't edit the hex code.

[HOW TO][DISCUSSION] UnBrick Samsung Galaxy Tab 2

There is more than one way to repair a hard-bricked Samsung Galaxy Tab 2:
* Those who damaged the bootloader can try Running stock U-Boot from SD Card
* Those who have a HW fault like the eMMC bug can participate in the development of Running entire system from SD Card
The second one may be solved later with the help of some experienced people.
Run stock U-Boot from SD Card
Requirements
* A hard-bricked Samsung Galaxy Tab 2 (GT-P5100). You can recognize it by the device doing nothing at all: charging doesn't work, the power button does nothing, recovery doesn't work. More info: How To Unbrick Your Galaxy Tab!
* An SD card supporting UHS-I UHS104 (SDR104). It is not easy to determine which cards support this mode and which do not; I tried many cards and the UHS-I label alone is not enough, so I asked SanDisk support and they recommended the SanDisk Extreme. I bought a SanDisk Extreme 32GB and this card works. I would say every 90 MB/s+ card should work.
step 0 (Windows only)
Windows
* Install drivers for OMAP 4430 Guide / Drivers inside OMAPFlash download
* VirtualBox with Linux
* Set VirtualBox to capture the OMAP 4430 USB device
* Download win iso burner
step 1
Windows & Linux
* Download [omapboot](https://github.com/LukasTomek/omapboot) to Linux
* Download [ Debrick dump imgs](https://forum.xda-developers.com/showpost.php?p=65114419&postcount=2)
step 2
Prepare SD card
Windows
Use win iso burner to write the Debrick dump imgs to the SD card.
Linux
Write the Debrick dump imgs to the SD card.
Be careful to use the right device sdX
Code:
dd if=debrick.img of=/dev/sdX
step 3
In Linux run
Code:
/home/lukas/SamsungP5100/omapboot# python3 omapboot.py -b
you will see:
Code:
/home/lukas/SamsungP5100/omapboot# python3 omapboot.py -b
Boot from MMC1 interface selected.
Waiting for omap44 device.
* Connect Tablet to PC
* Press Power button for long time approximately 10s
* You should see this in command line:
Code:
Boot from MMC1 interface selected.
Waiting for omap44 device.
Model: 4430
ROM revision: 0x04
CH: enabled
Underdocumented ASIC subblock #18: 00
IDEN: 0xE5FD23CE0F5FDF902D7EDA9B4D848D687F62372A
MPKH: 0xB585ACF1DD15B06A74813BFDDD6ECD64227CE4C90658C65B4C53AC229B4C6DC0
CRC0: 0x9C669AD9
CRC0: 0x682ADCCF
recevied ASIC ID banner:
Model: 4430
ROM revision: 0x04
CH: enabled
Underdocumented ASIC subblock #18: 00
IDEN: 0xE5FD23CE0F5FDF902D7EDA9B4D848D687F62372A
MPKH: 0xB585ACF1DD15B06A74813BFDDD6ECD64227CE4C90658C65B4C53AC229B4C6DC0
CRC0: 0x9C669AD9
CRC0: 0x682ADCCF
Giving x-loader a chance to come up...Probably loaded!
* The tablet should start into some firmware recovery mode (see picture)
(screenshot)
* You should be able to use ODIN to repair the internal memory. In my case ODIN stopped halfway through loading; I probably have the eMMC bug.
Running entire system from SD Card
I'm trying to modify U-Boot and the kernel to load the entire system from the SD card. Some have done it: Say hi to "CyanoBoot" -- a 2nd bootloader/w menu aka "ub2", a different device with the same CPU.
The first step of boot is loading x-loader. The x-loader is signed, so we have to use the original one from Samsung. After some peripheral initialization x-loader copies u-boot to RAM, checking for a magic constant at the start of the copied code, and executes it. This is the place where we can change u-boot to boot from the SD card, because x-loader loads u-boot from the same device it was itself loaded from.
u-boot source
Does anyone have the u-boot source from Samsung?
I used this Guide and copied some parts from the Nook device's u-boot source, because they made boot from SD card work on the same OMAP4430 CPU, and from lge_p920 in the LG open-source repository. Does anyone have a better idea?
How to compile
[u-boot source](https://gogs.lukastomek.info/lukas/u-boot)
[Building U-BOOT #(for Blaze)](http://omappedia.org/wiki/4AJ.2.5_OMAP4_Jelly_Bean_Release_Notes)
Kernel
I'm using the stock boot.img from the O2C-P5100XXDMJ2-20131203002840.zip package. Does anyone have a kernel booting from SD card?
Prepare Debrick.img
Rewrite part of the image file
Write each component to its address in debrick_changed.img. dd's seek= takes the address in hex on Linux through shell arithmetic (seek=$((0x2C00000)) for recovery.img) or as a decimal on Windows (seek=46137344 for recovery.img).
You need to rewrite:
x-loader (MLO) 0x20000
u-boot (Sbl.bin) 0x1800000
boot.img 0x2400000
recovery.img 0x2C00000
Code:
dd if=C:\temp\Tablet\sdCardDebrick\recovery.img of=C:\temp\Tablet\sdCardDebrick\debrick_changed.img seek=$((0x2C00000)) oflag=seek_bytes conv=notrunc
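The four offsets above are partition starts: 49152, 73728 and 90112 sectors x 512 bytes from the u-boot ptbl listing further down this post are exactly 0x1800000, 0x2400000 and 0x2C00000, and the sizes in the same listing (2M, 8M, 8M) bound what can be written there. The following is an added Python example (mine, not the thread author's tooling) that parses those ptbl lines, checks the offsets against them, and overlays component images into a copy of debrick.img with conv=notrunc semantics, refusing any image that would overrun its slot. The partition lines are copied from the log in this post; the MLO slot (assumed to end where EFS starts, 8192 x 512 = 0x400000) is my assumption, as are the 16-byte blobs in `__main__`, which stand in for real images.

```python
"""Overlay x-loader/u-boot/kernel/recovery into a copy of debrick.img: added example,
not the thread author's tooling. Offsets are the post's table; slot sizes come from
the u-boot ptbl output in the same post (start sector, size in MB)."""
from __future__ import annotations

SECTOR = 512
# Copied from the u-boot "ptbl slot: SD:(0)" output in the post.
PTBL_TEXT = """\
8192 20M EFS
49152 2M SBL1
53248 2M SBL2
57344 8M PARAM
73728 8M KERNEL
90112 8M RECOVERY
"""
# component -> (byte offset from the post, partition it must land in; MLO has no ptbl entry)
LAYOUT = {
    "MLO": (0x20000, None),
    "Sbl.bin": (0x1800000, "SBL1"),
    "boot.img": (0x2400000, "KERNEL"),
    "recovery.img": (0x2C00000, "RECOVERY"),
}


def parse_ptbl(text: str) -> dict[str, tuple[int, int]]:
    """'start_sector sizeM NAME' -> {NAME: (byte_offset, byte_size)}."""
    table = {}
    for line in text.splitlines():
        start, size, name = line.split()
        if not size.endswith("M"):
            raise ValueError(f"unexpected size unit in {line!r}")
        table[name] = (int(start) * SECTOR, int(size[:-1]) * 1024 * 1024)
    return table


def slot_limit(ptbl: dict, comp: str) -> int:
    """Largest image that fits at comp's offset without crossing into the next slot."""
    off, part = LAYOUT[comp]
    if part is None:                       # assumption: MLO may use everything below EFS
        return ptbl["EFS"][0] - off
    return ptbl[part][1]


def check_layout(ptbl: dict) -> bool:
    """Every LAYOUT offset must equal the start of the partition it names."""
    for comp, (off, part) in LAYOUT.items():
        if part is not None and ptbl[part][0] != off:
            raise ValueError(f"{comp}: 0x{off:X} != {part} start 0x{ptbl[part][0]:X}")
    return True


def overlay(image: bytearray, components: dict[str, bytes], ptbl: dict) -> bytearray:
    """dd conv=notrunc semantics: write each blob in place at its offset, same total size."""
    for comp, blob in components.items():
        off, _ = LAYOUT[comp]
        if len(blob) > slot_limit(ptbl, comp):
            raise ValueError(f"{comp}: {len(blob)} bytes, slot holds {slot_limit(ptbl, comp)}")
        if off + len(blob) > len(image):
            raise ValueError(f"{comp} runs past the end of the image")
        image[off:off + len(blob)] = blob
    return image


def build_image(src: str, dst: str, files: dict[str, str]) -> None:
    """Read debrick.img, overlay the named files (component -> path), write debrick_changed.img."""
    ptbl = parse_ptbl(PTBL_TEXT)
    check_layout(ptbl)
    with open(src, "rb") as fh:
        image = bytearray(fh.read())
    blobs = {}
    for comp, path in files.items():
        with open(path, "rb") as fh:
            blobs[comp] = fh.read()
    with open(dst, "wb") as fh:
        fh.write(overlay(image, blobs, ptbl))


if __name__ == "__main__":
    ptbl = parse_ptbl(PTBL_TEXT)
    check_layout(ptbl)
    # Constructed stand-ins: a zeroed image large enough for the RECOVERY slot, 16-byte blobs.
    image = bytearray(ptbl["RECOVERY"][0] + ptbl["RECOVERY"][1])
    overlay(image, {"boot.img": b"\xBB" * 16, "recovery.img": b"\xAA" * 16}, ptbl)
    print(image[0x2C00000:0x2C00010].hex())   # aaaa...: recovery landed at sector 90112
```

A real run is `build_image("debrick.img", "debrick_changed.img", {"recovery.img": "recovery.img"})`; the size check is what the plain dd command lacks, since dd with conv=notrunc will happily write an oversized recovery.img straight through the end of the RECOVERY slot into CACHE.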
UART Debugging
Pin 21 of the [Samsung Galaxy Tab 30 Pin Dock Connector Pinout](https://forum.xda-developers.com/showthread.php?t=1118986) is the output of debug messages for x-loader and u-boot (port UART4). I would like to send the kernel debug output to this port too. Does anyone know how to do it? I'm using a UB232R for connecting to the PC.
Output from debugging:
Code:
ŕ<0>
Texas Instruments X-Loader 1.41 (Apr 10 2013 - 20:55:49)
Starting OS Bootloader from MMC/SD1 ...
U-Boot 1.1.4-g01076139-dirty (Jan 8 2019 - 14:49:13)
U-Boot code: 80E80000 -> 80EAA870 BSS: -> 80F2F964
Load address: 0x80e80000
DRAM: 2048 MB
Flash: 0 kB
Using default environment
In: serial
Out: serial
Err: serial
Initializing SD(0) Slot.
ptbl slot: SD:(0).
8192 20M EFS
49152 2M SBL1
53248 2M SBL2
57344 8M PARAM
73728 8M KERNEL
90112 8M RECOVERY
106496 700M CACHE
1540096 20M MODEM
1581056 1400M FACTORYFS
4448256 12343M DATAFS
29728734 512M HIDDEN
efi partition table:
bootcmd booti mmc0ptbl slot: SD:(0).
8192 20M EFS
49152 2M SBL1
53248 2M SBL2
57344 8M PARAM
73728 8M KERNEL
90112 8M RECOVERY
106496 700M CACHE
1540096 20M MODEM
1581056 1400M FACTORYFS
4448256 12343M DATAFS
29728734 512M HIDDEN
Net: KS8851SNL
arch_number = 0x00000870
board rev = 0x00000000
env_t = 0x00000000
boot_params = 0x80000100
DRAM bank = 0x00000000
-> start = 0x80000000
-> size = 0x80000000
ethaddr = 00:00:00:00:00:00
ip_addr = 128.247.77.90
baudrate = 115200 bps
81200000: 52444e41 2144494f 0046add8 80008000 ANDROID!..F.....
81200010: 000b63a5 81000000 00000000 80f00000 .c..............
81200020: 80000100 00000800 00000000 00000000 ................
81200030: 00000000 00000000 00000000 00000000 ................
81200040: 736e6f63 3d656c6f 4f797474 31312c32 console=ttyO2,11
81200050: 30303235 6d20386e 313d6d65 4d343230 5200n8 mem=1024M
81200060: 646e6120 64696f72 746f6f62 6e6f632e androidboot.con
81200070: 656c6f73 7974743d 7620324f 3d6d6172 sole=ttyO2 vram=
kernel @ 80008000 (4632024)
ramdisk @ 81000000 (746405)
timed out in wait_for_bb: I2C_STAT=1000
I2C read: I/O error
Starting kernel ...
Uncompressing Linux... done, booting the kernel.
ŕ<0>
This looks like the kernel is executed, but there is no more info. I tried setting ttyO0-ttyO4 and ttyS0-4 but there was no difference; I get no output from the kernel. Does anyone have an idea how to get kernel output, or what is wrong?
I realize I'm four years late with this, but I hope you see my message, because I'm also trying to get u-boot working on the Samsung Galaxy Tab 2 and I saw the repository with your work so far, but for some reason it isn't up anymore. Could you re-upload it, if it isn't too much effort?
If anyone is still interested: I managed to patch the stock bootloader from Samsung (Sbl.bin) so that more verbose logging on UART4 works, and booting entirely from the SD card also works: https://github.com/mspitteler/espresso-sbl

NV Read not working after updating single NV item

Hi,
I had two Samsung S10+ phones: SM-G975U1 (US unlocked version) and SM-G9750 (China/HK version).
Both run the same Qualcomm Snapdragon chipset.
I wanted to enable additional bands on the SM-G9750 to bring it fully in sync with the SM-G975U1.
What I did was the following:
1) Installed QXDM tool
2) Read the following NVs: 00441, 00442, 00946, 01877, 02954, 06828.
3) Noticed that the only difference is on the 1877 (CDMA config) and 6828 (LTE config)
4) Updated the 1877 and 6828 to be exactly the same as the values from SM-G975U1.
5) Rebooted phone
Everything was working. After rebooting the phone I connected again and was able to read the values I wrote, and they showed correctly (the written values).
Then I decided to be "smarter". I noticed that even though my SM-G9750 now has the values from the SM-G975U1, when I compare the bits from what was on the SM-G9750 before with what is there now (the config I took from the SM-G975U1), there is still one bit that was set on the SM-G9750 and is now cleared by the new configuration from the SM-G975U1.
So I decided to OR it in and set this bit.
After saving the values, everything went well. I was able to save it and read it back.
Then I rebooted the phone.
The phone works after the reboot, connects and everything, but now there was an interesting issue...
When I connected it to QXDM I could not read *ANY* NV values, not even for other slots. I get "invalid command" all the time.
The DFS Qualcomm tool that used to work also does not work.
It looks like USB is listening but not accepting any commands.
What could have happened? And how do I revert it?
The phone in general is working; I just cannot read or modify any NV values via USB, as if the software on the phone that was serving the USB requests got disabled, crashed, or was blocked.
Thoughts?
----------------------------
For reference, those are the original values from both phones:
USA/CHINA: 441:
0
0xFFFF
USA/CHINA: 442:
0
0x00FF
USA/CHINA: 946:
0
0xBFFF
USA: 1877: CDMA:
562950069306247
0010 0000 0000 0000 0000 0000 0110 1110 1000 0100 0011 1000 0111
CHINA: 1877: CDMA:
562950069289859
0010 0000 0000 0000 0000 0000 0110 1110 1000 0000 0011 1000 0011
USA/CHINA: 2954:
0
4294967295 (or 0xFFFFFFFF)
USA: 6828: LTE:
288795388680222943
0
0000 0100 0000 0010 0000 0001 1110 0000 0011 1011 0000 1110 0011 1000 1101 1111
CHINA: 6828: LTE:
600196850264287
0
0000 0000 0000 0010 0010 0001 1110 0000 0011 1000 0000 1110 0010 1000 1101 1111

Oppo A37f european LTE, WCDMA

Hello everyone,
Hasn't anybody tried making the Oppo A37f work with LTE (or at least WCDMA) in the EU?
I have one I bought in Thailand years ago and now I would like to use it in France (because why not; well, it has the FM radio which my newer phone doesn't have, that's why).
The problem is that it doesn't connect to LTE at all, and it connects to WCDMA and the download speed is even decent for the phone (11, 12 Mbps), but the connection is unstable (it works, displays H+, then 3G, then disconnects and can then stay disconnected for a long time until it connects again).
It looks like it should support LTE bands 1 and 3. My carrier (Free.fr) supports 1, 3, 7, 28 (with 1 marked as limited coverage), so theoretically it should connect on band 3 or 1 (right?), but in practice it never does. My newer phone (Alcatel 3L 2020) connects on LTE band 7 to the same network.
I thought about trying to enable some additional bands (7, perhaps) by editing NV_LTE_BC_CONFIG_I (I still need to figure out how to do that: I can read the NV and see the values with QPST's QCN Viewer, can even dump the QCN as XQCN (something like XML) and find and change that item; I just need to figure out how to change it to enable band 7).
Another thing I'm thinking about (even though pretty much everywhere it's said it won't work) is trying to use the baseband (or even just the QCN) from the Moto XT1541 (the European version of the Moto G3, which uses the same MSM8916 chipset).
Hasn't anybody had this kind of connectivity problem and maybe a solution for it?
Thank you
Best regards
Well, I tried doing what I think should enable bands 7 and 20:
changed NV_LTE_BC_CONFIG_I from 00000000000010000101 (85 00 00 00 00 00 00 00) (which apparently means bands 1, 3, 8 enabled)
to 10000000000011000101 (C5 00 08 00 00 00 00 00) (which I guess should have added 7 and 20):
the phone still didn't connect to LTE; still the same: HSPAP.
Anything else to do? (Does the hardware even support the disabled bands?)
P.S.
C:
#include <inttypes.h>
#include <stdio.h>
#include <stdlib.h>

/* Build the little-endian NV_LTE_BC_CONFIG_I value for the bands given on the
 * command line: bit (N-1) set means LTE band N enabled. */
int
main(int argc, char *argv[])
{
    uint64_t item6828 = 0;
    for (int i = 1; i < argc; ++i) {
        int band = atoi(argv[i]);
        if (band < 1 || band > 64) {
            fprintf(stderr, "band %s out of range 1..64\n", argv[i]);
            return 1;
        }
        /* UINT64_C: a plain 1 is an int, so 1 << 31 and above is undefined */
        item6828 |= UINT64_C(1) << (band - 1);
    }
    /* print the least significant byte first, the order the bytes sit in the (X)QCN */
    for (size_t i = 0; i < sizeof item6828; ++i) {
        printf("%02" PRIX64 " ", (item6828 >> (8 * i)) & 0xFF);
    }
    printf("\n");
    return 0;
}
Code:
$ cc -o bands bands.c && ./bands 1 3 7 8 20 28
C5 00 08 08 00 00 00 00
This is how one calculates the value to insert into the XQCN, right?
(Sorry for still keeping up a conversation with only myself.)
Why are there many of them? (Do I need to change some other one than the one I did, the one that has index 0?)
(screenshot)
