Uni_ExtRom_unlocker.cab does not work correctly - JASJAR, XDA Exec, MDA Pro General

I downloaded a cab called Uni_ExtRom_unlocker.cab and found out that it sets HKLM\System\StorageManager\Autoload\TRUEFFS_DOC1
DriverPath..........Drivers\BuiltIn\TrueFFS_G31
This is incorrect, the key needs to be set to
DriverPath...........Drivers\BuiltIn\TrueFFS1
In the Remove Program window this is listed as Buzz_lightyear Uni ExtRom unlocker.
If you install or reinstall Uni_ExtRom_unlocker.cab, it will set HKLM\System\StorageManager\Autoload\TRUEFFS_DOC1\DriverPath to Drivers\BuiltIn\TrueFFS_G31; this results in the Extended ROM disappearing.
If you look at HKLM\Drivers\BuiltIn\ you will find TrueFFS, TrueFFS1, and TrueFFS2. There is no TrueFFS_G31 key; there is a TrueFFS_G31.dll.
Thanks
DAH

This is not quite true dah. On my XDA Exec I do not have HKLM\Drivers\BuiltIn\TrueFFS, TrueFFS1, and TrueFFS2 but I do have TrueFFS_G31 so for me the value is correct.

Interesting. Could you post what your Drivers\BuiltIn\TrueFFS_G31 contains? Perhaps that is why this has resulted in such confusion? I have run the i-Mate ROMs and all three of them are set up with the TrueFFS, TrueFFS1, and TrueFFS2 keys.
Thanks for the update.

Here you go
(Default) (value not set)
AutoDPDMode 0x1 (1)
Dll TrueFFS_G3.dll
Flags 0x4 (4)
IClass {A4E7EDDA-E575-4252-9D6B-4195D48BB865}
Index 0x2 (2)
Ioctl 0x4 (4)
Key Drivers\BuiltIn\TrueFFS_G31
Order 0x1 (1)
Prefix DSK
Profile TRUEFFS_DOC1
SoftwareWriteProtect 0x0 (0)
Use8Bit 0x1 (1)
WindowBase 0x0 (0)

Here are the specifics of my device:
O2 XDA Exec
Rom version 1.13.82 WWE
Rom date 11/30/05
Radio version 1.04.02
Protocol version 42.37.P8
ExtRom version 1.13.188 WWE


AKU2.x CID and SIM unlock guide

I wrote this guide because I got frustrated at the seeming impossibility of downgrading a 2.21+ SPL ROM on my Wizard to CID unlock it, and the fact that lokiwiz did not work either.
After a day of research it became apparent that this was far from the truth, and that it was easily unlockable. All the tools were out there; there just wasn't a guide to help direct someone through all the steps.
Well this is that guide.
I've tried to make it newbie friendly, and although this has only been tested on my Wizard, I see no reason why this wouldn't work on the Typhoon (in fact most of the tools used are originally for the Typhoon) and Tornado, seeing as they have almost identical boot loaders.
The guide comes with the usual warning:
“If you manage to brick your phone, it wasn't my fault”
I can't stress this point enough though: get a few numbers wrong in some of the commands in the guide, and you could break your phone. Triple check everything you type in!!
Attached is the guide in a zipped version in HTML and .doc format (HTML for those of you that can't be arsed with MS Word files).
Enjoy
This guide works on G3 phones only, regardless of ROM version, but I see little point in going through all these steps when for 90% of you, lokiwiz should work fine. So I suggest you only use this guide if you are having trouble with lokiwiz, and/or you have a 2.21+ SPL G3 Wizard.
**EDIT**Guide back up and updated
Looks good Craptree,
Unfortunately I don't own a G4 device to try it on.
Would love to hear some feedback from users that have a G4 CID Locked Wizard and used this how-to to successfully CID unlock their G4 Wizard.
Regards,
Molski
Thank you
keep up the good work Molski
Firstly, good work, that was some reading and collating you did. I've worked my way through, but when I come to write the unlocked.nb file back using "pdocwrite -n 1 unlocked.nb" I get this error:
CopyFileToTFFS(unlocked.nb:0, 0, 00010000)
ERROR: ITWriteDisk - A device attached to the system is not functioning.
Can you shed some light?
OK, I've done some snooping around. Should the last command be something like
pdocwrite -n 1 0 0x10000 unlocked.nb ??
I have tried this method. And got cid.bin file from the device. How can I convert the cid.bin to cid.nf file? Will this command "perl typhooncidedit.pl cid.bin" generate the cid.nf file? I don't get it. Please help me. Thanks!
Hi, I'm by no means anywhere near an expert (as you can see from my posting above), but from my limited experience I can say no, perl typhooncidedit.pl cid.bin will read the current file, though note you need to reboot after installing Active Perl and there seems to be a spelling mistake in the commands in the howto: it's typhooncidedit_pl, note the underscore not a full stop.
It's the command "perl typhooncidedit_pl cid.bin -c 11111111 -w unlocked.bin" that creates the file to be written back to the phone. However, this is where it ends for me, as I can't get the next stage to work just yet and am a little wary of playing around without more informed guidance in case I brick the device.
problem with soulcage
when I try to download the package with the crypt-des i got this message:
soulcage.net
This domain name expired on 10/09/2006 and is pending renewal or deletion.
is there any other place to get this package?!?
Weird, I did it last night and it worked. I even just reopened ActivePerl and it rechecked with no errors. You are downloading the package through ActivePerl, aren't you?
I'm also getting the ITWriteDisk error and the problem with the Crypt-DES repository. Found Crypt-DES at http://theory.uwinnipeg.ca/ppms/ in the end.
wblqx - oops, looks like I got muddled up with my file name extensions. It doesn't matter if the file's a .nb or .bin, they're both identical. Just reference the file you have. So if you have a cid.bin, the command would be
perl typhooncidedit.pl cid.bin -c 11111111 -w unlocked.nb
flipside101 - hmmm, I'm not quite sure why it won't let you write the file back... all I can suggest is to make sure that cert_spcs.cab and enablerapi.cab have been loaded onto your phone. Have you tried copying the files onto your phone and running them manually?
PS - I've changed the original guides to avoid this confusion in the future, wblqx
Ok, I got the crypt-des from here: http://theoryx5.uwinnipeg.ca/ppms/package.xml
and it's version 2.05 from Dave Parishere and this is what I have here:
I got the cid.bin file and this is what I read "inside" it:
D:\qtek\cid>perl typhooncidedit.pl cid.bin
0x0000 - version : 00000001
0xfff8 - checksum: keyix=48: f75b0704 - f2c82199ed8f7449
0x01a0 - keyindex: 000000e600000000 -> 230
0x1930 - cid key : 'MODULESN'
0x0160 - cid : 0008:'WIZQTK01' 0e0f101112131415161718191a1b1c1d1e1f20212223
0x1c80 - lockflag: 0000000000000000
0x0140 - imei : 3563840009225810
0x1d00 - lock 0 : 7bea42ec25ae4b6eac30b47d9691fdac
0x1d10 - lock 1 : 4a02f79b693fe782ad1cf1a9133fc981
0x1d20 - lock 2 : 5afd85493fd413c46b2a28d3ead12c0e
0x1d30 - lock 3 : c82b3203be8574b85f141684499d1d85
0x1d40 - lock 4 : ea60e2bc84f2f60fc730cea22b3147ab
0x4000 - mncmcc : f5a235190000000000000000875f796f5cd3ce3ed6b1a16fc7cef324eed501e8
(the locks codes appears to be crypted, is that correct?)
then I did the perl typhooncidedit.pl cid.bin -c 11111111 -w unlocked.nb and got it:
D:\qtek\cid>perl typhooncidedit.pl cid.bin -c 11111111 -w unlocked.nb
0x0000 - version : 00000001
0xfff8 - checksum: keyix=48: f75b0704 - f2c82199ed8f7449
0x01a0 - keyindex: 000000e600000000 -> 230
0x1930 - cid key : 'MODULESN'
0x0160 - cid : 0008:'WIZQTK01' 0e0f101112131415161718191a1b1c1d1e1f20212223
0x1c80 - lockflag: 0000000000000000
0x0140 - imei : 3563840009225810
0x1d00 - lock 0 : 7bea42ec25ae4b6eac30b47d9691fdac
0x1d10 - lock 1 : 4a02f79b693fe782ad1cf1a9133fc981
0x1d20 - lock 2 : 5afd85493fd413c46b2a28d3ead12c0e
0x1d30 - lock 3 : c82b3203be8574b85f141684499d1d85
0x1d40 - lock 4 : ea60e2bc84f2f60fc730cea22b3147ab
0x4000 - mncmcc : f5a235190000000000000000875f796f5cd3ce3ed6b1a16fc7cef324eed501e8
olddata: 6d18c04e8ed463a6460f100469464259621e8365aeb43277cf2858b925828379
newdata: 95ea23df0bf16432cf7be60912a5cbdedee342037c9d3bd3dee342037c9d3bd3
newsum=3c8b458b encsum=4e3630065084dd42
and at least the: pdocwrite -n 1 unlocked.nb gave me this:
D:\qtek\cid>pdocwrite -n 1 unlocked.nb
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 96 10 01 04 13 1d 11 2c 15 03 06 c5
CopyFileToTFFS(unlocked.nb:0, 0, 00010000)
ERROR: ITWriteDisk - An internal error occurred.
captree, do you have any clue about what is wrong?
here is the unlocked.nb:
D:\qtek\cid>perl typhooncidedit.pl unlocked.nb
0x0000 - version : 00000001
0xfff8 - checksum: keyix=48: 3c8b458b - 4e3630065084dd42
0x01a0 - keyindex: 000000e600000000 -> 230
0x1930 - cid key : 'MODULESN'
0x0160 - cid : 0008:'11111111' 00000000000000000000000000000000000000000000
0x1c80 - lockflag: 0000000000000000
0x0140 - imei : 3563840009225810
0x1d00 - lock 0 : 7bea42ec25ae4b6eac30b47d9691fdac
0x1d10 - lock 1 : 4a02f79b693fe782ad1cf1a9133fc981
0x1d20 - lock 2 : 5afd85493fd413c46b2a28d3ead12c0e
0x1d30 - lock 3 : c82b3203be8574b85f141684499d1d85
0x1d40 - lock 4 : ea60e2bc84f2f60fc730cea22b3147ab
0x4000 - mncmcc : f5a235190000000000000000875f796f5cd3ce3ed6b1a16fc7cef324eed501e8
Hi Craptree, no i tried the manual running of rapi but i still get the same error
D:\XDA\CID>pdocwrite -n 1 unlocked.bin
CopyFileToTFFS(unlocked.bin:0, 0, 00010000)
ERROR: ITWriteDisk - A device attached to the system is not functioning.
In case it's any help, here's some info on the locked and unlocked files
LOCKED
D:\XDA\CID>perl typhooncidedit_pl cid.bin
0x0000 - version : 00000001
0xfff8 - checksum: keyix=55: 431ca7b6 - fa9d45e5b52e53c3
0x01a0 - keyindex: 0000004a00000000 -> 74
0x1450 - cid key : 32421a0edf4fa9d6
0x0160 - cid : 0008:'WIZO2B01' 0e0f101112131415161718191a1b1c1d1e1f20212223
0x1c80 - lockflag: 0000000000000000
0x0140 - imei : 3563830004598750
0x1d00 - lock 0 : a2a9faccbbfbc0d94497e96264896558
0x1d10 - lock 1 : 58ff98fb2af1350f7fca4f890f358808
0x1d20 - lock 2 : 7b53c3aa8c9d522e46e73b558d75f287
0x1d30 - lock 3 : 0e92d1ddbc64b8e5f8c9950a0bf33284
0x1d40 - lock 4 : 92895c989f8ac37c77b97eadef53e5dc
0x4000 - mncmcc : 095ce2420000000000000000c7c8aba45e2c4b0f8d5e300ab86152430094117c
UNLOCKED
D:\XDA\CID>perl typhooncidedit_pl unlocked.bin
0x0000 - version : 00000001
0xfff8 - checksum: keyix=55: 7d3a21f5 - fdee2cb45bfc5c18
0x01a0 - keyindex: 0000004a00000000 -> 74
0x1450 - cid key : 32421a0edf4fa9d6
0x0160 - cid : 0008:'11111111' 00000000000000000000000000000000000000000000
0x1c80 - lockflag: 0000000000000000
0x0140 - imei : 3563830004598750
0x1d00 - lock 0 : a2a9faccbbfbc0d94497e96264896558
0x1d10 - lock 1 : 58ff98fb2af1350f7fca4f890f358808
0x1d20 - lock 2 : 7b53c3aa8c9d522e46e73b558d75f287
0x1d30 - lock 3 : 0e92d1ddbc64b8e5f8c9950a0bf33284
0x1d40 - lock 4 : 92895c989f8ac37c77b97eadef53e5dc
0x4000 - mncmcc : 095ce2420000000000000000c7c8aba45e2c4b0f8d5e300ab86152430094117c
Hello,
First I have to say this initiative for a CID unlock guide is GREAT !
Unfortunately, I went to the same process and also got write error in the end.
Here's for me :
- Had to use Crypt-DES from http://theoryx5.uwinnipeg.ca/ppms/package.xml while Soulcage.net access is off (or so it seems)
- Installed Cert_SPCS.cab and EnableRapi.cab both using .bat and manual installation
- Was able to get the CID.bin & modify without problem
- Last operation results in following error:
"3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 3a 20 01 02 23 2a 12 8d 01 09 05 40
CopyFileToTFFS(cid_unlocked.nb:0, 0, 00010000)
ERROR: ITWriteDisk - Internal error" (translated from French).
My CID binaries :
## perl typhooncidedit.pl cid_original.bin
0x0000 - version : 00000001
0xfff8 - checksum: keyix=40: 1cab1674 - 37f31b4a27fe4616
0x01a0 - keyindex: 000000d900000000 -> 217
0x18c8 - cid key : 'MODULESN'
0x0160 - cid : 0008:'WIZQTK24' 0e0f101112131415161718191a1b1c1d1e1f20212223
0x1c80 - lockflag: 0000000000000000
0x0140 - imei : 3563840001521300
0x1d00 - lock 0 : 76a905824418f065eefd32cbfb611d28
0x1d10 - lock 1 : 91450180424a15f000bdd1851e5fbb51
0x1d20 - lock 2 : c14cc13d337415f59b71512adfb0319d
0x1d30 - lock 3 : 8b62365380a7f3436e43a4299ce97c0d
0x1d40 - lock 4 : 867bbb89c9d3593a72621810278c89db
0x4000 - mncmcc : 762173b9000000000000000091bcf2bbcf1921a206e6fd057e61d6c08f467a95
## perl typhooncidedit.pl cid_unlocked.nb
0x0000 - version : 00000001
0xfff8 - checksum: keyix=40: 500ec10b - c44c8893515dcabf
0x01a0 - keyindex: 000000d900000000 -> 217
0x18c8 - cid key : 'MODULESN'
0x0160 - cid : 0008:'11111111' 00000000000000000000000000000000000000000000
0x1c80 - lockflag: 0000000000000000
0x0140 - imei : 3563840001521300
0x1d00 - lock 0 : 76a905824418f065eefd32cbfb611d28
0x1d10 - lock 1 : 91450180424a15f000bdd1851e5fbb51
0x1d20 - lock 2 : c14cc13d337415f59b71512adfb0319d
0x1d30 - lock 3 : 8b62365380a7f3436e43a4299ce97c0d
0x1d40 - lock 4 : 867bbb89c9d3593a72621810278c89db
0x4000 - mncmcc : 762173b9000000000000000091bcf2bbcf1921a206e6fd057e61d6c08f467a95
Could this be because we had to use a different Crypt-DES package? Or shall we look for some other reason?
Thanks and good luck
Sylvain
This is weird, it looks like it's worked for no one except me
sorry...
my Wizard was a G3, but it was locked into 2.26 SPL, and refused to be unlocked with lokiwiz (as G3's with 2.21+ ROMs seem to have the same problem with CID unlocking that G4's do), or anything else, and this manual way was the only thing that did the job for me...
I have two reasons, and I fear it's the first one...
1) G3 2.21+ CID locked phones don't have the same problem with CID unlocking that G4's do. So this solution may only work on G3 2.21+ phones
2) I semi downgraded the phone with ftp://xda:[email protected]__RUU_Wizard_1050412_WWE_101_11210_WWE.exe first (it downgraded everything except the SPL), then did all the steps laid out in the guide.
riz
jubanet - yea, it appears the lock code is encrypted. if someone with the crypted lock code cid.bin files could send me one, i can see if it appears unencrypted on my version of crypt-des
craptree said:
jubanet - yea, it appears the lock code is encrypted. if someone with the crypted lock code cid.bin files could send me one, i can see if it appears unencrypted on my version of crypt-des
here it is!
craptree said:
This is weird, it looks like it's worked for no one except me
sorry...
my Wizard was a G3, but it was locked into 2.26 SPL, and refused to be unlocked with lokiwiz (as G3's with 2.21+ ROMs seem to have the same problem with CID unlocking that G4's do), or anything else, and this manual way was the only thing that did the job for me...
I have two reasons, and I fear it's the first one...
1) G3 2.21+ CID locked phones don't have the same problem with CID unlocking that G4's do. So this solution may only work on G3 2.21+ phones
2) I semi downgraded the phone with ftp://xda:[email protected]__RUU_Wizard_1050412_WWE_101_11210_WWE.exe first (it downgraded everything except the SPL), then did all the steps laid out in the guide.
riz
hummm...
everybody says that's impossible to CID unlock the G4...
I'll try downgrading to that rom (without touching the ipl/spl)
@ craptree
I'm on a G3 2.21.4.1 O2 Wizard, so similar to yours, I'll try the partial downgrade
Might be a stupid question but the subject says that it's a CID and SIM unlock. The doc only mentions SIM unlock.
LordPhong said:
Might be a stupid question but the subject says that it's a CID and SIM unlock. The doc only mentions SIM unlock.
The only bit in the doc that's about SIM unlocking is
"**The number at 0x1d00 is your sim unlock code. Write it down somewhere and use it to sim unlock your phone (i.e. when you insert a different providers sim card, it will ask you for a code)"
The rest is purely about the cid

Factory values in BT AudioGateway

Hi..
I have been installing some BTroute and Jetaware applications in my Touch Dual, so now my \HKEY_LOCAL_MACHINE\software\microsoft\Bluetooth\audioGateway does not have the factory settings.
Can someone send me the default settings?
Just check the registry and write down here the keys and values
Thank you
Default setting from my Touch Dual 20keys
\HKEY_LOCAL_MACHINE\software\microsoft\Bluetooth\AudioGateway
BTAGExtModule = OEMAGW.dll
BTAGPBModule = \Windows\BthAGPhonebook.dll
Capability = 0x65(101)
ConnectHFOnCall = 0x0(0)
NoRoleSwitch = 0x1(1)
SupportCLI = 0x0(0)
Hope this can help you.
Mine was
BTAGextmodule=BthagPhoneBook.dll
BTAGPBModule=OEMAGW.DLL
Capability 0x65
ConnectHFOnCall 0x0
MicVolume 0x8
NoRoleSwitch 0x1
PowerSave 0x0
SpkVolume 0x8
SupportCli 0x0
I'm going to try yours
Thanks!

Is it possible to unlock EXTROM space?

It seems that there is about 100 MB Missing... I just guess is EXTROM
It could very easy to test that - different EXTROM but same Flash.bin.
The total free ROM space unchanged, even your EXTROM just used a few MB
If the EXTROM could be used, then it could be great help for cooking
The files may relate to FLASH.Header and partition.mbn. could anyone have a good try?
But...
pdocread.exe -l
411.25M (0x19b40000) DSK1:
| 1.87M (0x1df000) Part00 BOOT SECTION image
| 5.00M (0x500000) Part01 XIP RAM Image
| 84.25M (0x5440000) Part02 IMGFS file system
| 320.13M (0x14020000) Part03 legit DOS partition
handle#1 ef638fc6 320.13M (0x14020000)
handle#2 ef6adea6 84.25M (0x5440000)
handle#3 2f6ade82 5.00M (0x500000)
handle#4 4f6ade3a 1.87M (0x1df000)
Total is just 411.25, about 100MB (0x064C0000) seems missing....
For Part02, I could know is imgfs, and Part00 seems EXTROM, but where is disappear 100M?
partition table:
Code:
Partition-Info :
------------------
MIBIB
---------------------------------------------------------
Page: 0x6
Size: 0x4
Address: 0x000C0000 - 0x00140000
Block: 0x00000180 - 0x00000280
Flash: 0xFEFFFFFF
SIM_SECURE
---------------------------------------------------------
Page: 0x4
Size: 0x2
Address: 0x00080000 - 0x000C0000
Block: 0x00000100 - 0x00000180
Flash: 0xFEFFFFFF
FSBL
---------------------------------------------------------
Page: 0x180
Size: 0x1E
Address: 0x03000000 - 0x033C0000
Block: 0x00006000 - 0x00006780
Flash: 0xFFFFFFFF
OSBL
---------------------------------------------------------
Page: 0x180
Size: 0x1E
Address: 0x03000000 - 0x033C0000
Block: 0x00006000 - 0x00006780
Flash: 0xFFFFFFFF
AMSS
---------------------------------------------------------
Page: 0x4650
Size: 0x708
Address: 0x8CA00000 - 0x9AB00000
Block: 0x00119400 - 0x00135600
Flash: 0xFFFFFFFF
EFS2
---------------------------------------------------------
Page: 0x1F40
Size: 0xC8
Address: 0x3E800000 - 0x40100000
Block: 0x0007D000 - 0x00080200
Flash: 0xFFFFFF01
DSP1
---------------------------------------------------------
Page: 0x3E80
Size: 0x258
Address: 0x7D000000 - 0x81B00000
Block: 0x000FA000 - 0x00103600
Flash: 0xFFFFFFFF
FOTA
---------------------------------------------------------
Page: 0x80
Size: 0x64
Address: 0x01000000 - 0x01C80000
Block: 0x00002000 - 0x00003900
Flash: 0xFFFFFFFF
EXTROM
---------------------------------------------------------
Page: 0xC350
Size: 0x7D0
Address: 0x86A00000 - 0x96400000
Block: 0x0010D400 - 0x0012C800
Flash: 0xFFFFFFFF
APPSBL
---------------------------------------------------------
Page: 0x300
Size: 0x32
Address: 0x06000000 - 0x06640000
Block: 0x0000C000 - 0x0000CC80
Flash: 0xFFFFFFFF
APPS
---------------------------------------------------------
Page: 0x80
Size: 0xC
Address: 0x01000000 - 0x01180000
Block: 0x00002000 - 0x00002300
Flash: 0xFFFFFFFF
EFS2APPS
---------------------------------------------------------
Page: 0xFFFFFFFF
Size: 0xFFFF
Address: 0xFFFE0000 - 0xFFFC0000
Block: 0x001FFFC0 - 0x001FFF80
Flash: 0xFFFF02FF
good investigation ! I hope you can find a Way to reduce the allocated space, sadly I can't help you with this...keep the research !
Arto said:
good investigation ! I hope you can find a Way to reduce the allocated space, sadly I can't help you with this...keep the research !
Thank you also
The difficult problem is that, I'm not much understanding NAND Flash...
But, it seems that, after flashing ROM with new partition.mbn, the size of ExtRom could be changed.
At this moment, I'm not sure that the Hex files should be also changed or not ...
Code:
EXTROM
---------------------------------------------------------
Page: 0xC350
Size: 0x7D0
Address: 0x86A00000 - 0x96400000
Block: 0x0010D400 - 0x0012C800
Flash: 0xFFFFFFFF
From Page (seems like format pagepool), the maximum ExtROM could be 50MB; that's the limit for a cook to modify ExtROM.
Of course, if we could modify ExtROM size, then we could include more modules in the Image
Moreover, including ExtROM, the boot system could used up to 93.674MB
my extrom take 7mb...so if the extrom allocated space can be changed it would be reallocated to application space? Qazer found a way to change page pool size, maybe it can help you on this !
edit, what is NAND flash?
Arto said:
my extrom take 7mb...so if the extrom allocated space can be changed it would be reallocated to application space? Qazer found a way to change page pool size, maybe it can help you on this !
edit, what is NAND flash?
After rearranged the partition table, it could be like this:
Code:
offset size
SIM_SECURE 0x4 0x2
MIBIB 0x6 0x4
FOTA 0x80 0x64
APPS 0x80 0xC
FSBL 0x180 0x1E
OSBL 0x180 0x1E
APPSBL 0x300 0x32
EFS2 0x1F40 0xC8
DSP1 0x3E80 0x258
AMSS 0x4650 0x708
EXTROM 0xC350 0x7D0
EFS2APPS 0xFFFFFFFF 0xFFFF
It could be much strange that some 'partitions' are overlapping!
Emmm, I forgot the order flashing these programs (.mbn), however, the ExtROM could be the last one to flash in the phone...
If somebody could tell me the order, then it could be much clear the process
Seems changed size could be OK, but I just wonder that what about ImageFS...
BTW, for term 'NAND flash', just wikipedia it
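
The overlap noticed in the post above can be checked mechanically. This is an added example, not part of the original thread: it copies the Page, Size and Address values from the dump and assumes, inferred only from those numbers, that the printed Address is Page × 0x20000 kept to 32 bits. It reports which entries overlap in page units and which overlaps appear only because a printed address has wrapped.

```python
PAGE_UNIT = 0x20000   # assumption inferred from the dump: Address == Page * 0x20000
MASK32 = 0xFFFFFFFF   # the dump prints addresses as 32-bit values

# name, Page, Size, Address start, Address end: values copied from the dump above
TABLE = """\
MIBIB      0x6        0x4    0x000C0000 0x00140000
SIM_SECURE 0x4        0x2    0x00080000 0x000C0000
FSBL       0x180      0x1E   0x03000000 0x033C0000
OSBL       0x180      0x1E   0x03000000 0x033C0000
AMSS       0x4650     0x708  0x8CA00000 0x9AB00000
EFS2       0x1F40     0xC8   0x3E800000 0x40100000
DSP1       0x3E80     0x258  0x7D000000 0x81B00000
FOTA       0x80       0x64   0x01000000 0x01C80000
EXTROM     0xC350     0x7D0  0x86A00000 0x96400000
APPSBL     0x300      0x32   0x06000000 0x06640000
APPS       0x80       0xC    0x01000000 0x01180000
EFS2APPS   0xFFFFFFFF 0xFFFF 0xFFFE0000 0xFFFC0000
"""


def parse_table(text):
    """Turn the compact table into a list of dict rows."""
    rows = []
    for line in text.splitlines():
        name, *nums = line.split()
        page, size, a0, a1 = (int(n, 16) for n in nums)
        rows.append({"name": name, "page": page, "size": size, "addr": (a0, a1)})
    return rows


def printed_address(row):
    """Address range the dump would print for this Page/Size (32-bit truncated)."""
    start = row["page"] * PAGE_UNIT
    end = (row["page"] + row["size"]) * PAGE_UNIT
    return (start & MASK32, end & MASK32)


def wrapped(rows):
    """Entries whose real end address does not fit in 32 bits."""
    return [r["name"] for r in rows
            if (r["page"] + r["size"]) * PAGE_UNIT > MASK32]


def overlaps(ranges):
    """ranges: {name: (start, end)}. Return sorted pairs of intersecting
    half-open ranges; ranges with end <= start (wrapped) are skipped."""
    items = sorted((s, e, n) for n, (s, e) in ranges.items() if s < e)
    found = []
    for i, (_, e1, n1) in enumerate(items):
        for s2, _, n2 in items[i + 1:]:
            if s2 >= e1:          # sorted by start, so nothing later can overlap
                break
            found.append(tuple(sorted((n1, n2))))
    return sorted(found)


def page_overlaps(rows):
    """Overlaps measured in untruncated page units."""
    return overlaps({r["name"]: (r["page"], r["page"] + r["size"]) for r in rows})


def address_overlaps(rows):
    """Overlaps as they appear from the printed 32-bit Address column."""
    return overlaps({r["name"]: r["addr"] for r in rows})


if __name__ == "__main__":
    rows = parse_table(TABLE)
    for r in rows:
        ok = printed_address(r) == r["addr"]
        print(f'{r["name"]:<10} printed address matches Page*0x20000: {ok}')
    print("wrapped past 32 bits:", wrapped(rows))
    real = page_overlaps(rows)
    print("overlap in page units:", real)
    print("overlap only in printed addresses:",
          [p for p in address_overlaps(rows) if p not in real])
```
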
the best thing we can do is to reallocate this space in a virtual ram driver, and don't use the extrom space anymore. I noticed that the extrom files (cabs,tsk..) are in the windows folder of the device when you explore the windows folder.
So Is there a virtual ram driver or is there a way to do that, we don't need space, we need ram alternative.
anyway, don't know if it is possible to do such a thing on winmo devices...
( a kind of swap space....)
ocman said:
the best thing we can do is to reallocate this space in a virtual ram driver, and don't use the extrom space anymore. I noticed that the extrom files (cabs,tsk..) are in the windows folder of the device when you explore the windows folder.
So Is there a virtual ram driver or is there a way to do that, we don't need space, we need ram alternative.
anyway, don't know if it is possible to do such a thing on winmo devices...
( a kind of swap space....)
I think we should hardmod to add more RAM instead of using NAND flash, to avoid damaging it faster
Emmm, at this time I could not be sooooooo brave to flash my only phone
I just only change 0x7D0 (D0 07 00 00) to 0x3E8 (E8 03 00 00)....
If I try to flash with new partition.mbn,the phone turn into FTM Mode
But I just put partition.mbn, extrom.bin and two hex files only to the flash tool...
It sounds like I should put all files in that...
Then, finally these two hex files ENPRG8650.hex and NPRG8650.hex should be also modified.

[LG G3 D855] GPS FIX for MM STOCK ROM - the only one method that really works!!!

source: https://code.google.com/p/android/issues/detail?id=81140#c695 post n° #695
all credits to the author (noltejer.. @gmail.com)
For users that have a device with root privileges, you can do it by yourself :
Method #1:
With a file explorer like ES explorer, go to "/system/etc"
open the file named "gps.conf"
You should find a variable named "CAPABILITIES"
Edit the file
If this variable is set to 0x37 or 0x35 or 0x33, change the value to 0x31
If this variable is set to 0x36, change the value to 0x30
If this variable is set to 0x27 or 0x25 or 0x23, change the value to 0x21
If this variable is set to 0x26, change the value to 0x20
If this variable is set to 0x17 or 0x15 or 0x13, change the value to 0x11
If this variable is set to 0x16, change the value to 0x10
Save the file and be sure that the permissions of the file are rw-r--r-- , restart the device and enjoy!
Method #2:
- Download and install FasterGPS from playstore
- Open the app and go to Advanced Settings / capabilities and change the value as described above (for example, I had 0x33 and I changed it to 0x31)
- Set your own continent and nation
- Restart the phone and enjoy!
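
Every mapping listed in Method #1 clears the same two bits (0x02 and 0x04) and leaves the rest of the value alone. The following is an added example, not part of the original post: it generalizes the table to a bit mask and applies it to a gps.conf text. The bit names are an assumption taken from the comment block usually shipped in Qualcomm gps.conf files, and the sample file content is constructed.

```python
import re

# Bit names follow the comment block found in stock Qualcomm gps.conf files.
# Assumption: the post lists only values and does not name the bits.
SCHEDULING, MSB, MSA = 0x01, 0x02, 0x04
ON_DEMAND_TIME, GEOFENCE = 0x10, 0x20
CLEAR_MASK = MSB | MSA  # 0x06: the bits every mapping in the post drops

# Old -> new values exactly as listed in Method #1 of the post.
POST_TABLE = {
    0x37: 0x31, 0x35: 0x31, 0x33: 0x31, 0x36: 0x30,
    0x27: 0x21, 0x25: 0x21, 0x23: 0x21, 0x26: 0x20,
    0x17: 0x11, 0x15: 0x11, 0x13: 0x11, 0x16: 0x10,
}

# Matches an active (not commented-out) CAPABILITIES line with a hex value.
_CAP_LINE = re.compile(r"^(\s*CAPABILITIES\s*=\s*)(0[xX][0-9A-Fa-f]+)(\s*)$")

# Constructed sample, not taken from a real device.
SAMPLE_CONF = (
    "# constructed sample gps.conf\n"
    "NTP_SERVER=pool.ntp.org\n"
    "# CAPABILITIES=0x33\n"
    "CAPABILITIES=0x37\n"
    "INTERMEDIATE_POS=0\n"
)


def fix_capabilities(value):
    """Clear the MSB and MSA bits and keep every other bit as it was."""
    return value & ~CLEAR_MASK


def describe(value):
    """Names of the capability bits set in value, lowest bit first."""
    names = [("SCHEDULING", SCHEDULING), ("MSB", MSB), ("MSA", MSA),
             ("ON_DEMAND_TIME", ON_DEMAND_TIME), ("GEOFENCE", GEOFENCE)]
    return [name for name, bit in names if value & bit]


def patch_gps_conf(text):
    """Return (new_text, changes); changes lists (old, new) per edited line.

    Commented-out lines and lines already free of the two bits are left
    untouched, so running the function twice changes nothing the second time.
    """
    out, changes = [], []
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]          # preserve LF or CRLF as found
        m = _CAP_LINE.match(body)
        if m:
            old = int(m.group(2), 16)
            new = fix_capabilities(old)
            if new != old:
                changes.append((old, new))
                body = f"{m.group(1)}0x{new:02X}{m.group(3)}"
        out.append(body + eol)
    return "".join(out), changes


if __name__ == "__main__":
    patched, changes = patch_gps_conf(SAMPLE_CONF)
    for old, new in changes:
        print(f"0x{old:02X} {describe(old)} -> 0x{new:02X} {describe(new)}")
    print(patched, end="")
```
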
Thanks
Sent from my LG-D855 using Tapatalk
Xxc
The only thing that made me get GPS signal has been to change the back of my G3, on which the GPS antenna is glued.

[Guide] Mate 9 Flash and DDR Info

Steps:
A. Unlock bootloader and install TWRP 3.0.3-1.
B. Run TWRP and connect usb cable.
C. Download HWDev_2017042201.zip
D. Run "hwdev.bat" and it will use keyword search kernel log for Flash and DDR info
I got my mate 9 info
Flash: TOSHIBA THGBF7T0L8LBATAC
DDR: lpddr4
What kind of DDR info do you expect from the kernel ?
The most obvious one:
Code:
HWMHA:/data/data # cat /proc/ddr_rod
lpddr3
HWMHA:/data/data # cat /proc/ddr_info
ddr_info:
0x401
And your method will report
Code:
ddr: current logic version is lpddr4 verison !!!
The lowlevel flash specs (SAMSUNG KLUCG4J1EB-B0B1):
Code:
HWMHA:/data/data # cat /sys/kernel/debug/ufs/dump_device_desc
Device Descriptor[Byte offset 0x0]: bLength = 0x40
Device Descriptor[Byte offset 0x1]: bDescriptorType = 0x0
Device Descriptor[Byte offset 0x2]: bDevice = 0x0
Device Descriptor[Byte offset 0x3]: bDeviceClass = 0x0
Device Descriptor[Byte offset 0x4]: bDeviceSubClass = 0x0
Device Descriptor[Byte offset 0x5]: bProtocol = 0x0
Device Descriptor[Byte offset 0x6]: bNumberLU = 0x4
Device Descriptor[Byte offset 0x7]: bNumberWLU = 0x4
Device Descriptor[Byte offset 0x8]: bBootEnable = 0x1
Device Descriptor[Byte offset 0x9]: bDescrAccessEn = 0x0
Device Descriptor[Byte offset 0xa]: bInitPowerMode = 0x1
Device Descriptor[Byte offset 0xb]: bHighPriorityLUN = 0x7f
Device Descriptor[Byte offset 0xc]: bSecureRemovalType = 0x0
Device Descriptor[Byte offset 0xd]: bSecurityLU = 0x1
Device Descriptor[Byte offset 0xe]: Reserved = 0x4
Device Descriptor[Byte offset 0xf]: bInitActiveICCLevel = 0x0
Device Descriptor[Byte offset 0x10]: wSpecVersion = 0x2
Device Descriptor[Byte offset 0x12]: wManufactureDate = 0x1610
Device Descriptor[Byte offset 0x14]: iManufactureName = 0x0
Device Descriptor[Byte offset 0x15]: iProductName = 0x1
Device Descriptor[Byte offset 0x16]: iSerialNumber = 0x2
Device Descriptor[Byte offset 0x17]: iOemID = 0x3
Device Descriptor[Byte offset 0x18]: wManufactureID = 0xce01
Device Descriptor[Byte offset 0x1a]: bUD0BaseOffset = 0x10
Device Descriptor[Byte offset 0x1b]: bUDConfigPLength = 0x10
Device Descriptor[Byte offset 0x1c]: bDeviceRTTCap = 0x2
Device Descriptor[Byte offset 0x1d]: wPeriodicRTCUpdate = 0x0
user4774 said:
What kind of DDR info do you expect from the kernel ?
The most obvious one:
Code:
HWMHA:/data/data # cat /proc/ddr_rod
lpddr3
No, it's incorrect.
Someone post source code, if it don't specify ddr type and it return default value "lpddr3".
DDR source code
mankindtw said:
No, it's incorrect.
Someone post source code, if it don't specify ddr type and it return default value "lpddr3".
OK. So this 'lpddr3' is printed based on the /proc/ddr_info value (DDR_TYPE_ADDR&0x00000FFF)
which is the "real" one. Do you have the same 0x401 value ? Our flash chips are obviously from different manufacturers.
Code:
current_bootloader_log: ddr info 0x00000401
While we are at the possible hardware variations: there are 5 LCD panels supported by the kernel:
Code:
JDI_R63452_6P0
JDI_NT35695_CUT3_1
LG_TD4322_6P0
LG_ER69006A
SHARP_TD4322_6P0
I have LG_TD4322_6P0.
This info is also visible on the kernel commandline
Code:
boardid=0x00001585 productid=0x3a001414 ufs_product_name=KLUCG4J1EB-B0B1 LCD_ID=0
user4774 said:
OK. So this 'lpddr3' is printed based on the /proc/ddr_info value (DDR_TYPE_ADDR&0x00000FFF)
which is the "real" one. Do you have the same 0x401 value ? Our flash chips are obviously from different manufacturers.
I have same lpddr3 from /proc/ddr_rod, but couple of kernel log message show lpddr4.
1. Can you post command to get info about ROM type? Ufs and version or eMMC and version. I want stop hysteria about memory types and don't trust benchmarks.
2. It would be great if somebody will post command to get info about display. 5 different displays is interesting fact
5[Strogino] said:
1. Can you post command to get info about ROM type? Ufs and version or eMMC and version.
The lsscsi command is not included in busybox, so you need to peek yourself in /sys/bus/scsi
Code:
HWMHA:/data/data # cat /sys/bus/scsi/devices/0:0:0:0/vendor
SAMSUNG
HWMHA:/data/data # cat /sys/bus/scsi/devices/0:0:0:0/model
KLUCG4J1EB-B0B1
HWMHA:/data/data # cat /proc/ddr_info
ddr_info:
0x401
2. It would be great if somebody will post command to get info about display. 5 different displays is interesting fact
This is more tricky. The grep panel_probe /splash2/kmsg_log provides such output:
Code:
display: [display]mipi_lg_panel_probe_TD4322: hisilicon,mipi_lg_TD4322_6P0
display: [display]mipi_lg_panel_probe_TD4322: lcd_bl_type=4!
display: [display]mipi_lg_panel_probe_TD4322: pxl_clk_rate=146 M
display: [display]mipi_lg_panel_probe_TD4322: lcd_bl_ic_name=LM36923YFFR!
display: [display]mipi_lg_panel_probe_TD4322: v_back_porch=28
display: [display]mipi_lg_panel_probe_TD4322: v_pulse_width=8
display: [display]mipi_lg_panel_probe_TD4322: lcd-vddio-type=1
display: [display]mipi_lg_panel_probe_TD4322: gpio_lcd_vddio = 67
display: [display]mipi_lg_panel_probe_TD4322: lcd_support_dynamic_gamma = 1
display: [display]mipi_lg_panel_probe_TD4322: hisifb_write_gm_to_reserved_mem has some problem!
The framebuffer driver is buggy too, and needs some patching :crying: RGB565 and geometry are ok.
Code:
HWMHA:/data/data # fbset -fb /dev/graphics/fb0
mode "1080x1920-0"
# D: 0.007 MHz, H: 0.006 kHz, V: 0.003 Hz
geometry 1080 1920 1080 5760 16
timings 146000000 23 50 28 14 20 8
accel false
rgba 5/11,6/5,5/0,0/0
endmode
user4774 said:
The lsscsi command is not included in busybox, so you need to peek yourself in /sys/bus/scsi
This is more tricky. The grep panel_probe /splash2/kmsg_log provides such output:
Thanks. I have same chip Samsung KLUCG4J1EB-B0B1
But display is different:
Code:
[display]mipi_jdi_panel_probe_R63452: hisilicon,mipi_jdi_R63452_6P0
[display]mipi_jdi_panel_probe_R63452: lcd_bl_type=4!
[display]mipi_jdi_panel_probe_R63452: lcd_bl_ic_name=LM36923YFFR!
[display]mipi_jdi_panel_probe_R63452: pxl_clk_rate=146 M
[display]mipi_jdi_panel_probe_R63452: v_back_porch=28
[display]mipi_jdi_panel_probe_R63452: v_pulse_width=8
[display]mipi_jdi_panel_probe_R63452: lcd-vddio-type=1
[display]mipi_jdi_panel_probe_R63452: gpio_lcd_vddio = 67
[display]mipi_jdi_panel_probe_R63452: lcd_support_dynamic_gamma = 1
Flash: SAMSUNG KLUCG4J1EB-B0B1
DDR: lpddr4
sashimiyarou said:
Flash: SAMSUNG KLUCG4J1EB-B0B1
DDR: lpddr4
What's about display?
mankindtw said:
I got my mate 9 info
Flash: TOSHIBA THGBF7T0L8LBATAC
DDR: lpddr4
I have a Toshiba also different model THGBF7G9L4LBATRC but can't find any information on it. How do we know if it's UFS 2.1 or 2.0?
EDIT: There's a chart here https://www.gizmochina.com/2017/04/...-ufs-2-1-description-official-mate-9-website/
The Samsung model at least has an info page on it. It's UFS 2.0.
http://www.samsung.com/semiconductor/products/flash-storage/ufs/KLUDG8J1CB-B0B1?ia=2413
So, is it already evidence that we were cheated and that Mate 9 exists with UFS 2.0? That's why they erased that specification from their website.
Sent from my MHA-L09 using Tapatalk
XoanCarlos said:
So, is it already evidence that we were cheated and that Mate 9 exists with UFS 2.0? That's why they erased that specification from their website.
Sent from my MHA-L09 using Tapatalk
Yes. My Mate 9 has UFS 2.0 Toshiba flash.
Tikerz said:
Yes. My Mate 9 has UFS 2.0 Toshiba flash.
One word: deception. Now I understand erasing this specification of your website, at least here, in Spain.
Sent from my MHA-L09 using Tapatalk
Tikerz said:
I have a Toshiba also different model THGBF7G9L4LBATRC but can't find any information on it. How do we know if it's UFS 2.1 or 2.0?
EDIT: There's a chart here https://www.gizmochina.com/2017/04/...-ufs-2-1-description-official-mate-9-website/
The Samsung model at least has an info page on it. It's UFS 2.0.
http://www.samsung.com/semiconductor/products/flash-storage/ufs/KLUDG8J1CB-B0B1?ia=2413
Maybe you didn't realize, but the Samsung model the other user posted is: KLUCG4J1EB-B0B1, and the one in your link is KLUDG8J1CB-B0B1. I tried to google the model number and google just automatically redirected to this different number.
mankindtw said:
Steps:
A. Unlock bootloader and install TWRP 3.0.3-1.
B. Run TWRP and connect usb cable.
C. Download HWDev_2017042201.zip
D. Run "hwdev.bat" and it will use keyword search kernel log for Flash and DDR info
toshiba UFS2.0
THGBF7....
KLU?G......
H28U.......
5[Strogino] said:
What's about display?
panel_lcd_lg_TD4322_6P0
They fit different UFS on our Mate, that's a fact. I have UFS 2.0, but I understand that other hardware like the LCD is also different on some phones. My LCD is JDI_R63452_6P0_LCD
I searched over other forums that many people have various touch screen issues regarding the model, so is that UFS a big deal if we couldn't compare all phones with all hardware combinations? Better UFS, but worse LCD, worse LCD but better UFS or all things best/worst ;p
sashimiyarou said:
panel_lcd_lg_TD4322_6P0
Is it enough to run?
Code:
find /sys/devices/platform -type d -name "panel_lcd*"
