Hi everyone
I am using my X10i in India and was on stock R1FA016 GENERIC
I wanted to get it updated to the R1FA020 version, so what I did was flash it to the generic UK version R1FA016 and then do an OTA, and I got the R1FA020 GENERIC UK version. However, now I want to go back to the India version, but I am not sure what I should do.
Please could someone help me out?
Regards
sandeep
use omnius
Visit omnius-server.com and download the Omnius tool, and download the R1FA016 Indian firmware named X10i_CUST_IN_GENERIC_1237_0692 from there and flash it. You will get your Indian R1FA016 FW and you can update to the R2BA023 Indian FW.
kannanX10 said:
use omnius
Visit omnius-server.com and download the Omnius tool, and download the R1FA016 Indian firmware named X10i_CUST_IN_GENERIC_1237_0692 from there and flash it. You will get your Indian R1FA016 FW and you can update to the R2BA023 Indian FW.
Thanks for helping me out; however, when I try to do so I am getting the following error:
Code:
Action journal
13:21:53 Flash
13:21:53 Allows to change languages supported by the phone and upgrade its firmware.
13:21:53 Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
13:21:53 Application version: 0.06.2254 (beta)
13:21:53 . The action name is 'Flash'
13:21:53 Selected phone type: Xperia™ X10
13:21:53 i Instructions
13:21:53 i 1. Make sure the phone battery is charged to at least 50%.
13:21:53 i 2. Switch off the phone!
13:21:53 i 3. Remove the phone battery and wait at least 5 seconds before reinserting it!
13:21:53 i 4. Press and hold the return back button, then connect the cable to the phone!
13:21:53 . The action started waiting for the user
13:23:17 . The action finished waiting for the user
13:23:17 Connecting via SEMC USB Flash Device (USB1)...
13:23:17 Device driver version: 2.2.0.5
13:23:17 Detected chipset: QSD8250
13:23:17 Boot mode: EROM
13:23:18 IMEI: 35941903678577
13:23:18 Sending loader...
13:23:20 Establishing connection to the server...
13:23:41 e Unable to connect to the server
13:23:41 e Failed!
13:23:41 . The action entered shutdown phase
13:23:41 . The action reported failure
Error code
# 3B553D15D90D0060
Error details
---
64 30 A1 54 F5 07 23 50 8F C4 F1 41 83 99 3B F1
04 B5 F7 A5 55 56 AD AA 06 52 DA D1 7D 23 95 E8
87 50 D7 39 05 F1 83 59 E2 6C C1 CD DD AE 65 F2
BB 5F 57 87 1B 97 B3 80 7F 8C 3B 37 CD EE 9B C9
D9 C2 37 1A 9B 06 E3 70 CF 0A CF F4 6D 9F FB 18
89 5C 67 FD EB 96 ED 60 E9 A8 51 50 ED A2 2B D6
C7 1E 69 F0 F3 71 D0 63
---
Is there any other way through which I can roll back using the flash tool?
I think that tool works without any error.
@ sandeep
Simple step: in your Omnius tool you will find Settings at the top right; please enter your username and password in the server settings. Now you won't get that error.
kannanX10 said:
Simple step: in your Omnius tool you will find Settings at the top right; please enter your username and password in the server settings. Now you won't get that error.
Hi, I did that. Moreover, I am also able to see the web page using the built-in browser of the application, but I am still getting the error. I also disabled my antivirus and created an application login as well, but still the same.
Also, one more question: is it required to take the battery out each time I try to flash?
From where did you download the Indian firmware? I also need that.
And also, your error is because you did not enter the username and password in the settings.
Register for the web on the Omnius website and then fill in that username and password in the software.
My error was the same and it works well with the proper username and password.
Do it, man. It's easy.
Guys, go to this site: http://gadgets.apnafundaz.com/ . It is a good site for the X10; you will get all the info and help there.
meetmenow007 said:
From where did you download the Indian firmware? I also need that.
And also, your error is because you did not enter the username and password in the settings.
Register for the web on the Omnius website and then fill in that username and password in the software.
My error was the same and it works well with the proper username and password.
Do it, man. It's easy.
I guess this will help you: http://gadgets.apnafundaz.com/2010/...ic-firmware-using-seus-new-debranding-method/
And you can download the Indian firmware version from there too.
vickysud said:
I guess this will help you: http://gadgets.apnafundaz.com/2010/...ic-firmware-using-seus-new-debranding-method/
And you can download the Indian firmware version from there too.
OK everyone, I have been able to get this done. If someone is also facing the same issue as me, here is what I did:
1. Google for the Omnius tool and download the tool along with the R1FA016 Indian firmware named X10i_CUST_IN_GENERIC_1237_0692 from there and flash it.
2. To flash it you will need to log in to the tool. When you go to the website for the Omnius tool you can create two logins, one web and one application. I guess the web login is for downloading the file, and the application login you need to use to log in through the actual application.
3. This will flash the stock R1FA016 Indian firmware, and then you can do an OTA to get the latest, that is R2BA023.
Related
Here http://www.xs4all.nl/~itsme/download/bootloaderfix.zip is a tool to fix
a broken bootloader.
Use with extreme care, only as a last resort.
This tool depends on specific memory locations for certain roms.
It does verify that it is talking to a known ROM. It also does a very
minimalistic check that the file presented to it resembles a bootloader.
I tested it with 3.16.52, 4.00.10 and 3.04.00 ( the very old ppc2003 rom ).
It should also work with 3.17.03, 3.19.01, 4.00.01 and 4.00.05.
Unpack the archive; from the command prompt, in the 'build' directory,
run 'pnewbootloader bl515.nb0'.
It should take about 10 seconds.
The output should be something like this:
Code:
C:\fix\build>pnewbootloader.exe bl515.nb0
protection found at 8c0d62d8
result: 00000000 00000000
If you get my CE utilities ( http://www.xs4all.nl/~itsme/projects/xda/tools.html )
you can check the current bootloader version with
Code:
C:\>pmemdump 0x80001880 0x40
80001880: 20 00 00 00 20 72 30 00 ff ff 00 f1 e0 07 1f 00 ... r0.........
80001890: 00 00 00 00 20 20 20 20 56 35 2e 31 35 20 20 20 .... V5.15
800018a0: 20 00 00 00 20 20 42 6f 6f 74 6c 6f 61 64 65 72 ... Bootloader
800018b0: 20 00 00 00 20 57 41 4c 4c 41 42 59 20 00 00 00 ... WALLABY ...
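The pmemdump output above is the check to run before touching the bootloader: the ASCII column already shows "V5.15" and "WALLABY", but reading it by eye is error-prone. The following parser is an added example, not part of Itsme's tools or this thread; it assumes only the dump format shown above (8 hex digits, a colon, up to 16 hex byte pairs, then a lossy ASCII column that is deliberately ignored) and extracts the printable strings and the version token from the raw bytes.

```python
import re
from typing import Dict, List

# Constructed sample input: the pmemdump output shown in the post above,
# pasted here so the parser runs offline without a connected device.
PMEMDUMP_OUTPUT = """\
80001880: 20 00 00 00 20 72 30 00 ff ff 00 f1 e0 07 1f 00 ... r0.........
80001890: 00 00 00 00 20 20 20 20 56 35 2e 31 35 20 20 20 .... V5.15
800018a0: 20 00 00 00 20 20 42 6f 6f 74 6c 6f 61 64 65 72 ... Bootloader
800018b0: 20 00 00 00 20 57 41 4c 4c 41 42 59 20 00 00 00 ... WALLABY ...
"""

# One dump line: 8 hex digits of address, a colon, then up to 16 hex byte
# pairs. The trailing ASCII column is not captured: it is lossy, because
# non-printable bytes are rendered as '.'.
LINE_RE = re.compile(
    r"^([0-9a-fA-F]{8}):((?:\s+[0-9a-fA-F]{2}){1,16})(?![0-9a-fA-F])"
)


def parse_pmemdump(text: str) -> Dict[int, bytes]:
    """Map each dumped line address to the raw bytes it carries."""
    chunks: Dict[int, bytes] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            chunks[int(m.group(1), 16)] = bytes.fromhex(m.group(2))
    return chunks


def dump_bytes(text: str) -> bytes:
    """Join the lines in address order, refusing dumps with gaps."""
    chunks = parse_pmemdump(text)
    out = bytearray()
    expected = None
    for addr in sorted(chunks):
        if expected is not None and addr != expected:
            raise ValueError(f"gap in dump before {addr:08x}")
        out += chunks[addr]
        expected = addr + len(chunks[addr])
    return bytes(out)


def printable_strings(data: bytes, min_len: int = 3) -> List[str]:
    """Runs of printable ASCII of at least min_len bytes (like strings(1)), trimmed."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    found = [m.group().decode("ascii").strip() for m in re.finditer(pattern, data)]
    return [s for s in found if s]


def bootloader_version(text: str) -> str:
    """Return the 'Vx.yy' token found in the dump, or raise if there is none."""
    for s in printable_strings(dump_bytes(text)):
        m = re.search(r"V\d+\.\d+", s)
        if m:
            return m.group()
    raise ValueError("no bootloader version string found")


if __name__ == "__main__":
    data = dump_bytes(PMEMDUMP_OUTPUT)
    print(f"{len(data)} bytes parsed")
    print("strings:", printable_strings(data))
    print("bootloader version:", bootloader_version(PMEMDUMP_OUTPUT))
```

Feeding the same dump from a device with a different bootloader would give a different version token, which is the value to compare against the list of ROM versions the tool was tested with before running it.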
hi,
Thanks for taking the time to make this utility. I am about to try it, but I'm not sure if I should run it on my XDA or on my desktop PC.
Could you please elaborate on how to use it?
Rico
Developer-#X2PL
Thanks for the new tool.
Unless I'm mistaken this requires an Active Sync connection ?
I am stuck on Wallaby 5.17 and a corrupted Rom image (My fault) and so can't establish an active sync connection. The only way to recover is to run an SD card restore but I have had no joy with the Wallaby patch to overcome the bootloader's security (Loads to SD card o.k but does not patch the bootloader on startup)
Is there any way of running your bootloader tool from a serial connection using the load and go command ?
Thanks
Richard
this tool runs on your desktop pc,
it requires a working activesync connection.
and also a working windows ce.
it is most useful for people who accidentally selected the same file for bootloader and osimage in xdarit. and are now stuck without a bootloader.
and it provides an easy way to change bootloader for people with a working xda and bootloader 5.17.
richard, sounds like the only way to fix your xda would be to get the patchloader working. does it say something about loading diagnostics, and bootloader detected, patching .... etc?
K2pl
Thanks for reply.
I get no messages at all when entering the bootloader with the patched SD card. I am wondering if XDArit is actually writing to the SD card. I have been receiving the successful write message and had assumed that it had done so, but after asking it to write a CE image it confirmed this in about 2 seconds, which I'm sure it couldn't have achieved. I have presumed that I wouldn't be able to see this file under Windows File Explorer even if it had written it; is this correct? I have also tried the 1.4 MB version but this just crashes (Win XP) at the write stage. I have a Unix box as well; if this program is available for this platform I could try that.
It sounds like sods law to me just two hours after corrupting my image a tool is released that would have allowed me to get out of it if only I had applied it first Oh well such is life.
Any help much appreciated.
Richard
XDA developer Itsme said:
this tool runs on your desktop pc,
it requires a working activesync connection.
and also a working windows ce.
it is most useful for people who accidentally selected the same file for bootloader and osimage in xdarit. and are now stuck without a bootloader.
and it provides an easy way to change bootloader for people with a working xda and bootloader 5.17.
Hi Itsme. Is there any link to download the bootloader 5.15.
Appreciate if U can post a link. :wink:
Thks.
OCMAX
It is included in the zip file just follow the instructions above. Don't forget if this goes wrong you will have a paper weight so don't do it unless you feel you really need to.
Richard
I think there are many more uses for a ROM-less XDA besides weighing on paper. You could also use it as a beer coaster, or its nice shiny surface might invite you to deposit thin lines of certain powders on it.
XDArit being done writing way too quickly is possibly not a good sign; maybe it is writing to the wrong disk?
I guess I'm going to get a chance to try them all whilst I wait for my old laptop to re-load XP (currently Red Hat) in the hope that its simplistic setup might allow the XDArit to function.
Happy sniffing
Richard
YEP 8)
That was the problem. Although it reported to be writing to the SD card, it was actually writing to my backup drive (no harm done). Once it was on my old laptop there is so little on it that I could quickly see what was going wrong. Anyway, thanks for the help.
Richard
Richjn said:
OCMAX
It is included in the zip file just follow the instructions above. Don't forget if this goes wrong you will have a paper weight so don't do it unless you feel you really need to.
Richard
Ge.. guys thks :lol: .
I just try it with XDA
Cooked ROM 4.00.05 from Jeff, Wallaby 5.17, xdarit 1.02, 256 MB SD Panasonic, time of bootloader -overwrite ROM less than 4 min.
It looks like it works well.
Thanks for the hard work.
Waiting for ROM 4.00.10 :roll:
Hi,
This sounds like good news. :lol: Can this tool rebuild my bootloader? Because last time I erased my bootloader (my fault), and until now I am stuck on ROM: 3.04.00 ENG / PW10B1 and can't upgrade the ROM for my device anymore. Please show me how to use this tool, because I am not an expert computer programmer. Sorry for this stupid question, and I hope you can help me with this problem.
Many thanks and nice work for the XDA Developer Team.
Regards
Sandy
For those who ran into a missing pput.exe:
the http://www.xs4all.nl/~itsme/download/bootloaderfix.zip is now updated,
and contains pput.exe.
pput.exe is also part of http://www.xs4all.nl/~itsme/download/itsutils.zip
Well it worked!!!
Thanks so much. My XDA is once again fully operational. I did run into the missing pput.exe error, but once I downloaded this file it worked like a charm.
The only thing is the result line did not show, so I waited quite some time before I just assumed it was done. And it was. :lol:
Thanks again XDA-developers.
Rico
My Bootloader Back
Hi XDA DEVELOPER Itsme,
I LOVE YOU MAN...hahahahahah i m so happy you help me to solve this problem....many many thanks..and great job. From now i can upgrade my device again...THANKS WILLEM....GOD BLESS YOU.
Regards
Sandy
XDA Developers you a Hero
Hi Guys,
Nice work... 2 thumbs up for Willem and the other XDA Developer guys. You made me happy today... btw good work. Almost 1 month I was waiting for help to solve this problem; finally you did it...
Many thanks
Itsme
Thanks for the help yesterday. As I live in Australia, by the time you helped me figure out what was going wrong it was gone midnight here, so having recovered my XDA I went to bed. Got up first thing, took a deep breath and ran your bootloaderfix tool, and it worked flawlessly.
I now have an SD card backup waiting for the next time I mess up.
The only problem left is I seem to have one of the units that randomly hard resets itself when you enter the bootloader, but that's a small price to pay.
Thanks again to all the Developers this is really great stuff.
Richard
Richjn,
You need to turn the phone off before entering the bootloader. If you power it off and enter the bootloader, it doesn't hard reset.
alex
Hi
Other Affected Users with OEM P3450 Bricks:
Orange UK (x2) - Both Fixed by Olipro
Orange FR (x3) - One Fixed by Olipro
T-Mobile UK (x1) - Fixed by Olipro
T-Mobile Italy? (x1)
Vodafone Spain (x1)
I stupidly risked loading a new ROM without seeing anyone else's feedback first! (last time I will do that!)
This was the ROM:
http://forum.xda-developers.com/showthread.php?t=378704
I ran
http://forum.xda-developers.com/showthread.php?t=320155
then I loaded the ROM
It loaded to 1% then the device reset then continued to 2% and reset again then came up with error 297 "invalid vender id"
and reset again.
I now have
IPL 2.20.0002
SPL 2.28.0000
tri colour display which I have tried to fix using the MTTY program
http://forum.xda-developers.com/showthread.php?t=347700
and when I type "ResetDevice" I wind up back at the tricolour
When I plug in the USB it shows in the white/grey strip at the bottom of the screen but I now get errors like
"corrupted image" if I try to load my original ROM
or
"Invalid vender id" from other images
I don't recall the IPL being 2.20.0002 before!
I have tried the rename of the .nbh file on a freshly formatted (FAT32) memory card and boot and saw a "Checking SD" then "certificate not valid" message then back to the tri-colour screen TSoD (tri-color Screen Of Death).
Can anyone help me?
Yours
Leon
I've done some tinkering - I figured, the thing is dead, dead, dead. So... what the h.
Some interesting commands are available at the MTTY screen but I cannot find a reference anywhere to them and the onboard OS help is not helpful.
Cmd>password BsaD5SeoA
Pass.
<snip usual initialisation messages>
Interesting:
Cmd>set g_cKeyCardSecurityLevel = 0
Cmd>ResetDevice
This makes the RUU indicator turn on in the top right of the tri-color screen
And this
Cmd>password BsaD5SeoA
Pass.
<snip usual initialisation messages>
Cmd>set MTTYDownloadImage = 1
Makes the screen go dark like when the Penguin Boot Loader file is transferred
Does anyone have any info on the commands that can be issued to the firmware?
Yours
Leon
Cmd>ruurun 1
Cmd>ResetDevice
Will give RUU in top right corner of Tri-Color
g_cKeyCardSecurityLevel = FF ------- MEANS NOT CID UNLOCKED
g_cKeyCardSecurityLevel = 0 --------- MEANS CID UNLOCKED
Go here, may be u will find this thread useful.
Elf/Elfin Original Roms Model Id & Cid Id List
Have a nice day.
exactly the same thing happened to me. and i have IPL 1.14.0002 and SPL 2.28.0000. what the f...k
CyZeeK said:
g_cKeyCardSecurityLevel = FF ------- MEANS NOT CID UNLOCKED
g_cKeyCardSecurityLevel = 0 --------- MEANS CID UNLOCKED
Go here, may be u will find this thread useful.
Elf/Elfin Original Roms Model Id & Cid Id List
Have a nice day.
Hi CyZeeK
Sadly, I had already read this and tried each of the ROMs listed in turn.
Incidentally your link is how I determined the command:
"set g_cKeyCardSecurityLevel = 0" - kudos to you mate.
Thanks for responding though
Yours
Leon
dimushor said:
exactly the same thing happened to me. and i have IPL 1.14.0002 and SPL 2.28.0000. what the f...k
You'll be the 5th person I have heard of with the same problem which seems to be limited to OEM versions of the P3450, a false-positive from the CID unlocker and a "new" p3450 ROM.
Can you tell me what the branding of your mobile is?
The others have
Orange UK (x2)
T-Mobile UK (x1)
T-Mobile Italy? (x1)
Yours
Leon
leondaphillips said:
You'll be the 5th person I have heard of with the same problem which seems to be limited to OEM versions of the P3450, a false-positive from the CID unlocker and a "new" p3450 ROM.
Can you tell me what the branding of your mobile is?
The others have
Orange UK (x2)
T-Mobile UK (x1)
T-Mobile Italy? (x1)
Yours
Leon
My device was from Orange France
dimushor said:
My device was from Orange France
Which version of the CID unlocker did you use before trying to flash the ROM?
leondaphillips said:
Which version of the CID unlocker did you use before trying to flash the ROM?
I used USPL v 1.0
Okay that's two for two.
1. Which ROM file did you load?
2. Did it fail at 2%, reset and continue to 3% before failing, giving an "Image corrupted" error or some other error message?
I tried to load the same ROM as you did. In general, I had exactly the same situation as you did. Too bad that I did not read what you wrote earlier in the thread about this ROM.
leondaphillips said:
Can you tell me what the branding of your mobile is?
The others have
Orange UK (x2)
T-Mobile UK (x1)
T-Mobile Italy? (x1)
Also I broke my device, it is from Orange France:
45 4C 46 30 31 30 30 30 30 00 00 00 00 00 00 00 ELF010000.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
4F 52 41 4E 47 32 30 32 00 00 00 00 00 00 00 00 ORANG202........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............
Hi VoyajMD
I am really sorry to hear you are in the same boat. We'll work together to cash our paperweights in for working phones again if at all possible.
I just need to locate an original code-signed RUU ROM from Orange and I believe that will get us all back online. (I say *just*, but you know how hard that might be!)
Any chance you could locate your original signed ROM image or get one from Orange Support in France? Are Orange support in France as bad as they are in the UK? (i.e. forget it, they won't be helpful)
Yours
Leon
I have also made the same mistake...
But somehow recovered using my original ROM, Asia HK version..
(My actual ROM is the India Airtel locked version 1.11.720.**)
and my device got recovered...
You too try, friends....
Hi.
If you're CID locked and still up **** creek, I can sort you out.
Of course, time is money, I'm a busy bloke, PM me
I have the original Orange France ROM, but it does not help. my device is also from orange france
You can try with other ROMs too.. Hard reset your device, then flash it from the memory card...
Olipro said:
Hi.
If you're CID locked and still up **** creek, I can sort you out.
Of course, time is money, I'm a busy bloke, PM me
Will do - thanks for the offer
my device always gives me "searching for SDcard" when it enters the bootloader
Before, with the original ROM, I had problems connecting to a secure network (WPA), but was able to connect to unsecured networks, after installing mon's 5.3, I can't connect to ANY wireless network at all
When I press connect, it says connecting, screen freezes for a sec, than the words go blank, after another sec, it goes back to the original screen (selection)
I've been searching around, but can't find any answers; the "closest" I got was this link, which I apparently can't post yet lol
Problem
"I now know the problem why the both devices couldn't connect to any wifi accesspoint.
samsung settings -> system -> version -> device -> WIFI.
the MAC address was: FF FF FF FF FF FF
that's the broadcast address for ethernet ...
So If you check Erase NV PDA & Erase CSC you get this problem.
after downgrade to your old 6.1 ROM... we have BACK a normal MAC address.. BUT !!!!
now we have the SAME mac address and probably the same mac as you: 00 00 00 FF FF 58
We upgraded again to 6.5 and still the same mac 00 00 00 FF FF 58
( so we can't connect simultaneously to the same access point )
Is there anyway to solve the MAC problem ?
thank you."
SOLUTION:
I try change register HKEY_LOCAL_MACHINE\Software\Samsung\WiFi "MACADDRESS" to 60D0A9........ but after soft reset is FF FF FF FF FF FF back :-(
tried via Admin menu?
1. type: *#1546792*#
2. choose "Internal"
3. Type as pwd: *#0807#
4. choose WiFi MAC address
5. type pwd: 1234
6. Set MacAdress
7. Execute
Of course you do it at your own risk!"
I don't think it applies to me though....
Does anyone have any advice?
(I tried a hard reset, still didn't help)
Thank you for your time and help!
after upgrading my spl 1 in htc hermes (i mate jasjam) to spl 2.1 then install wm 6.1 the wifi is not working.
I can't turn on wifi. When I touch in switch it do not on. I already made several hard resets and this does not result.
some one solve that problem in this Thread:
http://forum.xda-developers.com/show...490681&page=34
****ok finally it's all ok
i have read a good eeprom
so here is the solution
load in your trinity olipro1.30
open trin100.nb with an hex editor
at 1b810 and 1b820 replace htxxxx.. with your s/n (htxxyyxxxxx)
at 1f850 replace aa with your mac address; remember it is in reverse (real mac : 00-01-02-03-04-05-06 is written as 6d 54 06 05 04 03 02 01 00)
save file
now into bootloader
task 32
password BsaD5SeoA
lnb trin100.nb 500a0000 40000
reset
and enjoy****
But the problem is that this thread is for the HTC Trinity and I have an i-mate JasJam.
I have done the same steps, and when I want to convert the "nb" file in MTTY I write this command:
lnb trin100.nb 500a0000 400
mtty told me:
unkonwn cmd command!!
Someone asked the same question and they told him: "you have had olipro1.30 in your mobile", and I cannot find olipro1.30 for the JasJam.
Please, I need your help!!!!!
I wanted cellular service but wanted it separate from my router with wired and WiFi.
There were some OEM modems available but I ended up with a NetGear LM1200 LTE modem (USD 150).
I plugged it in using the SIM from my old MiFi 8800L and it booted and connected fine.
I was surprised that I could tracert to something VZW even without any service plan.
Screws are hidden under the rubber mat. I marked the position, pulled up a corner, used an office hole punch.
The UART is accessible. It uses 1.8V logic levels, 115.2 kbps, 8-n-1.
I mounted a JST XH-3 connector on the back panel and glued it in.
It works fine, but I need the UART login password.
Code:
mdm-perf 202108182013 mdm9607 /dev/ttyHSL0
mdm9607 login:
I loaded a software update on my usual connection and uploaded it to the modem.
The biggest difference is that the WAN input for fallback is now supported.
One thing that is nice is that the modem has a fixed IP (192.168.5.1) even when in bridge mode and having a network granted IP.
The web way to get status is through http://192.168.5.1/model.json?internalapi=1
You can add bogus query parameters if you are worried about something caching, &x=1234
Still, it only has one version of this JSON, which is 12 kB and takes over 300 ms to deliver!
OTOH, it gives out information that my old 8800L didn't have, like Local Area code.
Many tower DBs won't give you anything with just the tower ID.
I really want to get into this to add my own CGI to get a terse and useful status.
I like to be able to easily see signal quality when driving around and considering where to park.
I have not had this device before, what protocol are you using, I assume telnet.
On those older devices a lot of them don't have a root password, just user root and a blank password. I see I have an spk for this one but nothing I made and I have no notes for this one, so it tells me I have not had it before. If I need to get into a device and can't get past the root password, in Sierra devices there is usually a port open for AT commands; as I am sure you know, on newer devices it is 5510 and on a few others (mostly non-US models) 5511, so try 192.168.5.1:5510.
Use nmap or another port scanner to check for open ports. You may have to use one of those Ethernet ports if that USB-C has no endpoints; I would check the C port first, it should work after enabling the ports.
If you can get in you can probably enable adb after you pass the security challenge; I can help you with passing that if you need it. Here are some known root passwords you can try for Sierra:
GENERIC: "A710"
AC815s: "fallow"
MR1100: “lindeman”
AC790-Telstra: "sunflower"
LB1111: "granville"
AC810-100EUS: "whistler"
AC810S-1P1PLS: "seymour"
AC810S-1TLAUS: "grouse"
AC810S-1RDQAS: "cypress"
AC790-100EUS: "lavender"
AC790S-1SPSUS : "bluebell"
If all else fails I will give you the firmware for it and you can pull the shadow file from it; it holds the root pass and I'll show you how to reverse it and get the root pass from it.
rich hathaway said:
What protocol are you using, I assume telnet.
No, I'm directly on the debug UART (shown in those photos).
I can see a normal Qualcomm sbl/abl boot over the UART.
I've tried to interrupt it here but haven't been successful:
Code:
CTRL+C: enter instruction mode
RECOVERY,PINTEST OR FASTBOOT
aboot_init char:
I've not seen a peep out of the USB.
Looking at the PCB I can see that they are using a "chopped down" Type C connector.
That is a connector that has no USB 3 pairs on it.
I can see that there are D+/D- traces for USB 2.
5510 & 5511 refuse a connection.
Code:
$ nmap -p- 192.168.5.1
Starting Nmap 7.80 ( https://nmap.org ) at 2023-04-10 15:00 BST
Nmap scan report for 192.168.5.1
Host is up (0.0025s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
I tried all the passwords.
I have the .spk and I've even updated with it successfully.
I don't know the format of it, but it is statistically "noise".
It's encrypted and/or compressed.
Try password – oelinux123
login: root
dwa_e said:
Try password – oelinux123
login: root
Thanks for the tip. I did try that and a few variations.
@rich hathaway anything new on this?
I'd love to get a CGI (or SNMP) module going on this.
Yesterday, out of the blue, I went from full bars to none and level dropped 40 dB (on all devices)! It stayed that way for hours with barely any intermittent connectivity. Then it finally came back.
I'm liking my LM1200. It's got a big stupid plastic case with vents. Without display or battery it stays nice and cool. Also the internal antennas get lots of space and separation. They are funky sheet metal three sided boxes with weird cutouts.
I also have a LM1200-100NAS, along with a Netgear 6000450 external antenna - both of which I bought almost a year ago. It was already updated to the latest firmware. I'll be interested if there are any new findings, and thanks for what you've already shared.
This is a good read about NetGear "spk" files:
https://www.pentestpartners.com/sec...ption-case-study-on-the-netgear-nighthawk-m1/
I'm going to look into this.
Edit: There's no repeating 16 bytes in the file that I have...
Edit^2: Have I mentioned lately how much I hate Python?
Code:
C:\>whatever.py
... you don't have blah-blah installed ...
C:\>pip install blah-blah
blah-blah installed successfully!
C:\>whatever.py
... you don't have blah-blah installed ...
Edit^3: Well, I patched past the stupid colored text stuff but the AES stuff is still unhappy:
Code:
aes = AES.new(aes_key, AES.MODE_ECB, "")
Nope, not acceptable.
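The two observations above (the file is "statistically noise", and there are no repeating 16-byte blocks) are exactly the checks an analyst runs on an unknown firmware blob before spending time on it: byte entropy says whether it is encrypted or compressed at all, and repeated aligned blocks are the signature of ECB mode that the linked Nighthawk M1 write-up relied on. The script below is an added example, not code from this thread or from NetGear; it uses constructed sample blobs (a SHA-256 counter stream standing in for a properly encrypted image, and four repeated blocks standing in for ECB over a repetitive image) rather than any real .spk, and the 7.5-bit entropy threshold is an assumption, not a published cut-off.

```python
import hashlib
import math
from collections import Counter
from typing import Dict


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def repeated_blocks(data: bytes, block_size: int = 16) -> Dict[bytes, int]:
    """Aligned blocks that occur more than once, with their counts.

    Under ECB, identical plaintext blocks give identical ciphertext blocks,
    so repeats inside an otherwise random-looking blob are a giveaway.
    """
    counts = Counter(
        data[i:i + block_size]
        for i in range(0, len(data) - block_size + 1, block_size)
    )
    return {blk: c for blk, c in counts.items() if c > 1}


def analyze(data: bytes, block_size: int = 16) -> Dict[str, object]:
    """Summarise a blob: entropy, repeat statistics and a rough verdict."""
    repeats = repeated_blocks(data, block_size)
    entropy = shannon_entropy(data)
    if repeats:
        verdict = "repeated aligned blocks: ECB-style encryption or plain structure"
    elif entropy > 7.5:  # assumed threshold for 'looks encrypted/compressed'
        verdict = "high entropy, no repeats: encrypted (non-ECB) or compressed"
    else:
        verdict = "low entropy, no repeats: probably not encrypted"
    return {
        "entropy": round(entropy, 3),
        "repeated_blocks": len(repeats),
        "repeated_total": sum(repeats.values()),
        "verdict": verdict,
    }


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic filler (SHA-256 in counter mode) used only to build samples."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed samples, not real .spk contents.
NOISE_BLOB = pseudo_random_bytes(4096)
_ECB_CODEBOOK = [hashlib.sha256(b"block-%d" % i).digest()[:16] for i in range(4)]
ECB_LIKE_BLOB = b"".join(_ECB_CODEBOOK[i % 4] for i in range(256))


if __name__ == "__main__":
    for name, blob in (("noise-like", NOISE_BLOB), ("ecb-like", ECB_LIKE_BLOB)):
        print(name, analyze(blob))
```

Run it on a real file with `analyze(open(path, "rb").read())`; a large image with high entropy and zero repeats is consistent with the "encrypted and/or compressed" conclusion above, while a non-trivial repeat count points at ECB and is the case the Pen Test Partners article describes.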
I'm in a really sketchy cell coverage zone and the LM1200 is disconnecting from my router occasionally.
I can see the little "3 box" network LED going out and pinging doesn't answer.
It could be my router but that is happily answering and connecting to local wired and WiFi stuff.
Part of the whole reason for separating router and modem was to get away from the MiFi 8800L disconnecting everything when it was flailing on a bad cell signal.
Renate said:
@rich hathaway anything new on this?
I'd love to get a CGI (or SNMP) module going on this.
Hi, sorry, I saw that message when you posted it and meant to respond that day, but got sidetracked and just saw it again today.
I do not have this device and have not worked with it before, so most of what I would say is speculation based on other Sierra devices.
It likely has a port open. nmap is a good tool but misses on occasion; the port tool from DFS is a much more thorough tool but hard to get hold of. It was in some of the older builds of the Qualcomm tool and I think it may still be in the current suite tool.
The Sierra source file for that device is a large file, almost 3 gigs; it is source for several Legato platforms including MDM9X07.
It is not supposed to be distributed so I won't link it here, but you can holler at me away from here and I'll get it to you to look through.
I just glanced over it I see port 4711 may be open
or at least is before final values are written to this device, try it.
The source shows the root pass is blank; that does not mean it is so, as many of these types of values are written last, after the source/generic is built.
Those .spk's used to be handled by the swi tool from Sierra, but it cannot handle newer spk's. They are base64 files, encrypted and compressed at many different levels and many times. The reason you cannot get it decrypted is they have some proprietary zippers with custom algos as well as old crypt algos such as beecrypt and such. If you can't get into it by any port, what I would do is find the test point on the board that should get you to an open 9008 port; you would at that point need a working patched ENPRG loader for MDM9x07, then you would be able to dump the device from 0 to 7FF and have all of what you need. If you have an extra one, send it to me and I'll dump it and send you back the firmware in human-readable form.
I forgot to add the default password file in the source is below but like I said it may be overwritten by a proprietary value during the final programming
also, the nfsroot file for Linux if you have something running linux may be useful to you it is below
hope that helps
rich hathaway said:
hope that helps
Thanks. I tried "gazonk" and 4711 and neither worked.
I did find the EC25 manual with pinout: https://forums.quectel.com/uploads/short-url/yVwhmS9iLDp8K24V93xJw3L6zmS.pdf
The "USB_BOOT" is the EDL mode pin, pull to 1.8V for EDL.
I haven't checked this yet, but I will try to trace out if the test point appears on the main PCB (vs directly on the module).
I'll also try to see if it works.
Ok. We have luck. The test points are reasonably accessible.
There is a loader that works: https://github.com/bkerler/Loaders/...480e100000000_cc3153a80293939b_fhprg_9x07.mbn
I put in a little magnetic reed switch. Jeez, I'm running out of these, I put them everywhere.
The storage is NAND. It probably works with bkerler stuff. I've only half-baked for NAND on my EDL client. I have to work on it.
Code:
Found EDL 9008
HWID: 000480e100000000, QC: 000480e1, OEM: 0000, Model: 0000
Hash: cc3153a80293939b-90d02d3bf8b23e02-92e452fef662c749-98421adad42a380f
Sending loaders\qualcomm\factory\mdm9x07\000480e100000000_cc3153a80293939b_fhprg_9x07.mbn 100% Ok
Waiting for Firehose... Ok
<log value="[FLASH_INFO]"/>
<log value=";This section provides flash info"/>
<log value="FLASH_NAME=NM14F2KSLAXCL-3B"/>
<log value="SECTOR_SIZE_IN_BYTES = 4096"/>
<log value="NUM_PARTITION_SECTORS = 131072"/>
<log value="num_physical_partitions = 1"/>
<log value="TOTAL_SECTOR_SIZE_IN_BYTES= 4352"/>
<log value="PAGES_IN_BLOCK = 64"/>
<log value="CONFIGURATION SELECTION FOR THIS DEVICE: BLOCKSIZE:256KB and PAGESIZE:4KB"/>
<log value=""/>
<log value="[BAD_BLOCK_LIST]"/>
<log value=";This section provides bad block list"/>
<log value="BAD_BLOCK=1536"/>
<log value="BAD_BLOCK=1537"/>
<log value="BAD_BLOCK=1822"/>
<log value="BAD_BLOCK=1992"/>
<log value="TOTAL_BAD_BLOCK=4"/>
<log value="{"storage_info": {"total_blocks":2048, "block_size":262144, "page_size":4096, "mem_type":"NAND", "prod_name":"NM14F2KSLAXCL-3B"}}"/>
<response value="ACK" />
Ok, so who's good with this stuff? root:$1$uH6tuGYf$bjaX370zwmzgNHP/YhrAQ/:0
Online Password Hash Crack (www.onlinehashcrack.com)
You can try them; I have used it before with success. It is a slow service though: I did an md5crypt on there, it was successfully reversed but took 4 days.
Or try the John the Ripper program, but really you don't need it: you sent the loader, so just send hello now, then you can dump the firmware, and from there it should be fairly easy to enable the ports so you can just use adb with no need for a root pass.
rich hathaway said:
... but really you don't need it: you sent the loader, so just send hello now, then you can dump the firmware, and from there it should be fairly easy to enable the ports so you can just use adb with no need for a root pass.
Um, I've got 500 MB of raw dump, not directories and files.
It's easy enough to find the password file in there but I'm not really sure what I'm looking at/for.
I fixed a bit of a bug in my edl.exe for NAND devices. Get the May 5th one in the sig.
I ran about 2 hours of cracker with no success yet.
I'll run some more today.
Edit: I'm still working on this, >4 days so far...
That works out to about 250 billion passwords tried.
Also: Power consumption isn't bad, average of 150 mA or so and peak of 450 mA.
Erm, hits a solid 500 mA when transmitting.
OMG, I've been running this JtR for almost 5 solid days now (I only run it when it's sunny).
I was beginning to doubt that JtR could crack a walnut.
For some reason the LM1200 regenerates a password file each boot, and if I modify it, it doesn't generate it.
I've been using my (recently updated) EDL client to try to overwrite the password file.
I put in the password "$1$abcdefgh$rV6RhG4no19bGJfmub3Ui1".
I tried JtR on that and it came up in a fraction of a second that the password was "root".
Just to be clear, I didn't crack anything, yet.
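The sanity check in this post (a known $1$ hash that JtR cracks instantly) can be reproduced without JtR. The following is an added example, not code from the thread: a pure-Python md5crypt ($1$) implementation plus a verifier, checked against the hash/salt pair quoted above. It also makes the cost visible: a fixed 1000 MD5 rounds and a salt of at most 8 characters is why a stored $1$ root hash in firmware is a weak secret.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(v, n):
    """crypt(3)-style base64: n characters, least significant 6 bits first."""
    return "".join(ITOA64[(v >> (6 * i)) & 0x3F] for i in range(n))

def md5crypt(password, salt):
    """FreeBSD md5crypt: returns '$1$<salt>$<22 chars>' (salt is at most 8 chars)."""
    pw, salt = password.encode(), salt.encode()[:8]
    ctx = hashlib.md5(pw + b"$1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    n = len(pw)
    while n > 0:                       # mix in the alternate sum, 16 bytes per 16 bytes of pw
        ctx.update(alt[:min(n, 16)])
        n -= 16
    n = len(pw)
    while n:                           # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):              # the fixed 1000-round stretching, cheap on modern hardware
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(_to64((f[a] << 16) | (f[b] << 8) | f[c], 4) for a, b, c in groups)
    return "$1$" + salt.decode() + "$" + out + _to64(f[11], 2)

def verify(password, stored):
    """Check a candidate against a stored $1$ hash; the comparison itself is constant-time."""
    _, kind, salt, _ = stored.split("$", 3)
    if kind != "1":
        raise ValueError("not an md5crypt ($1$) hash")
    return hmac.compare_digest(md5crypt(password, salt), stored)

# The sanity-check pair from the post: hash written into the image, known to be "root".
KNOWN = "$1$abcdefgh$rV6RhG4no19bGJfmub3Ui1"
```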
That's good. Does it work? That's usually the user, lol.
What is the filesystem, do you know?
yaffs2 or ubi?
rich hathaway said:
What is the filesystem, do you know?
yaffs2 or ubi?
It's UBI, because I've seen this:
Code:
000000 55 42 49 23 01 00 00 00 00 00 00 00 00 00 00 00 UBI#............
000010 00 00 10 00 00 00 20 00 25 a5 06 c3 00 00 00 00 ...... .%.......
000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000030 00 00 00 00 00 00 00 00 00 00 00 00 94 9e c8 d8 ................
000040 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
000050 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
000060 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
000070 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
The Python EDL client can print out partitions, but the support for NAND doesn't seem finished/working.
I don't know anything at all about UBI, but I did update my EDL client to correctly erase and write NAND.
There are 6 occurrences of the $1$salt$hash in a complete dump.
The first two are in a different position each time you boot.
The middle two and the last two are identical, that is: A/B, A/B.
The last two you can change without any noticeable effect.
If you modify the middle two (overwriting the same number of chars), when you do a dump after rebooting there are only four $1$salt$hash, and it's the first two that are missing.
So, I don't know if there is some checksum on files that I'm changing or what.
Who ever heard of passwd and shadow getting generated at each boot?
Is there some sort of secure repository that is sourcing this data and is my editing invalidating it?
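As an added example (not code from the thread), the Firehose geometry lines from the EDL session and the first 64 bytes of the dump quoted earlier are enough to derive the eraseblock layout, locate the bad blocks in the raw dump, and parse and CRC-check the UBI erase-counter header at the start of a PEB. The log lines and hex bytes are copied from those posts; the CRC convention (crc32 seeded with 0xFFFFFFFF over the first 60 bytes, no final inversion) is the kernel's UBI hdr_crc.

```python
import re
import struct
import zlib

# Firehose log lines copied from the EDL session in this thread (NAND geometry + bad blocks).
FIREHOSE_LOG = """
<log value="SECTOR_SIZE_IN_BYTES = 4096"/>
<log value="NUM_PARTITION_SECTORS = 131072"/>
<log value="TOTAL_SECTOR_SIZE_IN_BYTES= 4352"/>
<log value="PAGES_IN_BLOCK = 64"/>
<log value="BAD_BLOCK=1536"/>
<log value="BAD_BLOCK=1537"/>
<log value="BAD_BLOCK=1822"/>
<log value="BAD_BLOCK=1992"/>
"""
# First 64 bytes of the raw dump as posted (ASCII column dropped).
EC_HEADER_HEX = """
000000 55 42 49 23 01 00 00 00 00 00 00 00 00 00 00 00
000010 00 00 10 00 00 00 20 00 25 a5 06 c3 00 00 00 00
000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000030 00 00 00 00 00 00 00 00 00 00 00 00 94 9e c8 d8
"""
# UBI erase-counter header, all fields big-endian: magic, version, pad, ec,
# vid_hdr_offset, data_offset, image_seq, pad, hdr_crc -> 64 bytes.
EC_HDR = struct.Struct(">4sB3xQIII32xI")

def nand_geometry(log):
    """Derive page/OOB/PEB sizes and bad-block byte offsets from Firehose log lines."""
    kv = dict(re.findall(r'<log value="\s*([A-Z_]+)\s*=\s*(\d+)\s*"/>', log))
    page, ppb = int(kv["SECTOR_SIZE_IN_BYTES"]), int(kv["PAGES_IN_BLOCK"])
    peb = page * ppb                      # eraseblock size in a raw dump read without OOB
    bad = [int(b) for b in re.findall(r"BAD_BLOCK=(\d+)", log)]
    return {"page": page, "oob": int(kv["TOTAL_SECTOR_SIZE_IN_BYTES"]) - page,
            "peb": peb, "blocks": int(kv["NUM_PARTITION_SECTORS"]) // ppb,
            "bad_offsets": {b: b * peb for b in bad}}

def hexdump_to_bytes(text):
    """Turn 'offset b0 b1 ... b15' lines back into bytes."""
    return bytes(int(t, 16) for ln in text.split("\n") if ln.strip() for t in ln.split()[1:17])

def parse_ec_header(peb):
    """Parse a UBI EC header at the start of a PEB and verify hdr_crc; None if no magic."""
    magic, ver, ec, vid_off, data_off, seq, crc = EC_HDR.unpack_from(peb)
    if magic != b"UBI#":
        return None
    calc = zlib.crc32(peb[:60]) ^ 0xFFFFFFFF   # == kernel crc32_le(0xFFFFFFFF, hdr, 60)
    return {"version": ver, "ec": ec, "vid_hdr_offset": vid_off,
            "data_offset": data_off, "image_seq": seq, "crc_ok": calc == crc}
```

An erased PEB (all 0xFF) has no magic and returns None, which is how a scan over `blocks` PEBs of `peb` bytes each tells UBI-managed blocks from empty or bad ones.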