Database Users

[Q] Commands for Hardware controll

Hello,
i just starting with C# dev. and now i search the "commands" or the "way" to controll the Mobile phone.
i use a HTC Leo WinMo 6.5.3 and VB2010 or VB2008. the first little "hello world" app runs great, bit i want to controll the Hardware, like enable or disable the Camera LED or something link that.
other phones like the Sonim xp3 have a "Developer Readme" and list the complet commands for hardware access.
i search for the HTC Leo the same, but i found only the "Microsoft WinMo Dev." side with the standart commands.
give it a "Dev HowTo" from HTC for Leo or something like that?
thank you

I'd go with a bit of IDA (or PE Explorer, if it can show DLL entrypoints) and try disassembling the camera.dll or HTCCameraUtility.dll files from OEMDrivers/camera packages. I bet there will be one entrypoint named something like EnableLight and DisableLight.

As OndraSter said, disassembling files is the only way to learn how to control hardware.
CreateFileW + DeviceIoControl are typically used to control leds (excluding camera's led (at least on X1, TP2, etc)).
All leds can be controlled directly using "I2C1:" device or manufacter's wrapper (on SE X1 there is "LED1:" device).

Kay, i installed the PE Explorer, i open the HTCCameraUtility.dll and the Camera.exe from the windows dir, but in both cases the PE Explorer disable the disassembling function. i try a other exe file and this works fine with pe explorer...
and now? what means "IDA" ?

IDA stands for Interactive Disassembler, which is ... disassembler of dll/exe/... for many platforms (win32, wince arm etc supported in demo version).
When I get home (tomorrow, on saturday, or the day after on sunday), I will help you with that, but I dont own any LED-flash integrated device, so I'll have to do a lot more work .
@ultrashot
I didn't realize it might be on I2C, thanks for pointing that out
- Andrew

Attention, as usual: All code below is rather device-specific. If you don't know what you do, don't use it!
Probably i2c_ functions are the same on all htc devices (at least I hope so).
On Kovsky I use these functions to control i2c devices directly:
*.h:
Code:
#define I2CMgr_WriteMultiBytes_Ioctl 0x80100024
#define I2CMgr_WriteByte_Ioctl 0x8010000C
#define I2CMgr_ReadMultiBytes_Ioctl 0x80100028
#pragma pack(1)
typedef struct
{
unsigned char device_id;
unsigned char smth1;
unsigned short address;
unsigned int inBufLength;
unsigned char *inBuf;
}I2C;
typedef struct
{
unsigned char device_id;
unsigned char address;
unsigned short data;
}I2C2;
#pragma pack()
.cpp:
Code:
int i2c_write(int device_id, int address, unsigned char *buf, int buf_size)
{
HANDLE device=CreateFileW(L"I2C1:",0xC0000000,0,0,3,0,0);
I2C i2c;
i2c.device_id=device_id;
i2c.address=address;
i2c.smth1=1;
i2c.inBufLength=buf_size;
i2c.inBuf=buf;
for (int x=0;x<3;x++)
{
if (DeviceIoControl(device,I2CMgr_WriteMultiBytes_Ioctl,&i2c,sizeof(I2C),NULL,NULL,NULL,NULL))
{
CloseHandle(device);
return S_OK;
}
DeviceIoControl(device,0x80100014,&i2c,sizeof(I2C),NULL,NULL,NULL,NULL);
Sleep(0xA);
}
CloseHandle(device);
return -1;
};
int i2c_writewbyte(int device_id, int address, unsigned short data)
{
HANDLE device=CreateFileW(L"I2C1:",0xC0000000,0,0,3,0,0);
I2C2 i2c;
i2c.device_id=device_id;
i2c.address=address;
i2c.data=data;
for (int x=0;x<3;x++)
{
if (DeviceIoControl(device,I2CMgr_WriteByte_Ioctl,&i2c,sizeof(I2C2),NULL,NULL,NULL,NULL))
{
CloseHandle(device);
return S_OK;
}
DeviceIoControl(device,0x80100014,&i2c,sizeof(I2C2),NULL,NULL,NULL,NULL);
Sleep(0xA);
}
CloseHandle(device);
return -1;
};
int i2c_read(int device_id, int address, unsigned char *outBuf, int outBufLength)
{
HANDLE device=CreateFileW(L"I2C1:",0xC0000000,0,0,3,0,0);
I2C i2c;
i2c.device_id=device_id;
i2c.address=address;
i2c.smth1=1;
i2c.inBufLength=outBufLength;
i2c.inBuf=outBuf;
for (int x=0;x<3;x++)
{
if (DeviceIoControl(device,I2CMgr_ReadMultiBytes_Ioctl,&i2c,sizeof(I2C),outBuf,outBufLength,NULL,NULL))
{
CloseHandle(device);
return S_OK;
}
DeviceIoControl(device,0x80100014,&i2c,sizeof(I2C),NULL,NULL,NULL,NULL);
Sleep(0xA);
}
CloseHandle(device);
return -1;
};
For example, I get info from Kovsky's lightsensor this way. You shouldn't use this code on other devices.
Code:
int lightsensor_read()
{
unsigned char buf[2]={0,0};
int res=i2c_read(MICROP_KLT, MICROP_KLT_ID_LIGHT_SENSOR_KOVS, buf, sizeof(buf));
if (res!=S_OK)
return -1;
int r3=buf[0];
int r2=buf[1];
r3=r3&3;
r2=r2|(r3<<8);
return r2;
};
Full code here: http://forum.xda-developers.com/showpost.php?p=7121525&postcount=231

Debugging on PPC and...
Stress test your application with UAEDT = Unrecoverable Application Error Debugging Tool.
UAE Debugging Tool (UAEDT) is a debug monitor, stress tester etc. for developers of Windows Mobile software. A great free alternative to IDA Pro: assembler/disassembler though of course not as advanced
Ultimate device/radio commander AT Commander :: use only if you know what you are doing it can brick your phone easily!!
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
[PC] ATCommander;
http://atcommander.com
The above link does not provide us with much information / links
Thus I searched some more and came up with;
http://atcommander.com/download/
Same page though not reachable via the first link. Anyway here you can download the latest .zip or .exe
Also do not forget to check this link;
http://atcommander.com/public/
Here some AT Commands reference links provided in a pdf file;
http://atcommander.com/download/AT_Command_Specification/
[PPC] ATCommander;
http://forum.xda-developers.com/showthread.php?t=375395
ChARMeD is a Windows Mobile / Pocket PC / Win CE (for ARM CPUs) Disassembler and Assembler
The name ChARMeD stands for:
Carolo's Hexadecimal ARM Editor and Disassembler
ARM Classic Processors
ARM Infocenter
Use all these applications with caution!!
o/~

[Q] empty fields crast my app

Hello everyone,
I have start my first app, with this app, can you count your small change. And It works fine.
But, the fields must have a number, otherwise will my app cras.
Is there a solution to fix this? I mean if the user no number set on a row, that the app see this as a zero?
This looks my app:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
this is the code what i use, it is maby not perfect but I am a beginner.
Code:
Button btn_optellen = (Button) findViewById(R.id.btn_optellen);
btn_optellen.setOnClickListener(new OnClickListener() {
@Override
public void onClick(View v) {
double een = Double.valueOf(txt_001.getText().toString());
double twee = Double.valueOf(txt_002.getText().toString());
double total_een = een * 0.01 ;
double total_twee = twee * 0.02 ;
double totaal = total_een + total_twee;
tt_001.setText(String.format("= €%.2f", total_een ));
tt_002.setText(String.format("= €%.2f", total_twee ));
tt_totaal.setText(String.format("= €%.2f", totaal));

After you write the values to een and twee, you should do a check if they are null. And if that check is true, then set the value to 0.
So to be precise: do this check just before the line
double total_een = een * 0.01;
Click to expand...
Click to collapse
--------------------
Phone: Nexus 4
OS: rooted Lollipop LRX21T
Bootloader: unlocked
Recovery: TWRP 2.8.2.0

Thanxs for your answer.
I hope I don't ask to muts. But I am ana beginner. Can your show how I must write it?

Ok so i just researched a bit and found out that if the string to parse is invalid, then there is an exception thrown immediately. I thought that just null would be returned, so we need a different approach. But here os how to do it:
Code:
Button btn_optellen = (Button) findViewById(R.id.btn_optellen);
btn_optellen.setOnClickListener(new OnClickListener() {
@Override
public void onClick(View v) {
//we should initialize the two doubles to 0, so that we can just leave it like this in case of an error
double een = 0;
double twee = 0;
try {
een = Double.valueOf(txt_001.getText()); //btw, you dont need to call toString() after getText(). That method already returns a string so doing this would be redundant
} catch (Exception e) {} //nothing has to be done here, because the double has already been initialised to be 0
//same here
try {
twee = Double.valueOf(txt_002.getText());
} catch (Exception e) {}
//so now the two doubles are either set to 0 or to the value entered by the user, if it was a correct number
double total_een = een * 0.01 ;
double total_twee = twee * 0.02 ;
double totaal = total_een + total_twee;
tt_001.setText(String.format("= €%.2f", total_een ));
tt_002.setText(String.format("= €%.2f", total_twee ));
tt_totaal.setText(String.format("= €%.2f", totaal));
--------------------
Phone: Nexus 4
OS: rooted Lollipop LRX21T
Bootloader: unlocked
Recovery: TWRP 2.8.2.0

Very muth thanx, I am going try it out.

Unlocking LGUP features for fun and profit

I wasn't sure where to post this. If this is better posted somewhere else, please tell me or move it.
LGUP comes in different variants. Dev, LAB, Store, 3rdParty.
Depending on the variant you're running, different features are exposed by your model.dll.
If you hack LGUP, you can unlock features!
Hacked LGUP:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Store LGUP:
I've tested the 'DUMP' function to see if the unlocked features are actually working, and yes, it works:
Unfortunatly, LG has implemented checks to prevent you from just modifying your LGUP.exe or LGUP_8994.dll to expose these features.
LG uses a temporary file to pass the features from the DLL to the application.
So it's just a matter of pausing LGUP at the right time, changing the file and voila.
I did it this way:
Load LGUP.exe in IDA (Interactive Disassembler),
Wait until it's done analyzing.
Set debugger to windbg. (F9)
Run the application (F9) one-time to fix the memory addresses..
You will get popups about exceptions, pass them to the application and continue running.
Exit LGUP.
Set break-point to loc_6989F. (if you can't find the location, search for string UI_Config.lgl, go to the code-xref where it's used and break there).
Run application.
When application stops at the breakpoint, open "C:\Program Files (x86)\LG Electronics\LGUP\model\8994\UI_Config.lgl" in a text-editor.
Find/replace "LAB" with "Store".
Save the file.
Continue running the application.
Tada, unlocked features!

holy crap, this is actually really helpful!

I've found another way to do this.
LGUP uses signature verification to prevent you from just hex-editing the files.
The LGUP.exe verifies the model.dll and the model.dll verifies the LGUP.exe.
I've patched this out of my model/8994/LGUP_8994.dll and modified LGUP.exe to look for strUser="DEV" instead of strUser="Store".
Now I can just start lgup.exe and get the 'Dev' functions.
I'm not sure how to distribute this.
I don't think I should just distribute modified versions of LGs software. This will make LG unhappy.
But I'm also not sure how to distribute binary patches in a way that's easy to use for others.
Here are my patches:
--- LGUP.exe (1.14.0.3)
Code:
@@ -2227,7 +2227,7 @@
00008b20: 0445 0400 0f84 4201 0000 8b96 5445 0400 .E....B.....TE..
00008b30: 8b3d fcf0 4300 6884 5144 0052 ffd7 8945 .=..C.h.QD.R...E
00008b40: dc85 c074 518b 8e40 0100 00e8 6047 0100 [email protected]`G..
-00008b50: 85c0 751b 8945 e068 f4c5 4400 8d45 e050 ..u..E.h..D..E.P
+00008b50: 85c0 eb1b 8945 e068 f4c5 4400 8d45 e050 .....E.h..D..E.P
00008b60: c786 3001 0000 0100 0000 e82d d602 00ff ..0........-....
00008b70: 55dc 83f8 ff75 1f68 f4c5 4400 8d4d d851 U....u.h..D..M.Q
00008b80: c786 3001 0000 0100 0000 c745 d800 0000 ..0........E....
@@ -7486,7 +7486,7 @@
0001d3d0: 55d8 53c7 45a4 3000 0000 895d a889 5dac U.S.E.0....]..].
0001d3e0: c745 b002 0000 0089 5db4 897d b889 7dc0 .E......]..}..}.
0001d3f0: 895d c489 5dc8 895d d089 55bc c745 cc00 .]..]..]..U..E..
-0001d400: 0100 00ff 1544 f443 003d 0901 0b80 7f69 .....D.C.=.....i
+0001d400: 0100 00ff 1544 f443 00b8 0000 0000 eb69 .....D.C.......i
0001d410: 7460 3d26 2009 8074 523d 0400 0b80 7444 t`=& ..tR=....tD
0001d420: 3d00 010b 8075 5dff 15d8 f043 003d 0001 =....u]....C.=..
0001d430: 0b80 741f 3d03 000b 8074 183d 0100 0b80 ..t.=....t.=....
@@ -18056,7 +18056,7 @@
00046870: 696f 6e00 504f 5349 5449 4f4e 0000 0000 ion.POSITION....
00046880: 6e58 506f 7300 0000 6e59 506f 7300 0000 nXPos...nYPos...
00046890: 6e57 6964 7468 0000 5355 5050 4f52 5400 nWidth..SUPPORT.
-000468a0: 7374 7255 7365 7200 5354 4f52 4500 0000 strUser.STORE...
+000468a0: 7374 7255 7365 7200 4445 5600 0000 0000 strUser.DEV.....
000468b0: 534f 4654 5741 5245 5f53 5441 5449 4300 SOFTWARE_STATIC.
000468c0: 534f 4654 5741 5245 5f43 5452 4c00 0000 SOFTWARE_CTRL...
000468d0: 4649 4c45 5f54 5950 455f 4558 0000 0000 FILE_TYPE_EX....
model/8994/LGUP_8994.dll:
Code:
@@ -6451,7 +6451,7 @@
00019320: 55d8 53c7 45a4 3000 0000 895d a889 5dac U.S.E.0....]..].
00019330: c745 b002 0000 0089 5db4 897d b889 7dc0 .E......]..}..}.
00019340: 895d c489 5dc8 895d d089 55bc c745 cc00 .]..]..]..U..E..
-00019350: 0100 00e8 3439 1a00 3d09 010b 807f 6774 ....49..=.....gt
+00019350: 0100 00e8 3439 1a00 b800 0000 00eb 6774 ....49........gt
00019360: 5e3d 2620 0980 7450 3d04 000b 8074 423d ^=& ..tP=....tB=
00019370: 0001 0b80 755b ff15 0c05 1e10 3d00 010b ....u[......=...
00019380: 8074 1e3d 0300 0b80 7417 3d01 000b 8074 .t.=....t.=....t

This looks very promising
So i can modify it to do all this my self or have u made a moded one we can download

TheMadScientist420 said:
This looks very promising
So i can modify it to do all this my self or have u made a moded one we can download
Click to expand...
Click to collapse
You should do this yourself for now.
I don't think I should distribute modded versions of other peoples copyrighted work.

Thanks for instructions one more time!
As h850 user i had to patch LGUP.exe as per your instructions and /model/Common/LGUP_Common.dll (just searched for "3d 09 01 0b 80 7f" and replaced with "b8 00 00 00 00 eb") .
:good:

RolF2 said:
Thanks for instructions one more time!
As h850 user i had to patch LGUP.exe as per your instructions and /model/Common/LGUP_Common.dll (just searched for "3d 09 01 0b 80 7f" and replaced with "b8 00 00 00 00 eb") .
:good:
Click to expand...
Click to collapse
That's great to hear!
Good idea to just search for those bytes and replace them.
If other people had succes with this I'm curious to hear about it.

Good tool to backup partitons before bootloader unlock and after, to see whats changed

i dont know i cant follow whats going on i got to the point of searching for b8 00 00 00 00 eb but cant edit it

RolF2 said:
Thanks for instructions one more time!
As h850 user i had to patch LGUP.exe as per your instructions and /model/Common/LGUP_Common.dll (just searched for "3d 09 01 0b 80 7f" and replaced with "b8 00 00 00 00 eb") .
:good:
Click to expand...
Click to collapse
so i found this line of hex but cant edit it

You can't save changes in hex editor? Then run hex editor as administrator, or copy files for editing to another disk and try again.

Just curious... Does anybody know what the "boarddownload" option does?? Does that backup the motherboards firmware or bios or something?? Sorry if the question sounds dumb. Im not a developer or anything.

OK, looks like too quiet here. We can dump all partitions from phone by "dump" function, also there's "partition dl" function - so looks like we can flash only one partition to phone... Problem is that program is crashing when i try to flash back dumped partition ... so how to convert dumped partition image to flashable img as simple renaming to img does'n work ?

RolF2 said:
OK, looks like too quiet here. We can dump all partitions from phone by "dump" function, also there's "partition dl" function - so looks like we can flash only one partition to phone... Problem is that program is crashing when i try to flash back dumped partition ... so how to convert dumped partition image to flashable img as simple renaming to img does'n work ?
Click to expand...
Click to collapse
it isn't a problem with the image, it's a problem with the patch... we should really look into how to fix this

@smitel
can you try "partition dl" function in IDA ?

Honestly Annoying said:
it isn't a problem with the image, it's a problem with the patch... we should really look into how to fix this
Click to expand...
Click to collapse
How do you know it's a problem with the patch?
RolF2 said:
@smitel
can you try "partition dl" function in IDA ?
Click to expand...
Click to collapse
What do you mean?
Figure out what it does/wants?
Look at your crash?
FWIW, I get "Error: General exception error in _initializeProcess()" when I try 'PARTITION DL'.
I'm guessing the 'DUMP' function produces a raw dump of the blockdevice, where 'PARTITION DL' requires a particular header (as in .TOT or .MBN) to define what gets flashed where.

FWIW, I find the following functions in my LGUP_8994.dll:
Code:
v5 = sub_1000B4F0(v4, (int)"REFURBISH", v3);
v8 = sub_1000B4F0(v7, (int)"UPGRADE", v6);
v11 = sub_1000B4F0(v10, (int)"CHIPERASE", v9);
v14 = sub_1000B4F0(v13, (int)"BOARDDOWNLOAD", v12);
if ( (v14 || v2 < 0xD || (LOBYTE(v14) = v2 != 13, v14)) && sub_1000C6A0(v1, "PROCESS_FAC_BOARDDOWNLOAD") )
if ( sub_1000C6A0(v1, "PROCESS_CS_WEBDOWNLOAD") )
if ( sub_1000C6A0(v1, "PROCESS_MBNBUILD") && sub_1000C6A0(v1, "TOT BUILD") )
if ( sub_1000C6A0(v1, "RECOVERY") )
if ( sub_1000C6A0(v1, "DOWNGRADE") )
if ( sub_1000C6A0(v1, "SCRIPT") && sub_1000C6A0(v1, "PROCESS_FAC_SCR") )
if ( sub_1000C6A0(v1, "PROCESS_FAC_UPGRADE") )
if ( sub_1000C6A0(v1, "PRL/ERI WRITE") && sub_1000C6A0(v1, "PRL UPDATE") )
if ( sub_1000C6A0(v1, "PRL/ERI READ") && sub_1000C6A0(v1, "PRL READ") )
if ( sub_1000C6A0(v1, "PHONESETTING") )
if ( sub_1000C6A0(v1, "PARTITION DL") )
if ( sub_1000C6A0(v1, "PB BACKUP") )
if ( sub_1000C6A0(v1, "PB RESTORE") )
if ( sub_1000C6A0(v1, "FOTA UPGRADE") )
if ( !sub_1000C6A0(v1, "DUMP") )
I try if I can follow the 'path' to understand what code gets called, but it's not very clear to me.
Every 'if' just results in a
Code:
*(_DWORD *)(v16 + 88) = 48;
}
else
{
*(_DWORD *)(v16 + 88) = 47;
}
}
else
{
*(_DWORD *)(v16 + 88) = 46;
But I haven't been able to follow what happens with it.

Here's a list of what functions are which 'ID'.
Code:
DUMP = 48 / 30h;
FOTA UPGRADE = 47 / 2Fh
PB RESTORE = 46 / 2Eh
PB BACKUP = 45 / 2Dh
PARTITION DL = 44 / 2Ch
PHONESETTING = 8 / 8h
PRL/ERI READ / PRL READ = 43 / 2Bh
PRL/ERI WRITE / PRL WRITE = 42 / 2Ah
PROCESS_FAC_UPGRADE = 0 / 0h
SCRIPT / PROCESS_FAC_SCR = 2 / 2h
DOWNGRADE = 41 / 29h
RECOVERY = 6 / 6h
PROCESS_MBNBUILD / TOT BUILD = 40 / 28h
PROCESS_CS_WEBDOWNLOAD = special
v15 = *(_DWORD *)(v16 + 1364);
if ( v15 == 3 )
*(_DWORD *)(v16 + 88) = 17;
else
*(_DWORD *)(v16 + 88) = 2 * (v15 == 5) + 16;
PROCESS_FAC_BOARDDOWNLOAD / BOARDDOWNLOAD = 7 / 7h
CHIPERASE = 32 / 20h
UPGRADE = 15 / Fh
REFURBISH = 9 / 9h
I was hoping to find a switch/case somewhere that would consume all these possibilities, but only find a partial one.
In sub_10081930() I see:
Code:
switch ( v1 )
{
case 40:
result = sub_10081570(this);
break;
case 45:
result = sub_1007E440(this);
break;
case 46:
result = sub_100807A0();
break;
case 2:
result = (*(int (**)(void))(*(_DWORD *)this + 60))();
break;
default:
result = sub_10083A70(this);
break;
}
And in this sub_1007E440() I see references to 'PB Backup', so this is one switch/case.

FWIW, when I rename my modemst1_COM7 to modemst1_COM7.tot I get error: "Error: TOT file is invalid[1]".
This message gets outputted by sub_1004CD20().
This might help with finding how/where stuff gets processed.

smitel said:
FWIW, when I rename my modemst1_COM7 to modemst1_COM7.tot I get error: "Error: TOT file is invalid[1]".
This message gets outputted by sub_1004CD20().
This might help with finding how/where stuff gets processed.
Click to expand...
Click to collapse
the .tot is a whole list of files i dont think renaming one partition to tot would work
it sucks i look at all ure guys partition and it a twrp heaven fro restore. i still cant get the patch to work.
i wonder if old lg firmware extractor or diagtool could repack these into a .tot format though it between the two of them they made all my hard brick restore images and carp for g2 g3 g4
i couldnt find a updated firehose bin for my g4 but still made a complete debrick image
---------- Post added at 10:22 AM ---------- Previous post was at 10:17 AM ----------
smitel said:
How do you know it's a problem with the patch?
What do you mean?
Figure out what it does/wants?
Look at your crash?
FWIW, I get "Error: General exception error in _initializeProcess()" when I try 'PARTITION DL'.
I'm guessing the 'DUMP' function produces a raw dump of the block device, where 'PARTITION DL' requires a particular header (as in .TOT or .MBN) to define what gets flashed where.
Click to expand...
Click to collapse
man if i can get this patch to work for me. im not so good in this area of Hex edit.
its been a long time. lol old nes roms. i thing with all these dumps I could get them repacked into a tot format that lgflashtool could use. in my case, i don't have a zva firmware released and i think i could put one together here
maybe you could explain to me better how to patch this i try searching can't find it half the time when i do even as adminstrator i cant edit the hex code.

Doze config settings instead of Forcedoze

I was wondering if someone could help me with settings to use in the Dose Config Settings in the OmniGears menu to replace the Forcedoze app.
Is it possible to force Omni to doze by using some more agressive settings in the Dose Config, so Omni would go into deep sleep after switching the screen off and not looking to the sensors?
And when the answer is yes, what settings are preferabele then?

You have to use another kernel then default for this because you have to block the wakelock sensor_SMD for this with EX kernel manager (or another kernel manager ofcourse).
Unfortunately it is not possible to block wakelocks with the default Omnirom kernel so I am using Mady's Xtended Kernel for this in combination with the following doze settings in the OmniGears doze menu:
light_after_inactive_to = 0
light_pre_idle_to = 0
light_idle_to = 0
inactive_to = 10
sensing_to = 0
locating_to = 0
motion_inactive_to = 0
idle_after_inactive_to = 0
idle_pending_to = 30
idle_to = 1800
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}

Jan_L said:
You have to use another kernel then default for this because you have to block the wakelock sensor_SMD for this with EX kernel manager (or another kernel manager ofcourse).
Unfortunately it is not possible to block wakelocks with the default Omnirom kernel so I am using Mady's Xtended Kernel for this in combination with the following doze settings in the OmniGears doze menu:
light_after_inactive_to = 0
light_pre_idle_to = 0
light_idle_to = 0
inactive_to = 10
sensing_to = 0
locating_to = 0
motion_inactive_to = 0
idle_after_inactive_to = 0
idle_pending_to = 30
idle_to = 1800
Click to expand...
Click to collapse
so I can change the values, but it has no effect, if i use the offical omni with his own kernel?

Master_TC said:
so I can change the values, but it has no effect, if i use the offical omni with his own kernel?
Click to expand...
Click to collapse
When the motion sensor is active, the device will come out of deep sleep.
Because in the mean time I have switched a lot in ROM's and kernels, I am using Forcedoze now again, but indeed, another kernel with wakelock blocking would do the job.
I would suggest HolyDragon kernel or Luiskernel, both are very good. Drain of Luiskernel is the lowest I could find until now (even better then Mady's).

Adding LTE / 4G bands on gt-i9295

Hi guys!
Does anybody know if it's possible to add bands 2,4,7,28 on the gt-i9295 phone?
I've reading about the NV calculator, putting the phone in modem debug mode, the *#011# codes, etc, but I was hopping to find someone who did this successfully on this phone and who could assist me on the process.
Thanks!

I've successfully followed some mixed tutorials and got a .QCN dump of the NV memory of my gt-i9295.
· Went back from Lineage 16 to stock rom using ODIN, following these tutorials for S4 (normal one) and Tab 4
· Since I couldn't find the firmware for i9295 on sammobile web, I looked for it on youtube (don't remember exactly which video, but something like https://www.youtube.com/watch?v=SW_QF0ZdhEU that took me to mega.nz). The firmware was in Russian and had to change it on the first startup.
· Once in the stock rom, I've followed this tutorial, with the recommendations from "mrrocketdog" on page 146 for adding "cp logging" from recovery and "*#9090# into option 2 with * around it. reboots automatically". Also reviewed these:
- https://galaxys4root.com/galaxy-s4-...aws-bands-on-att-galaxy-s4-sgh-i337sgh-i337m/
- https://forum.xda-developers.com/galaxy-s5/general/guide-enable-unlock-edit-add-gsm-lte-t2948822
- https://forum.xda-developers.com/galaxy-s5/general/how-to-add-rf-lte-frequency-bands-to-t2886059
- https://forum.xda-developers.com/android/general/3g-lte-frequency-nv-items-qualcomm-t2950491
- https://forum.xda-developers.com/android/apps-games/app-qualcomm-nv-calculator-adding-2g-3g-t2915649
- https://forum.xda-developers.com/hardware-hacking/hardware/how-to-correct-edit-qcn-files-t3850464
Now I have my QCN file using QPST but I cannot find NV 06828 and NV 06829 registres in my file and I'm stuck on that part.
These are the files:
i9295.qcn and i9295.txt version
I need to add 4G bands for Argentina (https://www.kimovil.com/es/frequency-checker/AR)
B2 – 1900 MHz
B4 – 1700 MHz AWS (most important)
B7 – 2600 MHz
B8 – 900 MHz
B28 – 700 MHz APT (important too) (B17 on same freq does not work)
Does anyone know how to edit my QCN file to add those bands?
Thanks!

hello
you have not a full backup of qcn ( maybe you don't us the right QPST version for this device )
original QCN for I9295 :
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
so : D5 00 08 flipped = B 1,3,5,7,8,and 20
i need some free time to calculate and look all NV that you must add for trying
regards

yakapa40 said:
original QCN for I9295 :
Click to expand...
Click to collapse
Do you have this file for download?
"GT-I9295_M9615A-CEFWTAZM-4.0.17083_28-9-2014_16-37-34.qcn"
Thanks!
Ignacio

I9295 qcn link :
https://mega.nz/#!zPwx2QaT!ZF9TBl06POoD8hja9WUBgVKGEq2xLE9wE4eSIP0GBsk
take care only for control , you must not flash it on your device
your qcn is unique
there is always one qcn file for each device ( IMEI S/N product date product code original CSC .... efs ....)

Thanks! I've installed QPST build 411 and got the full QCN file (there are too many diffs with the file you've linked, I can upload a .patch file if needed to review them)
So, in order to add these bands:
B2 – 1900 MHz
B4 – 1700 MHz AWS (most important)
B28 – 700 MHz APT (important too) (B17 on same freq does not work)
i need to change the "D5 00 08 00" part like this:
Code:
1101 0101 0000 0000 0000 1000 0000 0000‬ = D5 00 08 00 (original)
0000 0000 0000 1000 0000 0000 1101 0101 = 00 08 00 D5 (flipped)
3332 2222 2222 2111 1111 1100 0000 0000 (tens)
2109 8765 4321 0987 6543 2109 8765 4321 (units)
· ·· · · · (original: 1,3,5,7,8,20)
* · ·· · *·*· (| bands 2,4,28)
0000 1000 0000 1000 0000 0000 1101 1111 (final: 1,2,3,4,5,7,8,20,28)
0 8 0 8 0 0 D F = 08 08 00 DF
flipped: DF 00 08 08
Is this calculation right?
Should I take some extra backup steps (other than having the .qcn file for restore)?
Thanks!

exact for NV6828 :
i think you also need to add configuration for these bands
exemple for B4 :
https://drive.google.com/file/d/1MsPBiHRIw9l_8W66BVPJlfwV36sQGU9X/view?usp=sharing

<duplicated>

@yakapa40
So, I did run "Restore" with the QCN file edited using "DF 00 08 08" instead of "D5 00 08 00" which was exactly located in address "0100AC1A" as described in this video (using a hex editor):
(jump to minute 4:10)
https://youtu.be/jPouF3bzoDI?t=250
The QCN file was restored successfully and the phone restarted automatically (as described in here)
But I'm still unable to join 4G networks in any of the 3 provider networks.
I don't know how to set those configurations for B4 that you shared. Can you point me with a procedure?
Thanks!