hboot wifi mac patcher - HTC Aria General

Hi, I created a simple tool that will be used for permanent wifi mac changes. Before you use this tool you must understand that I will not be responsible for any damage you do by using this tool !!! You must agree that you are using this tool at your own risk!
How to use this tool:
- you must be s-off and you need to have installed revolutionary hboot! If you do not have installed revolutionary, skip this tool!!!
- open command prompt and type hboot_mac ... you will get instructions!
- when you successfully generate patched hboot, reboot phone to fastboot mode
fastboot commands:
- fastboot oem eraseWifiFlash
- fastboot flash hboot hboot_mac_patched.img
- fastboot reboot-bootloader
verify if mac is changed:
- fastboot oem emapiWlanMac
Warning! This patched hboot has hboot overwriting security disabled, so after the next reboot you need to install the hboot from the attachment!!!
- fastboot flash hboot revolutionary_hboot.bin
- fastboot reboot
Done! Enjoy!
EDIT:
And do not install hboot 1.03.0000, it's locked bull**** and you will not be able to go back to hboot 1.02.0000 or any other!!!

Good contrib, however I have got htcdev.com hboot 1.03. Is it possible to come back to hboot 1.02?
Thanks

Hi, please give me hboot 1.03, I will test it and will report here!

hboot zip file contains nb0, not img file.
munjeni said:
Hi, please give me hboot 1.03, I will test it and will report here!

Is this htcdev.com hboot 1.03 ? My device is locked now with this hboot!

Yes, it is the hdev hboot !
munjeni said:
Is this htcdev.com hboot 1.03 ? My device is locked now with this hboot!

Ok but this is b.s. from htcdev... it says unlocked but it's still locked and s-on... no way s-off

Is it possible to downgrade to hboot 1.02?

No way for now .

munjeni said:
Ok but this is b.s. from htcdev... it says unlocked but it's still locked and s-on... no way s-off
It's not S-OFF, but it does allow you to flash custom recovery, install ROMs, and write to system partition while booted. Most people won't have any issues with it.
I think there is a way to downgrade from 1.03 to 1.02, but it's not for the faint of heart. Ask in #liberatedAria on Freenode.

drumist said:
Ask in #liberatedAria on Freenode.
Yes, I joined irc and when I said "hallo" Anthony1s gave me BAN , so why?

Try this
http://forum.xda-developers.com/showpost.php?p=21746420&postcount=14
It worked for me!
Anthony1s seems a little touchy, I asked for help and I was banned too.
munjeni said:
Yes, I joined irc and when I said "hallo" Anthony1s gave me BAN , so why?
---------- Post added at 07:55 PM ---------- Previous post was at 07:54 PM ----------
With revolutionary hboot fastboot oem emapiWlanMac 00 01 02 03 04 05 works fine, although thanks anyway

zeubea said:
Try this
http://forum.xda-developers.com/showpost.php?p=21746420&postcount=14
It worked for me!
Thanks, did you install hboot 1.02 over htcdev hboot 1.03 using this??

Indeed I installed 1.0.0 hboot RUU and then upgraded to 1.02, then revo for S-off, then unrevocked for cwm, and finally restore. Crazy, but it worked for me.
munjeni said:
Thanks, did you install hboot 1.02 over htcdev hboot 1.03 using this??

Ok, but I think it's not possible if you have hboot 1.03... already tried with gold card without luck

You must patch the misc partition as a previous step. I modified a tool for it. I detail this step at http://forum.xda-developers.com/showpost.php?p=23381950&postcount=21

zeubea said:
for downgrade 1.03 to 1.02 and worked for me.
you had hboot 1.03 from htcdev -> http://htcdev.com/bootloader/ ? Are you sure?
EDIT:
I can confirm it is not working while having hboot 1.03, tried now!
This is misc partition that is modified, and gold card is 100% gold card that I used before
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 31 31 31 31 31 31 31 31 00 00 00 00 00 00 00 00 11111111........
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020 44 65 76 69 63 65 57 61 72 6D 42 6F 6F 74 00 00 DeviceWarmBoot..
00000030 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙
00000040 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙
00000050 43 45 20 53 65 72 69 61 6C 20 49 6E 55 73 65 00 CE Serial InUse.
00000060 44 65 62 75 67 20 43 61 62 6C 65 20 45 6E 61 00 Debug Cable Ena.
00000070 43 45 20 20 20 55 53 42 20 20 49 6E 55 73 65 00 CE USB InUse.
00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000090 43 6C 65 61 72 41 75 74 6F 49 6D 61 67 65 00 00 ClearAutoImage..
000000A0 31 2E 31 31 2E 31 31 31 2E 31 00 00 00 00 00 00 1.11.111.1......
Indeed I installed 1.0.0 hboot RUU and then upgraded to 1.02, then revo for S-off, then unrevocked for cwm, and finally restore. Crazy, but it worked for me
from this message I did not see that you had hboot 1.03, do you want to confirm?

YES I had hboot 1.03 from htcdev.
Did you do relock? fastboot oem lock

Yes, its working after relocking... thanks dude!

Ok, I gave the hboot 1.03, so problem solved

Related

Need Help need from expert... Really confused in ELF0300

I got ELF0300 to change to WWE..I m confused please help me to solve
IPL 2.20.0002
SPL 2.26.0000
which hard spl correct for this? and is this elf or elfin?
thank you
look buddy.. to know whether your device is elf or elfin.. you need to check your RAM and Flash size (Elf --> 64 MB RAM, 128 MB Flash)(Elfin --> 128 MB RAM, 256 MB Flash).. you figure this out by going to Settings --> System Tab --> Device info.
As for the HardSPL.. there isn't any one specific for your phone.. but i would suggest HardSPL 3.10
hope that helps..
please help
my htc touch p3452 is dead because i flash but something is wrong and then it was dead now it will on on bootloader mode(red,green,blue) here is my detail please tell me what to do
it show..
IPL 3.07.0002
SPL 3.07.0000
DEVICE ID= ELF010050
CID= DOPOD001
45 4C 46 30 31 30 30 35 30 00 00 00 00 00 00 00 ELF010050.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
44 4F 50 4F 44 30 30 31 00 00 00 00 00 00 00 00 DOPOD001........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............
i also tried to flash "DID-ELF010050_CID-DOPOD001_ROM-2.20.721.2B" but is not flashed it gave "error 270 update error" something please tell me where is the problem and how to solve please guys

Bricked or dead?

I recently just re-flashed the rom on my elf, it got to 100% and windows said it completed. I now try to turn the phone on and nothing happens? the battery isn't dead either, help please
tjeaton said:
I recently just re-flashed the rom on my elf, it got to 100% and windows said it completed. I now try to turn the phone on and nothing happens? the battery isn't dead either, help please
hmmm, not sure if this helps (coz i arrived at it through a different process). but my device couldn't be turned on. no light even as charger was plugged in. but i did the "hold Camera button and poke the reset hole" then i got into boot into bootloader
please help
my htc touch p3452 is dead because i flash but something is wrong and then it was dead now it will on on bootloader mode(red,green,blue) here is my detail please tell me what to do
it show..
IPL 3.07.0002
SPL 3.07.0000
DEVICE ID= ELF010050
CID= DOPOD001
45 4C 46 30 31 30 30 35 30 00 00 00 00 00 00 00 ELF010050.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
44 4F 50 4F 44 30 30 31 00 00 00 00 00 00 00 00 DOPOD001........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............
i also tried to flash "DID-ELF010050_CID-DOPOD001_ROM-2.20.721.2B" but is not flashed it gave "error 270 update error" something please tell me where is the problem and how to solve please guys
You have to cid unlock first before flashing any rom...
vicky.9871 said:
my htc touch p3452 is dead because i flash but something is wrong and then it was dead now it will on on bootloader mode(red,green,blue) here is my detail please tell me what to do
it show..
IPL 3.07.0002
SPL 3.07.0000
DEVICE ID= ELF010050
CID= DOPOD001
45 4C 46 30 31 30 30 35 30 00 00 00 00 00 00 00 ELF010050.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
44 4F 50 4F 44 30 30 31 00 00 00 00 00 00 00 00 DOPOD001........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............
i also tried to flash "DID-ELF010050_CID-DOPOD001_ROM-2.20.721.2B" but is not flashed it gave "error 270 update error" something please tell me where is the problem and how to solve please guys
ok.. maybe you should try this.. hope it helps..
tito12 said:
You have to cid unlock first before flashing any rom...
Yup by the prob its showin, the CID is definitely locked, so 1st unlock the CID & then flash the ROM of your choice..!!!
Do remember also upgrade the "IPL & HSPL"..!!!
Njoy the FLASHING..!!!
thankyou but tell me
how to downgrade or upgrade my ips and spl my device already in bootloader mode please tell me
to upgrade your SPL (or flash HardSPL) u first need to have your device "alive" again as flashing the HardSPL is done by using ActiveSync.. I would suggest you try a hard reset (by holding the Call & End buttons and resetting with the stylus).. if that didn't work and you still can't load into WinMo interface.. then you might want to try the method I mentioned above..
hope this helps..
Ok just some info about the phone:
I already CID unlocked it, so that couldn't have been the problem as i was running onyx rom
I have tried getting into the three colours screen and still nothing happens, the battery isn't dead
Led used to turn on when it was charging now it doesn't :/
On button doesn't seem to make the device do anything either
tjeaton said:
Ok just some info about the phone:
I already CID unlocked it, so that couldn't have been the problem as i was running onyx rom
I have tried getting into the three colours screen and still nothing happens, the battery isn't dead
Led used to turn on when it was charging now it doesn't :/
On button doesn't seem to make the device do anything either
Did you flash an original or shipped ROM?? sometimes that causes problems when used with HardSPL..
Yeah it was an original backup of the factory rom that was already on it, is there any way of actually recovering my phone to a normal state again, at least the tri color or even led's when charging
tjeaton said:
Yeah it was an original backup of the factory rom that was already on it, is there any way of actually recovering my phone to a normal state again, at least the tri color or even led's when charging
sorry man.. but I can't help you.. flashing an original ROM over HardSPL can brick your phone.. and I don't want to disappoint you but I don't know how to recover it.. still I'm not a pro.. :S:S
anyone else out there on xda can help, it would be great if you could thanks for the help so far people
i'm not sure that u have a software problem but if it is, then your only hope is jtag.
check this: http://forum.xda-developers.com/showthread.php?t=602233
too bad there is no more information anywhere, but at least those jtags are easy to solder!
g00d luck!
btw, have you tried the voodoo reset posted by aonellbicho in the jtag thread? any luck with it?
I've never seen it before, and u will probably need as many hands as Shiva has to do it...
guess i can give it a go, what else could go wrong lol
yeah the voodoo reset doesn't work, i think its a fake its pretty hard to press all of those things at once

[Q] compressed XPRS image and WinCE 6.0 in qemu/emulator ?

Hi,
from the firmware upgrade of an ARM9 Windows Embedded CE 6.0 Device, I was able to extract a number of files, including the kernel image (NK.BIN.COMP).
However, with tools such as osnbtool, ImgfsToDump or ImgFsTools I was unable to decompress the image.
The image starts with:
Code:
00000000 58 50 52 53 e7 8b 26 01 16 89 00 00 05 00 01 00 |XPRS..&.........|
00000010 42 30 30 30 46 46 0a 00 10 36 80 50 10 2b 01 39 |B000FF...6.P.+.9|
00000020 00 04 00 00 00 eb 01 00 00 fe 03 00 ea 40 78 00 |.............@x.|
00000030 08 78 00 00 00 05 00 63 03 00 00 45 43 45 43 7c |.x.....c...ECEC||
00000040 f6 60 81 48 1c 01 8d 18 01 7c e6 2a 01 00 20 36 |.`.H.....|.*.. 6|
00000050 80 64 de 00 00 11 c5 47 00 02 04 00 00 d3 00 a0 |.d.....G........|
00000060 e3 00 f0 21 e1 0c 00 9f e5 10 0f 01 ee 87 15 00 |...!............|
00000070 eb 83 18 00 f8 37 00 ea 78 10 00 c0 b0 01 00 10 |.....7..x.......|
00000080 80 97 0a 7c 75 97 4e 39 00 02 18 00 20 18 00 08 |...|u.N9.... ...|
00000090 66 18 00 5a b8 00 d8 02 b9 00 07 00 0f 0f 6b 65 |f..Z..........ke|
000000a0 72 6e 65 6c 2e 64 6c 6c 7b 00 33 40 00 00 c4 04 |rnel.dll{.3@....|
000000b0 4b 00 01 41 44 00 50 10 40 09 05 59 00 4c 53 5a |K..AD.P.@..Y.LSZ|
000000c0 00 78 20 03 59 00 ec 10 29 80 f0 08 04 01 4b 5a |.x .Y...).....KZ|
000000d0 00 5a 03 04 52 54 58 00 39 81 00 00 81 24 0b 90 |.Z..RTX.9....$..|
000000e0 5f 00 c9 d0 5f 00 30 4c e0 5b 00 86 11 00 13 ba |_..._.0L.[......|
000000f0 50 58 00 44 4c 00 0b 10 20 00 cc a0 00 00 05 4e |PX.DL... ......N|
I suppose this is the Xpress compression format that is used in Win CE 6.0 ?
Are there any tools available that can decompress this image ?
Also, I would like to know which emulators you use to test out Win CE images.
I tried qemu-system-arm with the ARM926EJ-S core emulation, but it didn't work so far.
Ultimately, I would like to be able to boot into the image I extracted from the firmware upgrade and start a remote debugger inside the image, so that I can step through the code.
cheers,
knossos2
Hi,
as I already knew that the image was a Windows Embedded CE 6.0 image, I installed Platform Builder and other required development components.
My plan was to find out how the NK.BIN.COMP image is decompressed by the WinCE 6.0 loader.
It turned out, that the file had just been compressed with the WinCE 6.0 bincompress.exe tool (PUBLIC/COMMON/OAK/BIN/I386/bincompress.exe).
Although at least some of the tools I tried previously had compression support by using the WinCE libraries, it didn't work.
My best guess is that the libraries were for older versions of WinCE and thus it didn't work.
So, if you ever see "XPRS" at the start of a WinCE file, it has been compressed with bincompress.exe
I'm now trying to run the decompressed image either in qemu or in the MS Device Emulator.
I guess the Device Emulator will be the easier way.
Cheers,
knossos2

Root method (Brainstorm)

Hey everyone. This is not tested but I would like input. On the LG G3, I could flash partitions in fastboot mode which allowed me to change the device from an AS990 to a US990 or LS990. Would it be possible to flash the H918/H830 bin files through the patched LGUP partition DL to change the device type? Again just a brainstorm thread. Please post below.
Reserved
reserved
What could we gain from changing the device type? (Some have incompatible hardware if i'm right)
Also Aren't partitions checked by the bootloader( or kernel i dunno much) for any modification?
Sent from my LG-H860 using Tapatalk
abol_fa said:
What could we gain from changing the device type? (Some have incompatible hardware if i'm right)
Also Aren't partitions checked by the bootloader( or kernel i dunno much) for any modification?
Sent from my LG-H860 using Tapatalk
I'm not sure about the hardware but I think the RS998 might be close enough that a custom Rom would run
I'm interested in this. I have a us992 and it's the same hardware than rs998 but I can't root or unlock bootloader. It could be cool if there's a way to change it...
thjubeck said:
Hey everyone. This is not tested but I would like input. On the LG G3, I could flash partitions in fastboot mode which allowed me to change the device from an AS990 to a US990 or LS990. Would it be possible to flash the H918/H830 bin files through the patched LGUP partition DL to change the device type? Again just a brainstorm thread. Please post below.
By attaching a debugger to LGUP I found a couple of new commands
INFOSPRO is called 4 times which by reading is setting some sort of properties
SIGN
SIGN is called twice before anything begins to work such as the OPEN or WRTE command and the response should be something like success cmd SIGN
I think this is the missing link as after this all commands are given with 2 kilocent commands then 2 kilometr commands in that order so possibly the SIGN command is important but also the fact that the kilocent command is given twice then the 2 kilometr responses are sent but that's just speculation. Let me know what you guys think
also two other commands that were found are
OPCMCHEK
MISCWRTE
EDIT: I think CHCKCLER is our missing link. Disclaimer I am on the LG G5 but it has the same issue. Also the INFOSPRO may also need to be set
.
.
Debugged application message: [00:22:968] [T0002856] 49 4E 46 4F 47 50 52 4F 00 00 00 00 00 00 00 00 00 00 00 00 08 0B 00 00 43 D0 00 00 B6 B1 B9 B0 INFOGPRO................C.......
.
Debugged application message: [00:23:062] [R0000032] 49 4E 46 4F 47 50 52 4F 00 00 00 00 00 00 00 00 00 00 00 00 08 0B 00 00 00 00 00 00 B6 B1 B9 B0 INFOGPRO........................
.
Debugged application message: [00:23:062] [T0002856] 49 4E 46 4F 53 50 52 4F 00 00 00 00 00 00 00 00 00 00 00 00 08 0B 00 00 32 CF 00 00 B6 B1 B9 B0 INFOSPRO................2.......
.
Debugged application message: [00:23:187] [R0000032] 49 4E 46 4F 53 50 52 4F 00 00 00 00 00 00 00 00 00 00 00 00 08 0B 00 00 00 00 00 00 B6 B1 B9 B0 INFOSPRO........................
.
Debugged application message: [00:23:187] usb speed is high speed.
.
Debugged application message: [00:23:187] Not Support Fail Safe
.
Debugged application message: [00:23:187] Progress sleep for 1000 9 11
.
Debugged application message: [00:23:203] Set Progress 9
.
Debugged application message: [00:23:703] Set Progress 10
.
Debugged application message: [00:24:203] [T0000032] 43 48 43 4B 43 4C 45 52 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8C BA 00 00 BC B7 BC B4 CHCKCLER........................
.
Debugged application message: [00:24:203] [R0000032] 43 48 43 4B 43 4C 45 52 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 BC B7 BC B4 CHCKCLER........................
.
Debugged application message: [00:24:203] LAF_CMD_SUB_CLER.
.
Debugged application message: [00:24:203] DATA CHECK SUM ERROR device = 0 tool = 0
.
Debugged application message: [00:24:203] ==============Start Direct Download 2485MB ==============
.
Debugged application message: [00:24:218] umount system (/system)
.
Debugged application message: [00:24:218] [T0000032] 4B 49 4C 4F 43 45 4E 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E3 7B 00 00 B4 B6 B3 B0 KILOCENT.................{......
.
Debugged application message: [00:24:218] [R0000032] 4B 49 4C 4F 43 45 4E 54 90 A9 25 4A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B4 B6 B3 B0 KILOCENT..%J....................
.
Debugged application message: [00:24:218] [T0000048] 4B 49 4C 4F 4D 45 54 52 00 00 00 00 02 00 00 00 00 00 00 00 10 00 00 00 A3 07 00 00 B4 B6 B3 B0 KILOMETR........................
F4 7C 31 45 4C FF 58 73 0A D6 CB 7D 23 7B F0 17 .|1EL.Xs...}#{..
.
Debugged application message: [00:24:218] [R0000032] 4B 49 4C 4F 4D 45 54 52 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B4 B6 B3 B0 KILOMETR........................
.
Debugged application message: [00:24:218] [T0000047] 45 58 45 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0F 00 00 00 57 EC 00 00 BA A7 BA BC EXEC....................W.......
75 6D 6F 75 6E 74 20 2F 73 79 73 74 65 6D 00 umount./system.
.
Debugged application message: [00:24:234] [R0000032] 45 58 45 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0F 00 00 00 00 00 00 00 BA A7 BA BC EXEC............................
.
Debugged application message: [00:24:234] [T0000032] 4B 49 4C 4F 43 45 4E 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E3 7B 00 00 B4 B6 B3 B0 KILOCENT.................{......
.
Debugged application message: [00:24:234] [R0000032] 4B 49 4C 4F 43 45 4E 54 CA DB 0F 21 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B4 B6 B3 B0 KILOCENT...!....................
.
Debugged application message: [00:24:234] [T0000048] 4B 49 4C 4F 4D 45 54 52 00 00 00 00 02 00 00 00 00 00 00 00 10 00 00 00 6D 6D 00 00 B4 B6 B3 B0 KILOMETR................mm......
CB 74 3A 1A 43 2F 7D F9 DF 11 42 DC 7E 09 0A 8C .t:.C/}...B.....
.
Debugged application message: [00:24:234] [R0000032] 4B 49 4C 4F 4D 45 54 52 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B4 B6 B3 B0 KILOMETR........................
.
Debugged application message: [00:24:234] [T0000060] 45 58 45 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1C 00 00 00 17 2E 00 00 BA A7 BA BC EXEC............................
6D 6F 75 6E 74 20 2D 6F 20 72 65 6D 6F 75 6E 74 2C 72 6F 20 2F 73 79 73 74 65 6D 00 mount.-o.remount,ro./system.
.
Debugged application message: [00:24:234] [R0000032] 45 58 45 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 23 00 00 00 00 00 00 00 BA A7 BA BC EXEC................#...........
.
Debugged application message: [00:24:234] /system Unmount Success.
.
Debugged application message: [00:24:234] Erase Partition name : system, sector addr : 0xE886, size(sector count) : 0x120000
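An added example, not part of the original post and not LGUP's own code: a decoder for the 32-byte frames in the debugger output above. The field names (sub-command, arguments, body length, checksum) are assumptions read off the logged bytes; the two checks it applies are ones the log itself satisfies, namely that the last four bytes are the bitwise inverse of the command and that a sent frame's logged size is 32 plus its body length.

```python
import re
import struct

HEADER_LEN = 32  # every logged frame starts with 32 header bytes
TAG_RE = re.compile(r"\[([TR])(\d{7})\]\s+(.*)")  # [T0000047] = sent, [R0000032] = received

# Four frames copied from the debugger output in the post above ("." separator lines dropped).
SAMPLE_LOG = """\
Debugged application message: [00:24:203] [T0000032] 43 48 43 4B 43 4C 45 52 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8C BA 00 00 BC B7 BC B4 CHCKCLER........................
Debugged application message: [00:24:218] [R0000032] 4B 49 4C 4F 43 45 4E 54 90 A9 25 4A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B4 B6 B3 B0 KILOCENT..%J....................
Debugged application message: [00:24:218] [T0000047] 45 58 45 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0F 00 00 00 57 EC 00 00 BA A7 BA BC EXEC....................W.......
75 6D 6F 75 6E 74 20 2F 73 79 73 74 65 6D 00 umount./system.
Debugged application message: [00:24:234] [R0000032] 45 58 45 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0F 00 00 00 00 00 00 00 BA A7 BA BC EXEC............................
"""


def take_bytes(text, count):
    """Return the first `count` two-digit hex tokens of `text` as bytes, else None."""
    tokens = text.split()[:count]
    if len(tokens) < count or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", t) for t in tokens):
        return None
    return bytes(int(t, 16) for t in tokens)


def decode_log(text):
    """Decode every tagged frame in a debugger log into header fields plus two sanity checks."""
    lines = text.splitlines()
    frames = []
    for i, line in enumerate(lines):
        m = TAG_RE.search(line)
        header = take_bytes(m.group(3), HEADER_LEN) if m else None
        if header is None:
            continue
        direction, logged_len = m.group(1), int(m.group(2))
        # Assumed layout (little-endian): command, sub-command, three arguments,
        # body length, checksum, trailer.
        cmd, sub, a2, a3, a4, body_len, checksum, trailer = struct.unpack(
            "<4s4s3I2I4s", header)
        # Sent frames log their body on the following line; received frames appear
        # in this log as the 32-byte header only, even when body_len is non-zero.
        body = None
        if direction == "T" and body_len and i + 1 < len(lines):
            body = take_bytes(lines[i + 1], body_len)
        expected_len = HEADER_LEN + body_len if direction == "T" else HEADER_LEN
        frames.append({
            "direction": direction,
            "name": (cmd + sub).rstrip(b"\0").decode("ascii", "replace"),
            "args": (a2, a3, a4),
            "body_len": body_len,
            "checksum": checksum,
            "body": body,
            "trailer_ok": trailer == bytes(b ^ 0xFF for b in cmd),
            "length_ok": logged_len == expected_len,
        })
    return frames


if __name__ == "__main__":
    for f in decode_log(SAMPLE_LOG):
        flags = "ok" if f["trailer_ok"] and f["length_ok"] else "MISMATCH"
        print(f'{f["direction"]} {f["name"]:<8} args={[hex(a) for a in f["args"]]} '
              f'body_len={f["body_len"]} checksum={f["checksum"]:#06x} {flags} '
              f'body={f["body"]!r}')
```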
thjubeck said:
....
It's nice that you're looking into this, there is another guy in the V20 section, @runningnak3d who is also looking into making partition dl work.
BUT.... don't try to flash T-Mobile bootloader on any other variant phone. You will hard brick. T-Mobile uses a different key to sign its files, and that key is programmed into the read-only-memory of a TMO phone.
Edit: Besides, he is looking into a different way of unlocking, by flashing a modified persistent partition with LGUP I believe.
askermk2000 said:
BUT.... don't try to flash T-Mobile bootloader on any other variant phone. You will hard brick. T-Mobile uses a different key to sign its files, and that key is programmed into the read-only-memory of a TMO phone.
Don't worry I'm not an idiot I did my research like the thread says Brainstorm. Sometimes crazy ideas lead people to start thinking. Which reminds me.... Ooo look Squirrel. Be sure to post your ha's when you read that. Anyways in all seriousness checking with the other persons and who knows possibly sometime may have a solution.
thjubeck said:
Don't worry I'm not an idiot I did my research like the thread says Brainstorm. Sometimes crazy ideas lead people to start thinking. Which reminds me.... Ooo look Squirrel. Be sure to post your ha's when you read that. Anyways in all seriousness checking with the other persons and who knows possibly sometime may have a solution.
I see. So you were offended, and you're subtly calling me an idiot.
You must be a proud person.
And you couldn't have "done your research" at the time of posting, as why then would you ask about flashing TMO bootloader on a non-TMO device?
Would it be possible to flash the H918/H830 bin files through the patched LGUP partition DL to change the device type?
Also your reply reeks of utter nonsense.
askermk2000 said:
I see. So you were offended, and you're subtly calling me an idiot.
You must be a proud person.
And you couldn't have "done your research" at the time of posting, as why then would you ask about flashing TMO bootloader on a non-TMO device?
Also your reply reeks of utter nonsense.
Seriously man no harm intended and as for utter nonsense yes,yes it was.....partially. Also, like how you quoted me saying bootloader... wait you didn't. Missed that somewhere. Not necessarily pointing to that you could flash a system partition that was already rooted or something like that again emphasizing brainstorm thread here.
thjubeck said:
Seriously man no harm intended and as for utter nonsense yes,yes it was.....partially. Also, like how you quoted me saying bootloader... wait you didn't. Missed that somewhere. Not necessarily pointing to that you could flash a system partition that was already rooted or something like that again emphasizing brainstorm thread here.
Well how else would you change your "device type"?
Maybe I don't understand what you mean by that. I may have jumped to wrong conclusion, if so then I guess you were right to be slightly offended.
Anyway, persistent.bin seems to be where it's at. You should work with @runningnak3d he was looking earlier for some help.

VS995 - Error using Uppercut - Cannot decide device boot mode. set Unknown Mode

I recently acquired a Verizon-branded LG V20 (VS995) and my eventual goal is to put TWRP and LineageOS on it like my last phone. The first step is to downgrade it to a vulnerable stock image using UPPERCUT. However, I'm finding that LGUP is unable to begin to perform the flash.
My setup/procedure is as such:
1. Fresh Windows 7 x64 installation in Virtualbox 5.2.16 on Arch Linux
1a. USB filter setup so that USB 1004:633a is always passed through to Windows 7
2. Installed drivers: LGMobileDriver_WHQL_Ver_4.2.0.exe
3. Installed LGUP 1.14: LGUP_Store_Frame_Ver_1_14_3.msi
4. Insert battery into LG V20 VS995
5. Insert USB into computer
6. Hold VOLUP while inserting USB-C into V20
7. Wait as "download mode" message appears and then changes to "Firmware Update" screen.
8. Wait for Windows to install all drivers, ensuring devmgmt.msc shows COM port
9. Launch UPPERCUT v1.0.0.0, granting admin permissions
10. Wait for LGUP to launch, initialize, and show a VS9951CA device
11. Select the December 2016 KDZ: VS99512A_06_1114_ARB00.kdz
12. Select UPGRADE and hit Start
After waiting for the 15 second initialization period, LGUP displays the error "Cannot decide device boot mode. set Unknown". If left in this state for several minutes, LGUP will eventually bring up a dialog saying "Error: 0x2000, Port open error (COMX)". LGUP sometimes says it is on a step which I have not transcribed correctly but resembles "_prepareAndDL" before showing the "Cannot decide device boot mode. set Unknown" error, but I've only seen this step once or twice.
SHA1 sums of the files I'm using:
eac54e3e0cfe6e8d7cd395e245170e13de4fcd67 lgmobiledriver_whql_ver_4.2.0.exe
f7b41f77047698bc8e030dddf4ef6fbdb5c3af41 lgup_store_frame_ver_1_14_3.msi
46c9a349d62287d81c94ce7148233c0922604273 uppercut_1.0.0.0.zip
3104b93b7243e3274932b2c56b8383cdecf7ede3 vs99512a_06_1114_arb00.kdz
Is UPPERCUT still the recommended tool to flash stock firmware for this model? Should I be installing it via fastboot instead (if so, is there a thread to follow)? Is the 1CA update no longer downgradable?
--------------------
I tried to use the patched LGUP tool instead of UPPERCUT to see if that helped at all. I did not try to flash the KDZ, but rather just tried to DUMP the existing partitions. I ran into the same error as the post title again.
Procedure:
0. In the LGUP program files directory:
1. Copy the original LGUP.exe to LGUP.original.exe
2. Copy the patched LGUP.exe into its place
3. Copy in the 'model/common' directory from the patched LGUP zip
4. Steps 4->8 from above
9. Launch patched LGUP (no UPPERCUT)
10. Same as above
11. Select DUMP, hit start, select dump location
SHA1 sum of additional files:
242640ddb023308b9a103e0a767f27511c9a2db0 lgup_v20dll_patched.zip
I captured a trace of the USB communication with wireshark. I used the LG LAF protocol plugin (can't post links yet: github com/Lekensteyn/lglaf/blob/master/lglaf.lua) and it didn't find any USB frames that matched the protocol. I'm no USB wire protocol expert, but it looks like the phone is sending a response:
Code:
0000 1b 00 10 b0 62 03 80 fa ff ff 00 00 00 00 09 00 ...°b..úÿÿ......
0010 01 02 00 01 00 83 03 97 00 00 00 ef a0 00 00 00 ...........ï*...
0020 00 00 56 53 39 39 35 00 00 00 00 00 56 53 39 39 ..VS995.....VS99
0030 35 31 43 41 00 00 00 00 00 00 00 00 00 00 00 00 51CA............
0040 00 00 00 00 00 00 00 00 00 00 01 33 35 39 39 36 ...........35996
0050 38 30 37 32 39 39 39 30 37 36 00 00 00 00 00 60 8072999076.....`
0060 1e 41 6e 64 72 6f 69 64 00 00 00 37 2e 30 00 00 .Android...7.0..
0070 00 00 00 00 00 3X 3X 3X 3X 3X 3X 3X 3X 3X X9 00 .....XXXXXXXXXX.
0080 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ................
0090 00 00 00 00 00 00 31 63 6f 6d 6d 6f 6e 00 00 00 ......1common...
00a0 56 5a 57 31 00 00 00 00 00 00 00 00 00 00 7d 5d VZW1..........}]
00b0 86 7e .~
There were five such frames, all essentially identical less a byte or two. I suspect if I had let the capture go they would have continued to arrive at an interval. So it's possible the LGUP tool just is not recognizing the ping that the phone is sending?
Install the VirtualBox extension pack and set your USB config for that VM to 2.0 or 3.1, and you should be good.
1CA is definitely downgradable. This is a USB communication problem.
-- Brian
I re-confirmed that I had the guest extensions installed (VM has no nic and all files were transferred in via shared folders, which requires guest extensions). But it turns out I did have the USB bus set to USB 2.0. After setting that to USB 3.0 and installing the Intel USB3 drivers for Windows, LGUP started the download without issue. This is still the patched LGUP (no UPPERCUT) and using the UPGRADE option with the KDZ mentioned in the OP. Oddly enough, it did not clear my data, as it asked for my encryption passphrase when it rebooted. It did successfully downgrade me, so I just did a factory reset to clear my old data and apps. As a reminder, the LG out-of-the-box experience starts checking for OTA updates as soon as the phone starts up, so remove your SIM before you start.
1. Remove SIM
2. Do one of the following:
CLI:
Code:
vboxmanage modifyvm "$vmname" --usbehci off && vboxmanage modifyvm "$vmname" --usbxhci on
UI: Right click VM > Settings > USB > USB 3.0 (XHCI) Controller
