Recovering the /rom partition - Nook Touch General

I don't know if this thread will help anyone, but it amused me to do it.
A few folks here have accidentally bricked their Nooks without a good backup.
Yes, you can get a new image loaded onto your Nook but you might have lost the /rom partition.
The /rom partition holds all the factory information unique to your Nook.
If you just copy the whole internal memory from someone else, you'll be using the same MAC, serial number and security keys.
Whether that is a big deal or not depends.
I wrote a little utility, it's in the beta test phase.
It can take a ~1.9GB image backup file and extract the files from the /boot, /rom or /media partitions.
It can do that even if the partition table has been trashed.
Run this in an empty directory because it copies all the files in a flat structure.
(Later I'll get around to doing subdirectories.)
Here's an example:
Code:
imagefix.exe C:\mybackup.img 2 /a
# Id Start End Size
-- -- --------- --------- ---------
1 0C 32 155647 155616
2 0C 155648 188415 32768
3 83 188416 577535 389120
4 05 577536 3792895 3215360
5 83 577568 1167359 589792
05 1167360 3792895 2625536
6 0C 1167392 1658879 491488
05 1658880 3792895 2134016
7 83 1658912 2150399 491488
05 2150400 3792895 1642496
8 83 2150432 3792895 1642464
== Partition 2 ==
rom
├──devconf
│ ├──BatteryType
│ ├──BootCnt
│ ├──Bq275020Dffs
│ ├──DateManufactured
│ ├──DeviceAttribute
│ ├──DeviceID
│ ├──EpdVcom
│ ├──EpdWaveform
│ ├──EpdWaveform.backup
│ ├──EpdWaveformOriginalFilename
│ ├──EpdWaveformOriginalFilename.backup
│ ├──EventType
│ ├──HashOfPrivateKey
│ ├──MACAddress
│ ├──MainBoardSN
│ ├──ModelNumber
│ ├──OperatingMode
│ ├──ProductID
│ ├──PublicKey
│ ├──SerialNumber
│ ├──WiFiBackupCalibration
│ └──ean
└──bcb
This will list all the files on the 2nd partition.
The /a flag sorts the files in alphabetic order instead of disk order.
If it barfs, that's because the partitioning table has been trashed. Try:
Code:
imagefix.exe C:\mybackup.img 2 /d /a
That will ignore the partitioning table and use the factory default.
To actually extract the files, add the /w flag (use the /d if you need it).
Code:
imagefix.exe C:\mybackup.img 2 /w /a
imagefix can also work directly on raw devices, like when you have your Nook running noogie.
Let's say you boot your Nook on noogie and /boot appears as H:\
You can then extract files by typing:
Code:
imagefix.exe H: 2 /w /a
(Note that the H ends in colon, not colon backslash.)
Let's say that you trashed your Nook so badly that it doesn't even show up as a drive letter.
You can still use imagefix using the physical device number.
You can go to the Windows Disk Manager and find the Disk Number, for example 3:
Code:
imagefix.exe 3 2 /d /w /a
Even though this program is called "imagefix" it only reads and does not modify the image.
You can even safely call it on your hard disk.
Of course, my favorite way of running noogie is using omaplink.exe
Code:
omaplink.exe omap3_aboot.bin u-boot12.bin uImage-noogie uRamdisk-noogie
Those files can be found in this post: http://forum.xda-developers.com/showpost.php?p=49779966&postcount=285
You could also just put noogie on an SD card and boot up that way.
Any feedback is appreciated.
Warning: Command line usage has changed, see below!

I have met some users on the forum who lost their rom files partition ... I will try to contact them .... Thx to you Renate, really I am thinking about messing up my Nook and trying your new utility

The command line usage has changed from the original post.
To look at the partitioning of a backed up (~1.9GB) image file:
Code:
C:\>imagefix backup.img
Image is partitioned as stock NST
# Id Start End Size Label
── ── ───────── ───────── ───────── ────────────────
1 0C 32 155647 155616 boot
2 0C 155648 188415 32768 rom
3 83 188416 577535 389120 factory
05 577536 3792895 3215360
5 83 577568 1167359 589792
05 1167360 3792895 2625536
6 0C 1167392 1658879 491488 NOOK
05 1658880 3792895 2134016
7 83 1658912 2150399 491488 cache
05 2150400 3792895 1642496
8 83 2150432 3792895 1642464 data
3792896 3823469 30574
To list the files in the /rom partition (the first flag is the letter L):
Code:
C:\>imagefix backup.img /l /a 2
== Partition 2 ==
rom
├──devconf
│ ├──BatteryType
│ ├──BootCnt
│ ├──Bq275020Dffs
│ ├──DateManufactured
│ ├──DeviceAttribute
│ ├──DeviceID
│ ├──EpdVcom
│ ├──EpdWaveform
│ ├──EpdWaveform.backup
│ ├──EpdWaveformOriginalFilename
│ ├──EpdWaveformOriginalFilename.backup
│ ├──EventType
│ ├──HashOfPrivateKey
│ ├──MACAddress
│ ├──MainBoardSN
│ ├──ModelNumber
│ ├──OperatingMode
│ ├──ProductID
│ ├──PublicKey
│ ├──SerialNumber
│ ├──WiFiBackupCalibration
│ └──ean
└──bcb
To extract the files in the /rom partition:
Code:
C:\>imagefix backup.img /x 2
If you have corrupted partition tables and want to try with presumed partitioning:
Code:
C:\>imagefix backup.img /l /a 2 /pnst   // for NST or black Glow
C:\>imagefix backup.img /x 2 /pnst
C:\>imagefix backup.img /l /a 2 /png2   // for white Glow
C:\>imagefix backup.img /x 2 /png2
imagefix.exe is in the signature.
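How a listing like the one above can be derived from an image, as an added example that is not part of the original posts and is not imagefix's code: it walks the MBR and the chain of extended boot records, and falls back to a presumed table when the signature is missing. All function names are hypothetical, a classic MBR/EBR layout is assumed, and the sample sectors are constructed from the numbers in the listing.

```python
import struct

SECTOR = 512
EXTENDED = {0x05, 0x0F, 0x85}            # partition types that hold a chain of EBRs


def parse_entries(sector):
    """Return the four (type, relative_start, size) entries of an MBR or EBR sector."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA signature: partition table is trashed")
    return [(sector[446 + 16 * i + 4],) + struct.unpack_from("<II", sector, 446 + 16 * i + 8)
            for i in range(4)]


def walk(read_sector):
    """List (number, type, start, end, size) rows; EBR link entries get number None."""
    rows, ext_base = [], None
    for n, (ptype, start, size) in enumerate(parse_entries(read_sector(0)), 1):
        if ptype == 0 or size == 0:
            continue
        rows.append((n, ptype, start, start + size - 1, size))
        if ptype in EXTENDED and ext_base is None:
            ext_base = start
    number, ebr, seen = 5, ext_base, set()
    while ebr is not None:
        if ebr in seen:                  # a corrupted chain must not loop forever
            raise ValueError("EBR chain loops back to sector %d" % ebr)
        seen.add(ebr)
        logical, link = parse_entries(read_sector(ebr))[:2]
        if logical[0] and logical[2]:    # logical partition, relative to this EBR
            start = ebr + logical[1]
            rows.append((number, logical[0], start, start + logical[2] - 1, logical[2]))
            number += 1
        if link[0] in EXTENDED and link[2]:   # next EBR, relative to the extended base
            ebr = ext_base + link[1]
            rows.append((None, link[0], ebr, ebr + link[2] - 1, link[2]))
        else:
            ebr = None
    return rows


def list_partitions(read_sector, presumed=None):
    """Return (rows, source); use the presumed table only if the on-disk one is unreadable."""
    try:
        return walk(read_sector), "disk"
    except ValueError:
        if presumed is None:
            raise
        return presumed, "presumed"


def byte_range(rows, number):
    """Byte offset and length of partition `number` inside the image."""
    for n, _ptype, start, _end, size in rows:
        if n == number:
            return start * SECTOR, size * SECTOR
    raise LookupError("no partition %d" % number)


def file_reader(f):
    """Sector reader for a real backup opened with open(path, 'rb'); never writes."""
    def read(lba):
        f.seek(lba * SECTOR)
        return f.read(SECTOR)
    return read


def make_sector(entries):
    """Build one constructed MBR/EBR sector from (type, relative_start, size) tuples."""
    s = bytearray(SECTOR)
    for i, (ptype, rel_start, size) in enumerate(entries):
        struct.pack_into("<B3xB3xII", s, 446 + 16 * i, 0, ptype, rel_start, size)
    s[510:512] = b"\x55\xaa"
    return bytes(s)


# Constructed sample: only the table sectors, using the numbers from the listing.
BASE = 577536
SAMPLE = {
    0: make_sector([(0x0C, 32, 155616), (0x0C, 155648, 32768),
                    (0x83, 188416, 389120), (0x05, BASE, 3215360)]),
    577536: make_sector([(0x83, 32, 589792), (0x05, 1167360 - BASE, 2625536)]),
    1167360: make_sector([(0x0C, 32, 491488), (0x05, 1658880 - BASE, 2134016)]),
    1658880: make_sector([(0x83, 32, 491488), (0x05, 2150400 - BASE, 1642496)]),
    2150400: make_sector([(0x83, 32, 1642464)]),
}


def sample_reader(lba):
    return SAMPLE.get(lba, bytes(SECTOR))


# The stock NST layout from the listing, reused here as the presumed table.
PRESUMED_NST = walk(sample_reader)

if __name__ == "__main__":
    rows, source = list_partitions(sample_reader, PRESUMED_NST)
    print("table source:", source)
    for n, ptype, start, end, size in rows:
        print("%2s %02X %9d %9d %9d" % (n or "", ptype, start, end, size))
    print("/rom bytes:", byte_range(rows, 2))
```

For a real backup, pass `file_reader(open(path, "rb"))` instead of `sample_reader`; the offset and length from `byte_range(rows, 2)` locate the /rom partition holding the device-unique files.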

Related

HTC Artemis ExtROM working again

This message is intended to you all who tried to unlock the ExtROM of HTC Artemis and ended with not working ExtROM.
I am not sure if I can 100% document how I have achieved it, but I will try to do my best
You will need:
-collection of tools attached to this post
-WinRAR http://www.winrar.com/
-Winimage http://www.winimage.com/
First you will need an extrom image file, it's part of the nbh image which you can unpack from the original image using winrar.
To extract the extended ROM image use the tool NBHextract.
command: NBHextract image.nbh
It will extract about 6 nb files one of them will be xx_ExtROM.nb.
You can check the content of the image with WinImage, you can also customize the image by removing or adding other cab, xml or exe files.
Remember only signed files will be executed.
Connect the phone to PC, you don't need to configure ActiveSync for synchronization.
From command prompt start following commands to enable RAPI:
cecopy EnableRapi.cab dev:\
cecopy Cert_SPCS.cab dev:\
cerun.exe -b CE:\Windows\wceload.exe \Cert_SPCS.cab /noui
cerun.exe -b CE:\Windows\wceload.exe \EnableRapi.cab /noui
pdocread -l
The STRG handles section from the output is what we will need for next commands.
STRG handles:
handle cdfc4c7e 1.89G (0x79120e00)
handle 8e9e43d2 14.99M (0xefc400)
handle aea981c6 38.24M (0x263e000)
handle eeae71ae 50.95M (0x32f4000)
handle cfb25ef6 2.94M (0x2f0000)
handle 2fb25ea2 3.06M (0x30fc00)
Insert the handle "code" of the ExtROM partition (the one about 15MB big) to following commands:
one for reading the current extrom from the phone
pdocread -h 0x8e9e43d2 0 0xf00000 extrom.ima
and other one to write the prepared image to the phone
pdocwrite -h 0x8e9e43d2 -v extrom.nb 0x000000 0xf00000
Remember the handle code changes every restart.
After you write the image to the phone do a hard reset.
Press both SW keys and use the Stylus for pressing the soft reset button, keep holding the soft keys until a message appears then press the green answering/calling button to format the phone (Hard Reset).
After hard reset and completing the touch screen adjusting wizard should load the ExtROM automatic setup like before.
Remember after hard reset you need to re-enable RAPI in case you want read or write the phone again.
Your device doesn't have to be CID unlocked to be able to write the images to the phone using this procedure.
Although this procedure seems to be pretty easy, be careful. Be sure you have at least one working ship update from your provider in case things go wrong.
I have also successfully written the OS.nb from the original HTC ship update and PDAmobiz releases with the same procedure.
Good luck!
Finally...using this method I've managed to repair my extrom. A few weeks ago I deleted all files in extended rom (using Total Commander) and was never able to restore it again (copying files gives error message 29 access denied). Now it's all restored again...jaaaaiiii
instead of hardreset i did softreset because i didn't want to install all apps again
This is great! I'm now using my own customized Ext_rom. Thank you very much.
does this method allow one to unhide and unlock the ext_rom? Up to now I have not been able to really unlock the ext_rom.
thanks,
apap said:
does this method allow one to unhide and unlock the ext_rom? Up to now I have not been able to really unlock the ext_rom.
thanks,
No, this is not to unlock or unhide the ext_rom. With this method, you can just customize (adding or deleting files) your ext_rom image file on your PC. Then you can write your customized ext_rom back to your Artemis.
size of ext rom
i need to change size of ext rom on artemis.
regards.
Not working properly(((
Hi
I have used the method described above to re-write my Extrom with new items in there, it went OK, BUT the issue is that now Extrom doesn't start automatically after hard reset...it just sits silently in the memory...just it. Can anyone help to activate it?
Thanks
Hi, I've one problem, I'm stopped on the handle step. What is handle? How can I see the right handle code? And how can I rebuild the custom rom and install it in my phone?
bye.
STRG handles
Hi PiGeonCZ
thanks for your method
pls explain what STRG handles/volumes associated with Windows.nb, Radio.nb, IPL.nb etc , as for example i wanted to upgrade my radio.nb or os.nb but does not know which string handle to work with.
and how to activate Extrom as now it is not loaded itself after hard reset.
thanks
If I want to read Os.nb, which is the correct script?
pdocread -h 0x8e9e43d2 0 0xf00000 extrom.ima is your example, 0 (zero) is the partition disk of ext rom, so I can try to insert 3 (three), the right partition of my OS (58 mb) rom and insert 0xf000000? it's all right?
es: pdocread -h 0x???????? 0 0xf000000 OS.ima (?= my handle), it's all right???
Work Great
For PiGeonCZ, I need your help for two question:
I've done all your steps, and I can read all ext-rom from another P3300 and I can write the new one in my O2 phone, but when I press the hard reset the ext rom stays in a loop when it tries to install the ttn.cab, why? I've tried to delete ttn and the relative row in config.txt but the rom is still in a loop when it tries to install the other file (default page....)
My second question is about the OS dump. My friend has the original Italian language of P3300, and he has dumped all his OS.nb with this parameter:
es: pdocread -h 0x???????? 0 0xf000000 OS.ima (?= his handle), it's all right???
0f000000 (one zero more than the extrom example, all right?)
but about the end of all process, he has an error about impossible to read the right sector, why? Is there a mode to backup the OS.nb, and so how can I read if it is all right dumped?? (Do you know any program to read .nb file?) Do you know any program to recompile the nba rom?
best regard.
@thefamous
Try to put the lines with ttn setup at the end of the config.txt. Before the "LOCK: Disabled" line. It worked for me.
This thread is about the extrom, please keep it clean of other things.
Anyway. You don't need to use handles when reading the whole OS image. Try following command: pdocread 0 0x3900000 OS.nba
PiGeonCZ said:
@thefamous
Try to put the lines with ttn setup at the end of the config.txt. Before the "LOCK: Disabled" line. It worked for me.
This thread is about the extrom, please keep it clean of other things.
Anyway. You don't need to use handles when reading the whole OS image. Try following command: pdocread 0 0x3900000 OS.nba
Thanks, I've tried to change the line of ttn setup in config.sys but now it is still in a loop on PP_DefaultPage_WWE.CAB. I've tried to modify this line (cut and paste it below the LOCK: line) but it still loops on the other file.. do you have any solution? I'll try to re install the original ext rom and all work well.
this is my original config.sys
LOCK:Enabled
EXEC:\Windows\cusTSK.exe \Windows\HTC_Default.tsk
CAB: \Extended_ROM\MP_CVSDcpl_20060718.cab
XML: \Windows\MP_MMS3.5_HTC_Generic_Artemis_060818.xml
CAB: \Extended_ROM\PP_DefaultPage_WWE.CAB
XML: \Extended_ROM\PP_ExtVer.xml
CAB: \Extended_ROM\MP_ttn.cab
CAB: \Extended_ROM\MP_TT6_Voice13_ITA.cab
CAB: \Extended_ROM\PP_RemoveBTlnk.cab
CAB: \Extended_ROM\ST_PatchPeripheral.cab
CAB: \Windows\PP_CommManager_Patch_060808.CAB
EXEC:\Extended_ROM\ChgScutAttri.exe
LOCK:Disabled
RST: Reset
P.S. which is the write command for OS.nba? this is all right command: pdowrite OS.nba 0 0x3900000? thanks
@thefamous
I am sorry but I don't know what could be wrong, for me has worked putting the freezing cabs just above the LOCK: DISABLED.
Hello,
does this work for PDAmobiz ROMs too?
thefamous said:
thanks, I've try to change the line of ttn setup in config.sys but now still in loop on PP_DefaultPage_WWE.CAB. I've try to modify this line (cut and paste it below LOK: line) but still loop on the other file.. do you have any solution? I'll try to re install the original ext rom and all work well.
this is my original config.sys
LOCK:Enabled
EXEC:\Windows\cusTSK.exe \Windows\HTC_Default.tsk
CAB: \Extended_ROM\MP_CVSDcpl_20060718.cab
XML: \Windows\MP_MMS3.5_HTC_Generic_Artemis_060818.xml
CAB: \Extended_ROM\PP_DefaultPage_WWE.CAB
XML: \Extended_ROM\PP_ExtVer.xml
CAB: \Extended_ROM\MP_ttn.cab
CAB: \Extended_ROM\MP_TT6_Voice13_ITA.cab
CAB: \Extended_ROM\PP_RemoveBTlnk.cab
CAB: \Extended_ROM\ST_PatchPeripheral.cab
CAB: \Windows\PP_CommManager_Patch_060808.CAB
EXEC:\Extended_ROM\ChgScutAttri.exe
LOCK:Disabled
RST: Reset
P.S. wich is the write command for OS.nba? this is all right command: pdowrite OS.nba 0 0x3900000? thanks
try putting a Cert_SPCS.cab in the first of the config list.
hi, can u tell me where i have to do the first step with the nbhextract.exe??
or can someone send me an image of a xda orbit?
Command "pdocread -l" returns following:
STRG handles:
handle 2e9d5306 2.00M (0x1ff800)
handle 4ea971d2 51.99M (0x33fcc00)
handle 8eae81ae 49.95M (0x31f2000)
handle 6fb26ef6 2.94M (0x2f0000)
handle 4fb26ea2 3.06M (0x30fc00)
so, I don't see 15M partition. Which handle should I use?
XDA Orbit extrom damaged
Hi to all..
Can someone tell me which address I must use from info below to read/write
extrom to XDA Orbit?
Thanks
D:\ArtExtROMtools>pdocread -l
52.99M (0x34fe000) TrueFFS
| 3.06M (0x30fc00) Part00
| 2.94M (0x2f0000) Part01
| 46.99M (0x2efe000) Part02
54.96M (0x36f6000) TrueFFS
| 3.06M (0x30fc00) Part00
| 2.94M (0x2f0000) Part01
| 46.99M (0x2efe000) Part02
2.00M (0x1ff800) TRUEFFS
| 3.06M (0x30fc00) Part00
| 2.94M (0x2f0000) Part01
| 46.99M (0x2efe000) Part02
2.00M (0x1ff800) TRUEFFS
| 3.06M (0x30fc00) Part00
| 2.94M (0x2f0000) Part01
| 46.99M (0x2efe000) Part02
1.87G (0x77a80000) DSK1:
| 1.87G (0x77a60200) Part00
STRG handles:
handle ee3083e6 1.87G (0x77a60200)
handle 8e9ae6de 2.00M (0x1ff800)
handle 4e9e03be 2.00M (0x1ff800)
handle aea9e1c6 54.96M (0x36f6000)
handle 0eaeb1ae 46.99M (0x2efe000)
handle afb29ef2 2.94M (0x2f0000)
handle 4fb29e9e 3.06M (0x30fc00)
disk ee3083e6
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 8e9ae6de
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 4e9e03be
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk aea9e1c6
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 0eaeb1ae
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 33 3d 02 04 0b 0b 16 d8 0c 09 06 62
disk afb29ef2
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 33 3d 02 04 0b 0b 16 d8 0c 09 06 62
disk 4fb29e9e
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 33 3d 02 04 0b 0b 16 d8 0c 09 06 62
D:\ArtExtROMtools>

Backup your Artemis (Mini Tutorial)

Hi guys, I have been looking for a while now how to backup the Artemis ROM. I put up a little tutorial, hope you guys think it is useful.
----------------------------------------------------------
1. Download ITSUTILS by Itsme: http://nah6.com/~itsme/itsutilsbin-20070323.zip
2. Extract the files to a directory.
3. You will find pdocread.exe inside the extracted directory.
4. Make a directory somewhere on a disk, where you want to save the parts to, let's say for example C:\ROM
Backup the following parts like this:
SPL:
pdocread -n 0 -b 0x20000 0 0x100000 C:\ROM\bdk0-spl.nb
CID:
pdocread -n 1 -b 0x10000 0 0x40000 C:\ROM\bdk1-0-cidarea.nb
GSM Data:
pdocread -n 1 -b 0x4000 0x10000 0x4000 C:\ROM\bdk1-4-gsmdata.nb
GSM Radio ROM:
pdocread -n 1 -b 0x40000 0x140000 0x280000 C:\ROM\bdk1-5-gsmcode.nb
Splash Screen:
pdocread -n 1 -G 0x30000 -b 0x10000 0xF0000 0x30000 C:\ROM\bdk1-f-splash.nb
Extended ROM:
pdocread -h 0x[HANDLE] 0 0xf00000 C:\ROM\ExtROM.nb
Change [HANDLE]. You can get the handle by typing pdocread -l. Watch out! The handle is different every time.
OS:
pdocread 0x3500000 C:\ROM\OS.nb
Good luck and if you have any questions feel free to ask them!
And of course a HUGE thanks to pof for finding out these things!
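Both the ExtROM procedure and this backup tutorial depend on picking the right handle from `pdocread -l`, and the handle changes on every restart. The following is an added example, not part of any post and not ITSUTILS code: it parses the "STRG handles" section, selects the ExtROM handle by the 14.99M size reported in the thread, and refuses to guess when no handle or more than one handle matches. Function names and the 1 MiB tolerance are assumptions; the three listings are copied from posts on this page.

```python
import re

HANDLE_RE = re.compile(r"^\s*handle\s+([0-9a-fA-F]{8})\s+\S+\s+\(0x([0-9a-fA-F]+)\)\s*$")
EXTROM_SIZE = 0xEFC400      # 14.99M, the ExtROM partition size shown in the thread
TOLERANCE = 0x100000        # assumption: accept sizes within 1 MiB of the expected one


def parse_strg_handles(listing):
    """Return [(handle, size_in_bytes)] from the 'STRG handles:' section."""
    handles, in_section = [], False
    for line in listing.splitlines():
        text = line.strip()
        if text.startswith("STRG handles"):
            in_section = True
        elif in_section and text.startswith("disk"):
            break                        # per-disk details follow the handle list
        elif in_section:
            m = HANDLE_RE.match(line)
            if m:
                handles.append((m.group(1), int(m.group(2), 16)))
    return handles


def pick_extrom(handles, expected=EXTROM_SIZE, tolerance=TOLERANCE):
    """Return the single handle whose size matches; raise instead of guessing."""
    matches = [h for h, size in handles if abs(size - expected) <= tolerance]
    if not matches:
        raise LookupError("no handle near 0x%x bytes; this device may have no such partition"
                          % expected)
    if len(matches) > 1:
        raise LookupError("ambiguous: %s all match 0x%x bytes" % (", ".join(matches), expected))
    return matches[0]


def read_command(handle, out="extrom.ima"):
    """Build the read-only dump command in the form used in the thread."""
    return "pdocread -h 0x%s 0 0xf00000 %s" % (handle, out)


def describe(listing):
    """One-line outcome for a listing: the command to run, or why none is offered."""
    try:
        return read_command(pick_extrom(parse_strg_handles(listing)))
    except LookupError as exc:
        return "stop: %s" % exc


# Listings copied from posts on this page.
ARTEMIS = """STRG handles:
handle cdfc4c7e 1.89G (0x79120e00)
handle 8e9e43d2 14.99M (0xefc400)
handle aea981c6 38.24M (0x263e000)
handle eeae71ae 50.95M (0x32f4000)
handle cfb25ef6 2.94M (0x2f0000)
handle 2fb25ea2 3.06M (0x30fc00)
"""
NO_15M = """STRG handles:
handle 2e9d5306 2.00M (0x1ff800)
handle 4ea971d2 51.99M (0x33fcc00)
handle 8eae81ae 49.95M (0x31f2000)
handle 6fb26ef6 2.94M (0x2f0000)
handle 4fb26ea2 3.06M (0x30fc00)
"""
TWO_15M = """1.89G (0x79280000) DSK1:
| 1.89G (0x79120e00) Part00
STRG handles:
handle 8fb7d542 1.89G (0x79120e00)
handle 4e99b5ee 14.99M (0xefc400)
handle 4e9e345a 14.99M (0xefc400)
handle 6ea971d2 38.24M (0x263e000)
disk 8fb7d542
0 partitions, 0 binary partitions
"""

if __name__ == "__main__":
    for name, listing in (("ARTEMIS", ARTEMIS), ("NO_15M", NO_15M), ("TWO_15M", TWO_15M)):
        print(name, "->", describe(listing))
```

Because the handle is only valid until the next restart, run `pdocread -l` again and re-select immediately before each read or write.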
i give it a try but where does he write the backup?
What is the program to use for make a backup? I don't understand...
fabbio87 said:
What is the program to use for make a backup? I don't understand...
The instructions are very clear, try to read again guys. You have to type these commands in the DOS command window (Click Start -> Run..., type CMD on the Open box then Click OK)
rvbcrs said:
OS:
pdocread 0x350000 C:\ROM\OS.nb
Thanks rvbcrs, I would like to make a correction here
0x3500000 instead of 0x350000
furthermore they are different from Artemis derivations
for ARTE100 (HTC P3300) it is 0x3900000
for ARTE200 (O2 Orbit) it is 0x3500000
for ARTE300 (LOVE, i.e Dopod M700) it is 0x3E00000
correct me if I am wrong!
@all sorry about my english
If my phone brick how can i write origin OS to my phone.
pls guide me in details because i'm newbie
thanks for your kind!
Tamagochi said:
The instructions are very clear, try to read again guys. You have to type these commands in the DOS command window (Click Start -> Run..., type CMD on the Open box then Click OK)
i know i have to type it in a dos box but where does the program write the backup of the os to. i get the following message: hexdumpTFSToStdout(0x3900000, 0x0)
i have a arte100 device (p3300)
rvbcrs wrote:
4. Make a directory somewhere on a disk, where you want to save the parts to lets say for example C:\ROM
Where is the problem? C:\ROM
Realflo said:
rvbcrs wrote:
Where is the problem? C:\ROM
Yes I know, but the OS.nb gives an error and the program is busy for about 2 minutes and there is no file in the c:\rom directory. The only thing I get is this message:
hexdumpTFSToStdout(0x3900000, 0x0)
pvdhelm said:
i know i have to type it in a dos box but where does the program write the backup of the os to. i get the following message: hexdumpTFSToStdout(0x3900000, 0x0)
i have a arte100 device (p3300)
I have the same problem.
After the command :
I:\pda\rom>pdocread 0x3900000 I:\pda\rom\Bachup\OS.nb
HexdumpTFFSToStdout(0x3900000, 0x0)
and nothing ....
IN :
Extended ROM:
pdocread -h 0x[HANDLE] 0 0xf00000 C:\ROM\ExtROM.nb
Change [HANDLE]. You can get the handle by typing pdocread -l Watch out! the Handle is different every time
What is my [HANDLE] ? I can't see which one ?
my command pdocread -l :
56.95M (0x38f4000) TrueFFS
| 3.06M (0x30fc00) Part00
| 2.94M (0x2f0000) Part01
| 50.95M (0x32f4000) Part02
38.24M (0x263e000) TrueFFS
| 3.06M (0x30fc00) Part00
| 2.94M (0x2f0000) Part01
| 50.95M (0x32f4000) Part02
14.99M (0xefc400) TRUEFFS
| 3.06M (0x30fc00) Part00
| 2.94M (0x2f0000) Part01
| 50.95M (0x32f4000) Part02
14.99M (0xefc400) TRUEFFS
| 3.06M (0x30fc00) Part00
| 2.94M (0x2f0000) Part01
| 50.95M (0x32f4000) Part02
1.89G (0x79280000) DSK1:
| 1.89G (0x79120e00) Part00
STRG handles:
handle 8fb7d542 1.89G (0x79120e00)
handle 4e99b5ee 14.99M (0xefc400)
handle 4e9e345a 14.99M (0xefc400)
handle 6ea971d2 38.24M (0x263e000)
handle 8eae71ae 50.95M (0x32f4000)
handle efb25ef2 2.94M (0x2f0000)
handle 0fb25e9e 3.06M (0x30fc00)
disk 8fb7d542
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 4e99b5ee
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 4e9e345a
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 6ea971d2
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 8eae71ae
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 6f 11 01 01 28 13 0a 78 07 08 06 f8
disk efb25ef2
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 6f 11 01 01 28 13 0a 78 07 08 06 f8
disk 0fb25e9e
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 6f 11 01 01 28 13 0a 78 07 08 06 f8
ALL: It is necessary to do Application unlock beforehand:
Use
1) Cert_SPCS.cab
2) EnableRapi.cab
arc said:
ALL: It is necessary to do Application unlock beforehand:
Use
1) Cert_SPCS.cab
2) EnableRapi.cab
get the same error message as before i installed the .cab files
pvdhelm said:
get the same error message as before i installed the .cab files
Same for me ....
And don't know which HANDLE I have to use from the list http://forum.xda-developers.com/showpost.php?p=1324492&postcount=10
pvdhelm: Mistake in syntax.
Use :
pdocread 0x0 0x3900000 OS.nb0
I knew something was missing
Thanks
Now I have my ROms Backup ...
What can I do with it
It seems that if you want to restore you need to sign the ROMs
Questions :
Sign all of them ?
Only OS ?
how to sign them ?
Do I use pdocwrite ?
Do I use the beautiful Artemis Update SPL (USPL) v.01 from pof (great job!!) ?
thanks
If you have USPL - use htcrt for making ROM in nbh .
http://forum.xda-developers.com/showthread.php?t=311909
htcrt- do signature for USPL - this signature not HTC -only if you use USPL.
You may create only System -OS.nb0
Tamagochi said:
Thanks rvbcrs, I would like to make a correction here
0x3500000 instead of 0x350000
furthermore they are different from Artemis derivations
for ARTE100 (HTC P3300) it is 0x3900000
for ARTE200 (O2 Orbit) it is 0x3500000
for ARTE300 (LOVE, i.e Dopod M700) it is 0x3E00000
correct me if I am wrong!
Great thanks! I can't test these values.. so I will write them down, but I don't know if it will work..
arc said:
If you have USPL - use htcrt for making ROM in nbh .
http://forum.xda-developers.com/showthread.php?t=311909
htcrt- do signature for USPL - this signature not HTC -only if you use USPL.
You may create only System -OS.nb0
Amen to that! hehe..
Extended ROM:
pdocread -h 0x[HANDLE] 0 0xf00000 C:\ROM\ExtROM.nb
Change [HANDLE]. You can get the handle by typing pdocread -l Watch out! the Handle is different every time
How do I know which handle I use?
after the backup i got this files:
is this good?
bdk0-spl.nb 1.00 mb
bdk1-0-cidarea.nb 256 kb
bdk1-4-gsmdata.nb 16 kb
bdk1-5-gsmcode.nb 2.50mb
bdk1-f-splash.nb 192 kb
OS.nb0 56.0mb

Symbol MC35

Can anybody point me in the right direction about getting a New windows Mobile install for this and how to unlock the sim
any help would be much appreciated
Symbol (Motorola) MC35
Here is a link to firmware
http://support.symbol.com/support/product/MC35.html
Unfortunately no sign of WM6 for this yet hopefully one day
Symbol Motorola MC35 ROM Dumping
itsutils would not work for me by default so I used regeditSTG2 to change
HKLM\Security\Policies\Policies
valuename '00001001' was set to dword:2, changed it to dword:1
Now the unsigned dll can run
Next
C:\its>pdocread.exe -l
47.95M (0x2ff4000) TRUEFFS
| 1.50M (0x17fc00) Part00
| 1.69M (0x1b0000) Part01
| 28.81M (0x1cd0000) Part02
17.98M (0x11fb800) TRUEFFS
| 1.50M (0x17fc00) Part00
| 1.69M (0x1b0000) Part01
| 28.81M (0x1cd0000) Part02
46.97M (0x2ef8000) TRUEFFS
| 1.50M (0x17fc00) Part00
| 1.69M (0x1b0000) Part01
| 28.81M (0x1cd0000) Part02
STRG handles:
handle 47ec1cee 46.92M (0x2eeb400)
handle 67ee0c3a 17.96M (0x11f7000)
handle 67f327c6 28.81M (0x1cd0000)
handle a7f326ae 1.69M (0x1b0000)
handle 67f3268a 1.50M (0x17fc00)
disk 47ec1cee
3 partitions, 3 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 c5 5d 01 02 3a 1e 0d 7a 07 07 06 2d
disk 67ee0c3a
3 partitions, 3 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 c5 5d 01 02 3a 1e 0d 7a 07 07 06 2d
disk 67f327c6
3 partitions, 3 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 c5 5d 01 02 3a 1e 0d 7a 07 07 06 2d
disk a7f326ae
3 partitions, 3 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 c5 5d 01 02 3a 1e 0d 7a 07 07 06 2d
disk 67f3268a
3 partitions, 3 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 c5 5d 01 02 3a 1e 0d 7a 07 07 06 2d
Now let's dump them
C:\its>pdocread -w -d TRUEFFS -p Part00 0 0x17fc00 Part00.raw
CopyTFFSToFile(0x0, 0x17fc00, Part00.raw)
C:\its>pdocread -w -d TRUEFFS -p Part01 0 0x1b0000 Part01.raw
CopyTFFSToFile(0x0, 0x1b0000, Part01.raw)
C:\its>pdocread -w -d TRUEFFS -p Part02 0 0x1cd0000 Part02.raw
CopyTFFSToFile(0x0, 0x1cd0000, Part02.raw)
Symbol Motorola MC35 is now Dumped!
Now What?
oooooo any progress with this? i really want to get an mc35 but i would miss the community support

[TUT] How to make a custom ROM for Samsung ATIV S

This tutorial is about making a custom ROM for ATIV S or any other Samsung WP8 phone.
Samsung ROM files:
.wp8 - main file with OS and boot
.csc - file with regional info
.smd - ROM for WP7 devices
All those files have (almost) the same format. I call it SMD. Old .smd file can be unpacked using this instruction, back in time smd-tool was made for it, but format changed slightly. This process was only tested on ATIV S.
CSC
.csc files aren't flashed to device, those are just containers for MBN files. And MBN files are copied to DPP during flashing process.
AS ALWAYS, YOU ARE DOING THIS AT YOUR OWN RISK! AND GOOD LUCK
Tutorial contents
Basic:
Making custom CSC (.mbn)
Extracting SMD
How to work with "packed" partitions
What to edit in ROM
Packing SMD
Advanced:
Making CSC from MBN
Making developer ROM
Making custom CSC (.mbn)
Software
sam-tools
Any tool for mounting drive images (OSFMount)
MBN Creator
MBN Creator is a kitchen itself. It has some limitations, but creating MBNs with MBN Creator is very easy. This method is described in the end.
Unpacking CSC files
Official CSCs come in .csc files. Use smd-tool to unpack file.csc to csc_dump folder:
Code:
smd-tool /u file.csc /d csc_dump
Now mount DPP.bin and copy CSC.mbn file from it. Unmount DPP then.
Code:
\Samsung\CSC\CSC.mbn
Now use mbn-tool to extract files from csc.mbn to mbn_dump folder:
Code:
mbn-tool /u csc.mbn /d mbn_dump
Every folder in mbn_dump is for one CSC code. There are 4 files inside every folder (AUT for ex.):
SS_AUT.ini - init values for welcome screen (first boot). Language, region, timezone and carrier.
SS_AUT.reg - registry file.
SS_AUT_AppInstall.provxml - PROVXML file with (and only) install app instructions.
SS_AUT_CSC.xml - PROVXML file.
Warning! There is a size limit for any file ~50KB. MBN itself is limited to DPP free space.
Packing MBN
Code:
mbn-tool /p mbn_dump /f my.mbn /ver I8750OXXCMK2 /subver OXX
CSC version (I8750OXXCMK2) should be greater or equal to your ROM version. Otherwise it will be ignored. DOC2 CSC will work on CMK2 ROM, but not vice versa!
Warning! Official DNI and DOC ROMs don't support custom MBNs.
Using MBN Creator
You can apply predefined tweaks from 1st tab or add your own directly into files. Last tab contains MBN file properties. MBN Creator is limited to only one CSC code.
You can check your work in
Code:
MBN Creator temp
folder. Output file is CSC.mbn.
Flashing MBN with MBN Creator
Reboot phone into Download Mode
Connect to PC and install drivers
Copy or create CSC.mbn file
Press Flash, Scan
Choose CSC code and press Flash
All done. Reset phone. Perform HR if MBN didn't apply.
Warning! MBN Creator can't flash files larger than 64KB.
Flashing MBN with stock Downloader
Open .wp8 and .mbn files
Check "Select" and uncheck everything but "CSC"
If flasher asks you about something click NO
Extracting SMD
Software
sam-tools
Any tool for mounting drive images (OSFMount)
Unpack
Unpack file.wp8 to dump folder
Code:
smd-tool /u file.wp8 /d dump
Output example:
Code:
Partition name NAND off N size ROM off R size Part. ID Type Status
GPT 00000000 00000800 00200C00 0000FC00 00000000 00000000 [ OK ]
SECURE 00000800 00000800 00210800 00000400 00000001 00000000 [ OK ]
DPP 00001000 00004000 00210C00 00800000 00000002 00000000 [ OK ]
SBL1 00008000 00000BB7 00A10C00 0016A400 00000003 00000000 [ OK ]
SBL2 P 00009000 00000BB7 00B7B000 0016A400 00000004 00000000 [ OK ]
SBL3 0000A000 00000FFF 00CE5400 001F8000 00000005 00000000 [ OK ]
UEFI S 0000B000 00001387 00EDD400 00207C00 00000006 00000000 [ OK ]
RPM 0000D000 000003E7 010E5000 0006E400 00000007 00000000 [ OK ]
TZ 0000E000 000003E7 01153400 0006E400 00000008 00000000 [ OK ]
WINSECAPP 0000F000 000003FF 011C1800 0007E000 00000009 00000000 [ OK ]
PLAT 0001A000 00003FFF 0123F800 00742800 0000000A 00000000 [ OK ]
EFIESP 00020000 0001FFFF 01982000 0094A400 0000000B 00000000 [ OK ]
MMOS 00046000 0002403F 022CC400 0440B800 0000000C 00000000 [ OK ]
MainOS 0006C000 004B295F 066D7C00 61F20000 0000000D EACCE221 [ OK ]
Data 00520000 01838FFF 685F7C00 02920000 0000000E EACCE221 [ OK ]
Output files:
header - header of SMD
GPT - partition table
PLAT, EFIESP, MMOS - partitions with FAT file system
MainOS and Data - NTFS partitions
other files - bootloader and other low level stuff
DPP partition isn't flashed to phone. In wp8 file it's empty.
EACCE221 means that partition is packed.
How to work with "packed" partitions
Software
sam-tools
Any tool for mounting drive images (OSFMount)
Unpack
Large zero areas are cut off from those partitions. image-rebase can restore such files.
Code:
image-rebase /u MainOS.bin /o MainOS.img
You can now mount and edit MainOS.img.
Warning! Data partition is very large and almost empty.
Pack
First of all slice image file:
Code:
image-rebase /s MainOS.img /z 2048
This command will cut off zero areas larger than 2048 sectors (1MB).
MainOS.img.xml is a template file.
Now you can glue files together using template:
Code:
image-rebase /p MainOS.bin /t MainOS.img.xml
What to edit in ROM
CSCMgr
This service applies MBN file. The idea is to downgrade it to CMK2 (GDR3) version. To do so replace those files:
system32\CSCMgr.dll
system32\CSCMgrSvc.dll
system32\drivers\CSCMgrSvc.dll (yes, it's a copy)
FCRouter
This service is used by Samsung system tools to perform actions with high privileges. Files:
system32\FCRouter.dll
system32\FCRouterProxy.dll
system32\drivers\FCRouter.dll
system32\drivers\FCDriver.dll
Registry hives
Code:
system32\config
You can edit those hives as you want. But HR will destroy all your work.
OSRepack
It's a simple tool to work with packages on mounted partitions. Available here.
SDelete
There is a tool called SDelete which can fill all free space on a drive with zeros.
Code:
sdelete -z X:
Very useful for non-developer ROMs.
Packing SMD
Software
sam-tools
Hex editor (HxD)
Pack MainOS image
Code:
image-rebase /s MainOS.img /z 2048
image-rebase /p MainOS.bin /t MainOS.img.xml
Prepare SMD header
It's not really a header but the first part of the file. This file can be used as a template for your later work. It contains all partitions except MainOS.
Code:
smd-tool /info file.wp8
This command will give you some info about SMD file structure. Open it in hex editor and copy all data up to MainOS ROM offset to a new file. Add Data.bin to this new file.
There are some structures at the start of file. For example:
4D 61 69 6E 4F 53 00 00 00 00 00 00 00 00 00 00
00 C0 06 00 5F 29 4B 00 00 7C FF 08 00 0E AD 61
1F 1F 1F 1F 00 00 00 00 21 E2 CC EA 00 00 00 00
2B C2 5E C9 6A 2F 0B E1 6F 1C 95 FC 49 FF E9 FD
Start and length are colored.
Warning! Those numbers are little endian (12345678 = 78 56 34 12)
Replace Data Start with MainOS Start. You can use Ctrl+C & Ctrl+B (copy and paste with replace).
Replace MainOS Start with length of this (template) file.
Save file.
Adding MainOS
Add MainOS.img to your template.
Replace MainOS Length with length (in bytes) of MainOS.bin file.
Replace 16 bytes at offset 0x50 with zeros.
Compute the MD5 hash of the file (HxD can do it) and write it at 0x50 (^C & ^B).
Save this file as .wp8
You can check numbers you entered with following command:
Code:
smd-tool /info custom.wp8
Warning! This .wp8 file can only be flashed with Downloader v3.54
Making CSC from MBN
Software
Hex editor (HxD)
Pack
Open CSC file in HxD.
At 0x00A00C00 it has MBN file contents.
Replace it with your MBN and fill rest of the CSC with zeros.
Warning! This file can't be unpacked with this instruction because FAT is broken. You can unpack it manually.
Correct MD5 as you did for WP8 file.
Warning! This CSC can fool Downloader but not phone. New CSCMgr will still ignore custom MBN.
Making developer ROM
Such ROMs can be directly mounted with OSFMount.
This command will pseudo slice MainOS.img:
Code:
image-rebase /s MainOS.img /z 4000000
Entire partition will be in one piece.
If you pack SMD with this file you can mount it and edit without repacking SMD.
In OSFMount enter offset equal to MainOS ROM offset + 0x1000.
Don't forget to recalculate MD5 after edit.
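The header fields and the MD5 rule from the "Packing SMD" steps above, as an added Python example (not part of the original post and not sam-tools code): it decodes the MainOS entry quoted in the tutorial and checks the MD5 stored at 0x50. The 64-byte entry layout is an assumption inferred from the smd-tool output columns; the bytes marked unknown are kept raw.

```python
import hashlib
import io
import struct

PACKED_MARKER = 0xEACCE221   # value the tutorial says marks a "packed" partition
MD5_OFFSET = 0x50            # where the tutorial writes the file MD5
MD5_LEN = 16
# Assumed layout: 16-byte name, eight little-endian dwords, 16 trailing bytes.
ENTRY_FMT = "<16s8I16s"

# The MainOS entry exactly as quoted in the tutorial.
MAINOS_ENTRY = bytes.fromhex(
    "4D61696E4F5300000000000000000000"
    "00C006005F294B00007CFF08000EAD61"
    "1F1F1F1F0000000021E2CCEA00000000"
    "2BC25EC96A2F0BE16F1C95FC49FFE9FD"
)


def parse_entry(raw):
    """Decode one 64-byte partition entry into named fields."""
    if len(raw) != struct.calcsize(ENTRY_FMT):
        raise ValueError("expected a 64-byte entry")
    (name, nand_off, nand_size, rom_off, rom_size,
     unk0, unk1, ptype, unk2, tail) = struct.unpack(ENTRY_FMT, raw)
    return {
        "name": name.split(b"\0", 1)[0].decode("ascii", "replace"),
        "nand_off": nand_off,      # "NAND off" column
        "nand_size": nand_size,    # "N size" column
        "rom_off": rom_off,        # "Start": byte offset inside the SMD file
        "rom_size": rom_size,      # "Length": size in bytes inside the SMD file
        "packed": ptype == PACKED_MARKER,
        "unknown": (unk0, unk1, unk2, tail),   # meaning not given on the page
    }


def entry_problems(entry, file_len):
    """Return human-readable problems with an entry for a file of file_len bytes."""
    problems = []
    if entry["rom_off"] < MD5_OFFSET + MD5_LEN:
        problems.append("ROM offset overlaps the start-of-file structures")
    if entry["rom_off"] + entry["rom_size"] > file_len:
        problems.append("ROM offset + size runs past the end of the file")
    return problems


def md5_fields(stream):
    """Return (stored, computed) MD5 for an SMD stream.

    The digest is taken over the whole file with the 16 bytes at 0x50
    treated as zeros, as the tutorial describes.
    """
    head = stream.read(MD5_OFFSET + MD5_LEN)
    if len(head) < MD5_OFFSET + MD5_LEN:
        raise ValueError("file too short to hold the MD5 field")
    stored = head[MD5_OFFSET:]
    digest = hashlib.md5(head[:MD5_OFFSET] + bytes(MD5_LEN))
    for chunk in iter(lambda: stream.read(1 << 20), b""):
        digest.update(chunk)
    return stored, digest.digest()


def image_md5_ok(data):
    """True when the MD5 stored at 0x50 matches the file contents."""
    stored, computed = md5_fields(io.BytesIO(data))
    return stored == computed


def with_md5(data):
    """Return a copy of data with the recomputed MD5 written at 0x50."""
    _, computed = md5_fields(io.BytesIO(data))
    return data[:MD5_OFFSET] + computed + data[MD5_OFFSET + MD5_LEN:]


if __name__ == "__main__":
    entry = parse_entry(MAINOS_ENTRY)
    for key in ("nand_off", "nand_size", "rom_off", "rom_size"):
        print(f"{key:9} {entry[key]:08X}")
    print("packed   ", entry["packed"])
    # For a real file: with open("custom.wp8", "rb") as f: print(md5_fields(f))
```

For a real image, open the file in binary mode and pass it to md5_fields; the file is read in 1 MB chunks, so the multi-gigabyte .wp8 is never loaded whole.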
OMG, WOLF! People tell me that my tutorials are too long. But you are a true match for me!! :highfive:
Congrats on this great achievement! :victory:
Wow! Huge thanks for rewriting these tutorials in English; I wasn't expecting you to do it so soon! Can't wait to play around and to see what others come up with.
I play around with the replacement of files FC Router + WP8 Diag on my GT-I8750 (from the SM-W750V, SPH-I800, SGH-I187, SGH-T899M), in the end everything works.
Powered mode Smart Download.
So it could be possible to use the ATIV S version of CSCMgr on SE. And SE will then have custom MBN.
Yea, that's what I gathered from the info as well. Unfortunately I won't have time to try this out for another 4-7 days but I'll let you know if I do. And if you (or anyone else) feels like whipping it up and you need someone to try it, shoot me a PM.
Added info about sdelete and OSRepack to "What to edit in ROM"
I have an idea to record full process of ROM making and upload it on Youtube. Will it be useful?
Added poll.

[GUIDE] Enable China Telecom LTE by modifying modem partitions

YOU ARE DOING THIS AT YOUR OWN RISK. But I succeeded and I suppose it will work for others.
My thread in Chinese:
http://tieba.baidu.com/p/5666986960...14141&unique=C1FF2FC2F12BF43C9E62C4918B0688A2
In English:
Just download this modem.img
https://pan.baidu.com/s/1Qu5W_Gw3qCk32M4L4JMecg
IMG is based on 8.1 latest modem. If you are on 8.0/7.1, please try carefully
And flash it to both modem partitions.
fastboot flash modem_a .........\modem.img
fastboot flash modem_b .........\modem.img
And wipe userdata and FRP.
fastboot erase userdata
fastboot erase frp (Optional. To skip setup wizard.)
Then turn the phone on.
Done.
Why?
On initial SIM insertion, Android copies carrier config files into data and then flashes one of them into modemst.
I just changed all mcfg_sw.mbn files into 1+3T's, which supports CT.
Get the single mbn file here:
https://pan.baidu.com/s/1QrDefK44bNu9VWUR8fOjEA
On Pixel 2 this way probably works I think. Anyone going to try?
hv a look into 2XL factory image and there's no mcfg_sw.mbn in modem.img:crying:
Sent from my Pixel 2 XL using XDA Labs
This method can theoretically be used to get functioning 2x CA and 3x CA on the US models in Europe and elsewhere. I have managed to enable 256QAM from the Australian modem config file on a US model; this happened by replacing some mbn files (somehow it set it in place without having to wipe anything, not sure how).
I have not managed to make the CA work yet. Wonder if anyone has a proper modem config for this and if wiping really is necessary for this.
As I understand:
1) mbns go to /firmware/radio/modem_pr/mcfg/configs/mcfg_sw/generic/*
2) If you wipe data, or delete the radio folder in this point, it copies/regenerates the files from point 1 to /data/misc/radio/modem_config/mcfg_sw/generic/*
3) The EFS generates its carrier_policy.xml under policyman from the data partition?
Whatever I do to the carrier_policy.xml, it doesn't change anything. The UE EUTRA policy remains the same.
Thanks for your post, this is the best way I can find to enable China Telecom LTE on Pixel.
Based on your post, I did some further checks, and found a way to do this without erasing data partition, and even no need to root.
Successfully tested on my Pixel running Android P.
Same as your method, we will change modem.img and copy mcfg_sw.mbn from 1+3T's image.
From the aosp source code, we can see that the init.radio.sh will copy configs from modem.img if the versions in ver_info.txt is changed.
So we can just simply change the version to another value, and it will copy the new configs.
The following are the detailed steps, we need a Linux environment to mount modem.img:
1. extract modem.img from Pixel factory image.
2. extract NO-HLOS.bin from 1+ 3T factory image (download from oneplus).
3. In order to add new files into modem.img, first need to expand its size:
Code:
dd if=/dev/zero of=modem.img bs=4096 count=100 conv=notrunc oflag=append
This command appends about 400KB to the end of the modem.img.
The total size of CT configs in 1+ 3T is about 230KB, but you can change to a larger count if you need to add more files.
4. mount modem.img:
Code:
mkdir modem
sudo mount -o loop modem.img modem
5. mount NO-HLOS.bin:
Code:
mkdir oneplus
sudo mount -o loop NO-HLOS.bin oneplus
6. create a "china" folder, since we only copy the CT configs, and skip CMCC and CU configs.
Code:
sudo mkdir modem/modem_pr/mcfg/configs/mcfg_sw/generic/china/
7. copy CT configs from oneplus:
Code:
sudo cp -r oneplus/image/modem_pr/mcfg/configs/mcfg_sw/generic/china/ct modem/modem_pr/mcfg/configs/mcfg_sw/generic/china/
8. change the ver_info.txt:
Code:
sudo vim modem/modem_pr/verinfo/ver_info.txt
It is enough to only change the last digit.
9. umount the images:
Code:
sync
umount modem
umount oneplus
10. flash the modem.img:
Code:
fastboot flash modem_a modem.img
fastboot flash modem_b modem.img
fastboot reboot
After reboot, Pixel will be able to use China Telecom LTE.
sbjbs said:
Thanks for your post, this is the best way I can find to enable China Telecom LTE on Pixel.
Based on your post, I did some further checks, and found a way to do this without erasing data partition, and even no need to root.
Successfully tested on my Pixel running Android P.
Same as your method, we will change modem.img and copy mcfg_sw.mbn from 1+3T's image.
From the aosp source code, we can see that the init.radio.sh will copy configs from modem.img if the versions in ver_info.txt is changed.
So we can just simply change the version to another value, and it will copy the new configs.
The following are the detailed steps, we need a Linux environment to mount modem.img:
1. extract modem.img from Pixel factory image.
2. extract NO-HLOS.bin from 1+ 3T factory image (download from oneplus).
3. In order to add new files into modem.img, first need to expand its size:
This command appends about 400KB to the end of the modem.img.
The total size of CT configs in 1+ 3T is about 230KB, but you can change to a larger count if you need to add more files.
4. mount modem.img:
5. mount NO-HLOS.bin:
6. create a "china" folder, since we only copy the CT configs, and skip CMCC and CU configs.
7. copy CT configs from oneplus:
8. change the ver_info.txt:
It is enough to only change the last digit.
9. umount the images:
10. flash the modem.img:
After reboot, Pixel will be able to use China Telecom LTE.
Could this work on Pixel 3? Any idea which mbn files I'd need to get wifi calling? Like, what would I do if I wanted Deutsche Telekom mb files to replace what my phone is currently using?
matkwok said:
hv a look into 2XL factory image and there's no mcfg_sw.mbn in modem.img:crying:
Yup. They changed filesystems or setup on the 2 and 3 . I saw that they do exist in modem partition on 2 but I haven't seen any of those files in the 3 yet.
TEEEEEEEEED said:
YOU ARE DOING THIS AT YOUR OWN RISK. But I succeeded and I suppose it will work for others.
My thread in Chinese:
http://tieba.baidu.com/p/5666986960...14141&unique=C1FF2FC2F12BF43C9E62C4918B0688A2
In English:
Just download this modem.img
https://pan.baidu.com/s/1Qu5W_Gw3qCk32M4L4JMecg
IMG is based on 8.1 latest modem. If you are on 8.0/7.1, please try carefully
And flash it to both modem partitions.
fastboot flash modem_a .........\modem.img
fastboot flash modem_b .........\modem.img
And wipe userdata and FRP.
fastboot erase userdata
fastboot erase frp (Optional. To skip setup wizard.)
Then turn the phone on.
Done.
Why?
On initial SIM insertion, Android copies carrier config files into data and then flashes one of them into modemst.
I just changed all mcfg_sw.mbn files into 1+3T's, which supports CT.
Get the single mbn file here:
https://pan.baidu.com/s/1QrDefK44bNu9VWUR8fOjEA
On Pixel 2 this way probably works I think. Anyone going to try?
What's the difference from just moving the mbn to replace the one in the phone?
Also, could you do this for my pixel 3? I need mbns from Xperia xx3 I think
Xdevillived666 said:
Could this work on Pixel 3? Any idea which mbn files I'd need to get wifi calling? Like, what would I do if I wanted Deutsche Telekom mb files to replace what my phone is currently using?
I can't tell you if it can work on Pixel 3, because I don't have a Pixel 3.
I have checked the modem.img in Pixel 3 factory image, there is no "modem_pr" directory, which contains the config files.
But I have also checked the Pixel 3's init.radio.sh; it will check the ver_info.txt and still copies the "modem_pr" directory:
Code:
cp -r /firmware/image/modem_pr/mcfg/configs/* /data/vendor/radio/modem_config
So I guess you can create the directory and copy config files into it. And don't forget to change the ver_info.txt.
This is the structure of Pixel 1 modem.img:
Code:
├── mba.mbn
├── modem.b00
├── modem.b01
├── modem.b02
├── modem.b03
├── modem.b04
├── modem.b05
├── modem.b06
├── modem.b07
├── modem.b08
├── modem.b09
├── modem.b10
├── modem.b11
├── modem.b12
├── modem.b13
├── modem.b15
├── modem.b16
├── modem.b17
├── modem.b18
├── modem.b19
├── modem.b20
├── modem.mdt
├── modem_pr
│   ├── mcfg
│   │   └── configs
│   │       └── mcfg_sw
│   │           └── generic
│   │               ├── apac
│   │               ├── aus
│   │               ├── china
│   │               ├── common
│   │               ├── eu
│   │               └── na
│   └── verinfo
│       └── ver_info.txt
├── qdsp6m.qdb
└── version.cfg
This is the structure of Pixel 3 modem.img:
Code:
├── image
│ ├── mba.mbn
│ ├── modem.b00
│ ├── modem.b01
│ ├── modem.b02
│ ├── modem.b03
│ ├── modem.b04
│ ├── modem.b05
│ ├── modem.b06
│ ├── modem.b07
│ ├── modem.b08
│ ├── modem.b09
│ ├── modem.b10
│ ├── modem.b11
│ ├── modem.b12
│ ├── modem.b13
│ ├── modem.b14
│ ├── modem.b15
│ ├── modem.b16
│ ├── modem.b17
│ ├── modem.b18
│ ├── modem.b19
│ ├── modem.b20
│ ├── modem.b21
│ ├── modem.b22
│ ├── modem.b23
│ ├── modem.b24
│ ├── modem.b25
│ ├── modem.b26
│ ├── modem.b27
│ ├── modem.b28
│ ├── modem.b29
│ ├── modem.mdt
│ ├── modemr.jsn
│ ├── qdsp6m.qdb
│ └── version.cfg
└── verinfo
    └── ver_info.txt
I don't know the structure inside the modem_pr directory for Pixel 3. You may try the same structure as Pixel 1, or you can check the existing structure in /data/vendor/radio/modem_config/
sbjbs said:
I can't tell you if it can work on Pixel 3, because I don't have a Pixel 3.
I have checked the modem.img in Pixel 3 factory image, there is no "modem_pr" directory, which contains the config files.
But I have also checked the Pixel 3's init.radio.sh; it will check the ver_info.txt and still copies the "modem_pr" directory:
So I guess you can create the directory and copy config files into it. And don't forget to change the ver_info.txt.
This is the structure of Pixel 1 modem.img:
This is the structure of Pixel 3 modem.img:
I don't know the structure inside the modem_pr directory for Pixel 3. You may try the same structure as Pixel 1, or you can check the existing structure in /data/vendor/radio/modem_config/
Thanks mate. I know they changed the location for mbn files. I only found it a week ago or so.
Vendor/rfs/msm/mpss/read only/vendor/mbn/mcfg_sw
I'm guessing then that this means I can't use the same method and would have to repack vendor?
How would I change ver_info.txt? Can I modify the existing one ?
And would this be the right one or would I have to do it inside the modem image for ver_info.txt?
Xdevillived666 said:
And would this be the right one or would I have to do it inside the modem image for ver_info.txt?
On Pixel 1, the modem.img is mounted read-only on /firmware/radio
On Pixel 3, the modem.img is mounted read-only on /vendor/firmware_mnt, and /firmware is a symlink which links to /vendor/firmware_mnt
If you want to change the ver_info.txt, you can remount /vendor/firmware_mnt for read-write if you have root permission.
you also can change it in modem.img and flash it.
since the location was changed, I don't know when and who will copy config files from "Vendor/rfs/msm/mpss/read only/vendor/mbn/mcfg_sw",
so I'm not sure if this method still works. but you can try it. good luck.
---------- Post added at 06:56 PM ---------- Previous post was at 06:47 PM ----------
Xdevillived666 said:
And would this be the right one or would I have to do it inside the modem image for ver_info.txt?
for Pixel 3, the old ver_info.txt is located at:
/data/vendor/radio/ver_info.txt
you may check its content first.
This is part of the content of init.radio.sh for Pixel 3:
Code:
#
# Make modem config folder and copy firmware config to that folder for RIL
#
if [ -f /data/vendor/radio/ver_info.txt ]; then
    prev_version_info=`cat /data/vendor/radio/ver_info.txt`
else
    prev_version_info=""
fi
cur_version_info=`cat /firmware/verinfo/ver_info.txt`
if [ ! -f /firmware/verinfo/ver_info.txt -o "$prev_version_info" != "$cur_version_info" ]; then
    rm -rf /data/vendor/radio/modem_config
    mkdir /data/vendor/radio/modem_config
    chmod 770 /data/vendor/radio/modem_config
    cp -r /firmware/image/modem_pr/mcfg/configs/* /data/vendor/radio/modem_config
    chown -hR radio.radio /data/vendor/radio/modem_config
    cp /firmware/verinfo/ver_info.txt /data/vendor/radio/ver_info.txt
    chown radio.radio /data/vendor/radio/ver_info.txt
fi
cp /firmware/image/modem_pr/mbn_ota.txt /data/vendor/radio/modem_config
chown radio.radio /data/vendor/radio/modem_config/mbn_ota.txt
echo 1 > /data/vendor/radio/copy_complete
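The version gate in the init.radio.sh excerpt above, as an added Python example (not code from the posts or from AOSP): it reports whether the script would re-copy the configs and which files differ between the image and the staged copy. The function names, the directory arguments and the constructed sample tree are assumptions; on a device the paths are the ones in the excerpt.

```python
import hashlib
import tempfile
from pathlib import Path


def read_version(path):
    """Contents of a ver_info.txt the way `cat` in backticks yields them."""
    try:
        return Path(path).read_text(errors="replace").rstrip("\n")
    except FileNotFoundError:
        return None


def would_recopy(fw_ver, staged_ver):
    """Mirror the script's test: recopy if the firmware file is missing
    or its contents differ from the copy saved on the data partition."""
    cur = read_version(fw_ver)
    prev = read_version(staged_ver) or ""
    return cur is None or prev != cur


def tree_digests(root):
    """Map each file's path relative to root to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def audit(fw_configs, staged_configs):
    """Compare the configs in the mounted image with the staged copy."""
    fw, staged = tree_digests(fw_configs), tree_digests(staged_configs)
    return {
        "only_in_firmware": sorted(fw.keys() - staged.keys()),
        # On Pixel 3 mbn_ota.txt is copied in separately, so it shows up here.
        "only_staged": sorted(staged.keys() - fw.keys()),
        "changed": sorted(k for k in fw.keys() & staged.keys() if fw[k] != staged[k]),
    }


def demo():
    """Run the checks on a constructed tree: one config added to the image and
    one changed, first with the same version string, then with a bumped one."""
    with tempfile.TemporaryDirectory() as tmp:
        fw, data = Path(tmp, "firmware"), Path(tmp, "data_vendor_radio")
        cfg = fw / "image/modem_pr/mcfg/configs"
        staged = data / "modem_config"
        files = {
            cfg / "mcfg_sw/generic/common/mcfg_sw.mbn": b"constructed-common-v2",
            cfg / "mcfg_sw/generic/china/ct/mcfg_sw.mbn": b"constructed-ct",
            staged / "mcfg_sw/generic/common/mcfg_sw.mbn": b"constructed-common-v1",
            fw / "verinfo/ver_info.txt": b"constructed-version-1\n",
            data / "ver_info.txt": b"constructed-version-1\n",
        }
        for path, content in files.items():
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(content)
        before = would_recopy(fw / "verinfo/ver_info.txt", data / "ver_info.txt")
        report = audit(cfg, staged)
        (fw / "verinfo/ver_info.txt").write_bytes(b"constructed-version-2\n")
        after = would_recopy(fw / "verinfo/ver_info.txt", data / "ver_info.txt")
        return before, report, after


if __name__ == "__main__":
    before, report, after = demo()
    print("recopy with unchanged version:", before)
    print("differences:", report)
    print("recopy after version bump:", after)
```

With the version string unchanged the staged copy stays stale even though the image differs, which is why the posts change ver_info.txt.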
sbjbs said:
On Pixel 1, the modem.img is mounted read-only on /firmware/radio
On Pixel 3, the modem.img is mounted read-only on /vendor/firmware_mnt, and /firmware is a symlink which links to /vendor/firmware_mnt
If you want to change the ver_info.txt, you can remount /vendor/firmware_mnt for read-write if you have root permission.
you also can change it in modem.img and flash it.
since the location was changed, I don't know when and who will copy config files from "Vendor/rfs/msm/mpss/read only/vendor/mbn/mcfg_sw",
so I'm not sure if this method still works. but you can try it. good luck.
---------- Post added at 06:56 PM ---------- Previous post was at 06:47 PM ----------
for Pixel 3, the old ver_info.txt is located at:
/data/vendor/radio/ver_info.txt
you may check its content first.
This is part of the content of init.radio.sh for Pixel 3:
Yeah, I'd have to do it at modem level. Can't seem to get it working with a file explorer though I see it , it doesn't say anything. That would require Linux, right ?
I've also tried using a custom built magisk(for pixel2) with a model that allows access to diagnostic mode and opens ports. Using qpst and built in pdc tool, you can flash individual mbn files to enable volte and vowifi. I have native volte support through Bouygues, but vowifi is only allowed on certain phones through my carrier. I get the port open, but pdc keeps giving me a qmi error saying the USB driver isn't correct . Pissing me off.
I also tried the old trick of just using a root explorer , replacing mbn at file level , inserting a different sim card, inserting back own sim card, and rebooting . This did activate volte and wifi sms on first gen pixel but doesn't work after that .
Not sure I can do anything to activate vowifi though I am provisioned for it via sim card/my carrier .
Xdevillived666 said:
Yeah, I'd have to do it at modem level. Can't seem to get it working with a file explorer though I see it , it doesn't say anything. That would require Linux, right ?
I've also tried using a custom built magisk(for pixel2) with a model that allows access to diagnostic mode and opens ports. Using qpst and built in pdc tool, you can flash individual mbn files to enable volte and vowifi. I have native volte support through Bouygues, but vowifi is only allowed on certain phones through my carrier. I get the port open, but pdc keeps giving me a qmi error saying the USB driver isn't correct . Pissing me off.
I also tried the old trick of just using a root explorer , replacing mbn at file level , inserting a different sim card, inserting back own sim card, and rebooting . This did activate volte and wifi sms on first gen pixel but doesn't work after that .
Not sure I can do anything to activate vowifi though I am provisioned for it via sim card/my carrier .
I'm sorry I have no experience with what you are doing.
If you want to change the modem.img, you'd better do it in Linux.
Your phone is a Linux too; if you have root access, you can push the modem.img to a temp directory on your device, and change it.
the mount command is a bit different:
Code:
losetup /dev/block/loop0 modem.img
mkdir modem
mount /dev/block/loop0 modem
From the init.radio.sh, the modem.img/image/modem_pr/mbn_ota.txt seems to be important, there is no such file for Pixel1.
Have you tried changing the mbn_sw.txt in vendor/rfs/msm/mpss/readonly/vendor/mbn/mcfg_sw, and adding your configs to the list?
sbjbs said:
I'm sorry I have no experience with what you are doing.
If you want to change the modem.img, you'd better do it in Linux.
Your phone is a Linux too; if you have root access, you can push the modem.img to a temp directory on your device, and change it.
the mount command is a bit different:
From the init.radio.sh, the modem.img/image/modem_pr/mbn_ota.txt seems to be important, there is no such file for Pixel1.
Have you tried changing the mbn_sw.txt in vendor/rfs/msm/mpss/readonly/vendor/mbn/mcfg_sw, and adding your configs to the list?
Thanks for the reply. I figured I needed Linux for this.
As for the second part, I have some Sony mbn files from xz3. My carrier supports voWifi on this phone, so I nabbed the firmware specific to my phone, extracted the mbns , placed them into the area where mine are, added the necessary text to mcfg_sw.txt but it doesn't activate voWifi as far as I can tell. I've attached said Sony files if ya wanna check them out
https://drive.google.com/file/d/1Rbh5n3zmNfVd1t75OZjbqQ8thcua-XL1/view?usp=drivesdk
I'll take a look at the mbn_ota.txt . What, if anything , could be done with it?
Edit: I losetup and I can't find that file ???
Side note: for some reason, I can't erase modem st1/2 in Pixel 3. It gives me a "remote error" in fastboot.
Xdevillived666 said:
Thanks for the reply. I figured I needed Linux for this.
As for the second part, I have some Sony mbn files from xz3. My carrier supports voWifi on this phone, so I nabbed the firmware specific to my phone, extracted the mbns , placed them into the area where mine are, added the necessary text to mcfg_sw.txt but it doesn't activate voWifi as far as I can tell. I've attached said Sony files if ya wanna check them out
https://drive.google.com/file/d/1Rbh5n3zmNfVd1t75OZjbqQ8thcua-XL1/view?usp=drivesdk
I'll take a look at the mbn_ota.txt . What, if anything , could be done with it?
Side note: for some reason, I can't erase modem st1/2 in Pixel 3. It gives me a "remote error" in fastboot.
For adding ChinaTelecom lte and volte on Pixel 3, people just change the mbn_sw.txt and it works.
I'm not sure what the mbn_ota.txt is used for, I'm guessing it has a similar effect as mbn_sw.txt, but it is useless for your current situation.
Thanks for your trust, but I don't think I can help.
sbjbs said:
For adding ChinaTelecom lte and volte on Pixel 3, people just change the mbn_sw.txt and it works.
I'm not sure what the mbn_ota.txt is used for, I'm guessing it has a similar effect as mbn_sw.txt, but it is useless for your current situation.
Thanks for your trust, but I don't think I can help.
Thank you for responding as often as you did and trying to help
A few last questions:
Carrierconfig.apk res xml can't be modified, can it?
I saw that it contains bools for vowifi being enabled or not
How do they change the txt, exactly? They just put the location of said mbn that they placed in the txt file?
My carrier config is already in the default mcfg_sw.txt and only allows volte. Maybe I could add the text from the mcfg_sw.txt and mbn files from the xz3 that supports vowifi and volte and delete all others under there? Or does that mbn_ota.txt override that?
I really just wanna force vowifi, lol. voLTE is okay but I miss sms over wifi like I got with my first gen pixel.
In any case, thanks again for the help! I sincerely appreciate it
Would this thread help me out any? Modifying carrier policy is something I've been looking into, but doing so at app level is damned near impossible
http://bbs.gfan.com/android-9204634-1-1.html
Xdevillived666 said:
Thank you for responding as often as you did and trying to help
A few last questions:
Carrierconfig.apk res xml can't be modified, can it?
I saw that it contains bools for vowifi being enabled or not
How do they change the txt, exactly? They just put the location of said mbn that they placed in the txt file?
My carrier config is already in the default mcfg_sw.txt and only allows volte. Maybe I could add the text from the mcfg_sw.txt and mbn files from the xz3 that supports vowifi and volte and delete all others under there? Or does that mbn_ota.txt override that?
I really just wanna force vowifi, lol. voLTE is okay but I miss sms over wifi like I got with my first gen pixel.
In any case, thanks again for the help! I sincerely appreciate it
Would this thread help me out any? Modifying carrier policy is something I've been looking into, but doing so at app level is damned near impossible
http://bbs.gfan.com/android-9204634-1-1.html
Yes, you can decompile an apk, change the xml and recompile it with tools like apktool.
For ChinaTelecom lte on Pixel 3, you can refer to this post: http://bbs.gfan.com/android-9535442-1-1.html
they append a line to mbn_sw.txt:
Code:
mcfg_sw/generic/China/CT/Commercial/OpenMkt/mcfg_sw.mbn
If you want to enable volte, append another line:
Code:
mcfg_sw/generic/China/CT/Commercial/VoLTE_OpenMkt/mcfg_sw.mbn
and add some properties in build.prop:
Code:
ro.mtk_ims_support=1
ro.mtk_volte_support=1
persist.mtk.volte.enable=1
persist.dbg.volte_avail_ovr=1
persist.dbg.ims_volte_enable=1
persist.dbg.volte_avail_ovr=1
persist.dbg.vt_avail_ovr=1
persist.dbg.wfc_avail_ovr=1
persist.radio.rat_on=combine
persist.radio.data_ltd_sys_ind=1
persist.radio.data_con_rprt=1
persist.radio.calls.on.ims=1
Before the OP's method of changing modem.img, people used to change carrier_policy.xml if they wanted to use ChinaTelecom on Pixel 1.
you can refer to this: http://www.usbmi.com/2281.html
But I only got the Pixel recently, I have never tried that.
IMPORTANT: please don't forget to backup your EFS and related partitions before doing that.
sbjbs said:
Yes, you can decompile an apk, change the xml and recompile it with tools like apktool.
For ChinaTelecom lte on Pixel 3, you can refer to this post: http://bbs.gfan.com/android-9535442-1-1.html
they append a line to mbn_sw.txt:
Code:
mcfg_sw/generic/China/CT/Commercial/OpenMkt/mcfg_sw.mbn
If you want to enable volte, append another line:
Code:
mcfg_sw/generic/China/CT/Commercial/VoLTE_OpenMkt/mcfg_sw.mbn
and add some properties in build.prop:
Code:
ro.mtk_ims_support=1
ro.mtk_volte_support=1
persist.mtk.volte.enable=1
persist.dbg.volte_avail_ovr=1
persist.dbg.ims_volte_enable=1
persist.dbg.volte_avail_ovr=1
persist.dbg.vt_avail_ovr=1
persist.dbg.wfc_avail_ovr=1
persist.radio.rat_on=combine
persist.radio.data_ltd_sys_ind=1
persist.radio.data_con_rprt=1
persist.radio.calls.on.ims=1
Before the OP's method of changing modem.img, people used to change carrier_policy.xml if they wanted to use ChinaTelecom on Pixel 1.
you can refer to this: http://www.usbmi.com/2281.html
But I only got the Pixel recently, I have never tried that.
IMPORTANT: please don't forget to backup your EFS and related partitions before doing that.
Thanks. I had a look at the threads and it is a great resource, so thanks.
You can also try this in the future:
https://forum.xda-developers.com/pixel-2-xl/how-to/guide-qxdm-port-activation-pixel-2-xl-t3884967
I get all ports on p3 open but can't get pdc tool to connect.
When I had my pixel 1, I used this to get wifi messaging and volte working perfectly:
"You need to do the following Steps:
-Check with your Carrier if your subscription is persistently provisioned for VoLTE and not based on the used device
-Root your device with magisk and install the VoLTE enabler module (this is for android sw level VoLTE activation) https://forum.xda-developers.com/apps/magisk/module-v4-volte-enabler-t3649613/page1
-Download ES File Explorer with root rights and head to /data/misc/radio/modem_config/mcfg_sw/generic/common/wildcard/wildcard and backup mcfg_sw.mbn to any location for example google drive
-Copy mcfg_sw.mbn from /data/misc/radio/modem_config/mcfg_sw/generic/common/eu/dt/commerci/volte to /data/misc/radio/modem_config/mcfg_sw/generic/common/wildcard/wildcard and overwrite the existing mcfg_sw.mbn and set file permission to r-- --- --- (this is really important, if the file rights are not correct, it can cause boot loops).
-Enter a SIM card into the device which has a carrier specific mcfg_sw.mbn file, I did it with a TMUS SIM card. If you don't have one, order one through the internet for example at https://www.reisesim.de/de/prepaid-sim-karte-usa/t-mobile-usa-sim-karten/
-Insert your personal SIM back into the device and do a reboot
This is not a 100% guarantee that it will work, for my carrier it worked. If it is not working, you can also try with the TMUS, Telstra or EE mcfg_sw.mbn.
It's very likely that WiFi Calling will not work, because there's an additional config file which includes the epdg address which can only be modified through EFS explorer from Qualcomm. If WiFi Calling is not working, disable the function!!
"
Thanks again for your help. Hopefully more carriers support pixel natively in the future, otherwise I don't see myself getting another one with such a lack of support and features :-/
sbjbs said:
Thanks for your post, this is the best way I can find to enable China Telecom LTE on Pixel.
Based on your post, I did some further checks, and found a way to do this without erasing data partition, and even no need to root.
Successfully tested on my Pixel running Android P.
Same as your method, we will change modem.img and copy mcfg_sw.mbn from 1+3T's image.
From the AOSP source code, we can see that init.radio.sh will copy configs from modem.img if the version in ver_info.txt is changed.
So we can just simply change the version to another value, and it will copy the new configs.
The following are the detailed steps, we need a Linux environment to mount modem.img:
1. extract modem.img from Pixel factory image.
2. extract NO-HLOS.bin from 1+ 3T factory image (download from oneplus).
3. In order to add new files into modem.img, first need to expand its size:
Code:
dd if=/dev/zero of=modem.img bs=4096 count=100 conv=notrunc oflag=append
This command appends about 400KB to the end of the modem.img.
The total size of CT configs in 1+ 3T is about 230KB, but you can change to a larger count if you need to add more files.
4. mount modem.img:
Code:
mkdir modem
sudo mount -o loop modem.img modem
5. mount NO-HLOS.bin:
Code:
mkdir oneplus
sudo mount -o loop NO-HLOS.bin oneplus
6. create a "china" folder, since we only copy the CT configs, and skip CMCC and CU configs.
Code:
sudo mkdir modem/modem_pr/mcfg/configs/mcfg_sw/generic/china/
7. copy CT configs from oneplus:
Code:
sudo cp -r oneplus/image/modem_pr/mcfg/configs/mcfg_sw/generic/china/ct modem/modem_pr/mcfg/configs/mcfg_sw/generic/china/
8. change the ver_info.txt:
Code:
sudo vim modem/modem_pr/verinfo/ver_info.txt
It is enough to only change the last digit.
9. umount the images:
Code:
sync
sudo umount modem
sudo umount oneplus
10. flash the modem.img:
Code:
fastboot flash modem_a modem.img
fastboot flash modem_b modem.img
fastboot reboot
After reboot, Pixel will be able to use China Telecom LTE.
Hello, can you tell me under which directory I should execute "mkdir modem", "mkdir oneplus" "sudo mkdir modem/modem_pr/mcfg/configs/mcfg_sw/generic/china/"?
I'm doing it under / directory and getting "read-only file system" error.
bonedriven said:
Hello, can you tell me under which directory I should execute "mkdir modem", "mkdir oneplus" "sudo mkdir modem/modem_pr/mcfg/configs/mcfg_sw/generic/china/"?
I'm doing it under / directory and getting "read-only file system" error.
I'm sorry to reply so late. On your host machine, you can cd to a 'writable' directory (your HOME directory, for example) to mkdir the mountpoint.
I just verified that this still works on Pixel1 Android 10.
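A pre-flash check for the modem.img procedure quoted above, as an added example that is not part of any post in this thread: before unmounting (step 9) it confirms that the CT configs in the mounted modem image match the OnePlus source and that ver_info.txt really differs from the original, which the quoted post gives as the condition for init.radio.sh to re-copy the configs. The function names and the saved copy of the original ver_info.txt are assumptions; the paths are the ones used in the steps.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: the untouched ver_info.txt
# was saved to a separate file before step 8. Function names are hypothetical.
# Usage: preflight modem oneplus ver_info.orig

CT_REL=modem_pr/mcfg/configs/mcfg_sw/generic/china/ct
VER_REL=modem_pr/verinfo/ver_info.txt

# Return 0 only if the two directory trees are byte-for-byte identical.
configs_match() {
    src=$1; dst=$2
    [ -d "$src" ] && [ -d "$dst" ] || return 1
    diff -r "$src" "$dst" >/dev/null 2>&1
}

# Return 0 only if both files are non-empty and their contents differ.
version_changed() {
    orig=$1; edited=$2
    [ -s "$orig" ] && [ -s "$edited" ] || return 1
    ! cmp -s "$orig" "$edited"
}

# preflight MODEM_MNT ONEPLUS_MNT ORIG_VER_INFO
# Returns 1 if the CT configs are missing or differ, 2 if the version file
# is unchanged, 0 if both checks pass.
preflight() {
    modem=$1; oneplus=$2; orig_ver=$3
    if ! configs_match "$oneplus/image/$CT_REL" "$modem/$CT_REL"; then
        echo "CT configs missing or different under $modem" >&2
        return 1
    fi
    if ! version_changed "$orig_ver" "$modem/$VER_REL"; then
        echo "ver_info.txt unchanged; configs would not be re-copied" >&2
        return 2
    fi
    echo "OK: configs copied and version changed"
}
```

A non-zero result while the images are still mounted means the copy or the version edit can be redone before anything is flashed.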
