[Q] Replace or modify bootloader - Nexus 10 Q&A, Help & Troubleshooting

Hi,
I would like some information about the Google Nexus 10 bootloader (and more generally all Google device bootloaders). Is it possible to reverse-engineer it and modify some opcodes, or is it signed by the hardware like on Samsung devices (I9100 bootloader & co.)? Or is there a way to put my own bootloader, based on Das U-Boot, on the device?
The goal is to turn on a CPU mode (ARM HYP) to run the kernel in a special mode for virtualization purposes.
Is it sbl.bin that sets up the CPU mode for the kernel?
Is a bootloader wrapper or 'trampoline-like' stage (called by the real bootloader, which then calls the kernel with some additional CPU options) a viable solution? [1][2]
Does the CPU load the kernel in non-secure SVC mode or secure SVC mode?
[1] http://wiki.xen.org/wiki/Xen_ARM_with_Virtualization_Extensions/FastModels
[2] http://github.com/virtualopensystems/boot-wrapper
[3] www.xenproject.org/presentations-and-videos/video/xpds13v-dual-android.html
[4] http://events.linuxfoundation.org/sites/events/files/slides/SRUK_Xen_Presentation_2013_v7.pdf
Did the Samsung guys from [3] have the right to change (and sign) the bootloader to enable HYP mode, or did they find another way to do this?
Thanks!

Related

how to change the MIPS bootloader start address

Hi,
I have a target board with a MIPS VR4131 processor. The target board already has one bootloader in flash. Now I need to put my own bootloader, which I modified according to the requirements, into the flash. As I know, MIPS has a fixed starting address of 0xbfc00000; how can I change this address to another address so that after power-on it enters the new address (the modified bootloader)?
Actually my bootloader didn't have support for my target board initially, hence I modified the source code (initialization for the CPU, SDRAM, etc.) according to the target board. Now I want to put my code into the Fujitsu flash memory for testing purposes, without overwriting the previous bootloader. After powering on the board, instead of the previous one, I need to run my modified bootloader.
I don't have the previous bootloader's source code or many details about it. Switch/jumper settings for remapping are not present in my target board manual.
But the previous bootloader is giving a command prompt successfully.
Q1. If I find an address and store the second bootloader there, then after reset, how can I execute the second bootloader without executing the first bootloader?

QCN File From Developer Model or T-Mobile for AWS

Hi, I've been trying to figure out if AWS can be easily supported in models that don't have the 1700 WCDMA spectrum enabled. Not sure if it's hardware or software.
So far I've found 1700 references look to be missing from the variant I have in the QCN.
Actual supported: GSM 1900/850
WCDMA 1900/800/1800/900/2100
EDGE 850/900/1800/1900
I've managed to pull the QCN files from 2 Moto X for comparison; however, I don't have a developer model or T-Mobile version to compare.
Could someone be kind enough to send me a copy of theirs? Please PM me since it could contain your IMEI; I see a single reference so far that isn't a null value.
Root or an unlocked bootloader is not required.
You'll need to install the Moto X drivers located here:
https://motorola-global-portal.custhelp.com/app/answers/prod_answer_detail/a_id/94931/p/30,6720,8696/reg/348778
QPST Tools 2.7 Build 378 or newer
Please google where to find it; I'm unsure if I'm allowed to post it.
Then you need to boot your phone with BPTools enabled.
1. Power off the device.
2. Hold Down and Power.
3. Follow the instructions to select BPTools (Up is actually to select, not Power).
4. The phone will boot normally; however, new devices will be listed in Device Manager.
5. Go into Device Manager and you'll see 3 Moto references and 1 rmnet with no drivers in Other devices. You'll need to force a driver; the Motorola drivers don't reference the vendor hardware ID correctly.
6. Select "Motorola QC Diag Interface" --> Update Driver --> Let me pick from a list of device drivers on my computer --> Show All Devices --> Motorola --> Motorola QC Diag Port (force install). It should now have a port assigned.
7. Start QPST Configuration --> select the Ports tab --> select COM# - USB/QC Diagnostic (you should see SURF8960) --> now on the toolbar select Start Clients --> Software Download --> select the Backup tab --> browse to where to save the QCN file, then hit Start.
EDIT: Bands are defined in the NVM, which is inaccessible in EFS Explorer, as is mot_hob when using QPST? I wonder what mot_hob is. Looks like you need QXDM; however, I don't have an XP box at the moment.
So you are trying to enable the software-disabled bands?
eeshlikhith said:
So you are trying to enable the software-disabled bands?
Yeah, pretty much. So far I had one sample for T-Mobile from @theOrangeMix and compared the two QCN files, and didn't see a 1700 band listed in the QCN. It may be in a part that is OEM-specific, which the tool cannot read. The MSM8960 has a software-based modem, much like the I747 and T999L, so assuming Motorola went the same route, we can possibly just repurpose the modem for AWS-friendly frequencies, which should be in the T-Mobile or Developer variant.
So far the nvdata partition is write-protected, at least with QPST; not sure if it has something to do with the locked bootloader (I haven't unlocked mine yet) or whether they have some other tool they use to alter the nvdata.

[Q] How to enable diag mode (qualcomm) on U Ultra?

Does someone know how to enable the diag mode / port on the U Ultra?
I've tried:
##3424# in Dialer
setprop sys.usb.config diag,adb
setprop persist.usb.eng 1
An unknown device just won't appear in Windows Device Manager.
Has anybody found a way to enable diag mode? It can be used for adding more LTE carrier aggregation combinations (for example, the very common combination of Band 3, 7 and 20 in Europe is just missing, although the hardware is capable), or for enabling 256QAM modulation in the LTE downlink for a 33% speed boost if the network supports it.
Maybe we need S-OFF to enable it?

Boot Shim (ELF Loader) / Little Kernel for select Lumia models

These projects are intended for developers only. If you are familiar with Android phones, you probably know what Little Kernel does. This port of Little Kernel is capable of booting Android Linux kernel images (though I haven't tested it yet; I need to set up the build environment) and ARM64 ELF images on the Lumia 950 XL via SCM call. I used it to bootstrap my ARM64 variant of UEFI on the Lumia 950 XL (not released yet).
Boot Shim is a Windows Boot Manager application that takes control from Windows Boot Manager, loads an ELF image, kicks UEFI out and bootstraps it. To use it, you have to unlock your Lumia phone via WPInternals. Then place BootShim.efi somewhere, and add a new BCD entry (set NOINTEGRITYCHECKS and TESTSIGNING).
Source and binary for Boot Shim: https://github.com/imbushuo/boot-shim (branch msm8994)
Source for LK: https://github.com/imbushuo/lk
Refer to the LK note for the Dragonboard 410c for information regarding toolchains, the LK build and misc info. Currently, the Lumia 930 and 950 XL are validated (msm8974-test and msm8994-test-2 branches).
All functionality in LK is available, including USB and the display panel (though I used the framebuffer pointer passed from UEFI, which means LK doesn't deal with DSI panel configuration. Hence you have a BGRA8888 FB, not typical to see in Android devices' bootloaders). Fastboot is available. However, the nature of the EFI framebuffer forces you to load the kernel somewhere higher than the EFI FB address. If you are going to boot a Linux kernel, you'd better take care of this.
Go ahead and see what you can do with Lumia!
Hello,
I appreciate your work. Can you give a brief outline of what changes might be necessary to support the Lumia 950? Unfortunately I have only been able to get hold of a 950. I looked through your repositories and unfortunately nothing stood out.
If I understand properly, the boot process is as follows:
Windows Boot Manager
UEFI
LK
System
Do you know how step 1 is implemented? Can the Windows Boot Manager be replaced? I am aware of the boot process of at least the 410c (I have a DragonBoard) but do not understand how the stages correspond to the WP10 boot process.
Cheers,
R0b0t1
This tool is for gods.
I appreciate this project.
I had no time and got bored; I bootstrapped the Linux kernel from grub2 successfully on the L640XL, but I abandoned it.

Fire HD10 (2019) bricked itself

Hi,
A few days ago, my Fire HD10 (2019) refused to power on, or rather it would show some life (Amazon screen IIRC), but go no further. Now it doesn't even do that.
On a PC I can see what it's doing across USB: "Bus 002 Device 083: ID 0e8d:0003 MediaTek Inc. MT6227 phone" on USB for about 45 seconds, then it disconnects for maybe 20 s, and then repeats. Now I take the 0e8d:0003 device to be the Amazon bootloader, so it looks to me like the bootloader works, but crashes hard and restarts as soon as it tries to start Android. So it looks like the box is bricked.
I've tried the various buttons to go into fastboot, with no success. Neither "adb devices" nor "fastboot devices" can see the device. On first booting, the machine brings up a serial interface (USB ACM device); alas, I've not been able to connect to this.
So what are my options for getting into the machine? If I can't access the bootloader via the serial interface, are there UART pins on the board? If so, where? If I can access the bootloader, can I switch to fastboot mode so I can reflash the Android OS? Where is the best place to look for info like this?
davidsummers said:
A few days ago, my Fire HD10 (2019) refused to power on, or rather it would show some life (Amazon screen IIRC), but go no further. [...]
It is actually the MediaTek bootrom (your device can have mtk-su temp root access if you downgrade). You must have one of the early-release ones that have access to it. My guess is there is something wrong with the preloader... While I can't pin it down, the information to reload is all in this thread:
New Fire HD10 2019 Bootless Root Method + Bootloader Unlock Brainstorming (forum.xda-developers.com)
Yes, it was an early device. Alas, it connected to the web and updated itself from 7.3.1.0 before I disabled most of the Amazon processes, so the original mtk-su for 7.3.1.0 never worked on my machine. Alas, I can't use this any more, as I can't get into Android any more.
I'm up to page 30 of the thread you posted; alas, nothing read so far has managed to get into the machine.
And first progress: bypass_utility version 1.4.2 can connect (when run as root) and gives:
[2023-01-22 14:32:12.028038] Waiting for device
[2023-01-22 14:32:39.691833] Found port = /dev/ttyACM0
[2023-01-22 14:32:40.083041] Device hw code: 0x788
[2023-01-22 14:32:40.083391] Device hw sub code: 0x8a00
[2023-01-22 14:32:40.083586] Device hw version: 0xca00
[2023-01-22 14:32:40.083770] Device sw version: 0x0
[2023-01-22 14:32:40.083959] Device secure boot: True
[2023-01-22 14:32:40.084143] Device serial link authorization: False
[2023-01-22 14:32:40.087904] Device download agent authorization: True
[2023-01-22 14:32:40.088223] Disabling watchdog timer
[2023-01-22 14:32:40.092031] Disabling protection
[Errno 5] Input/Output Error
[2023-01-22 14:32:41.464834] Payload did not reply
davidsummers said:
And first progress: bypass_utility version 1.4.2 can connect (when run as root) and gives: [...]
It has been a long time. Maybe try disconnecting the battery; not sure if it is staying in bootrom mode... I remember mine had to have the battery removed or it would try to go to the preloader (I think). I used the process to downgrade back to 7.3.1.0, but it was like a year ago.
Michajin said:
It has been a long time. Maybe try disconnecting the battery; not sure if it is staying in bootrom mode... [...]
Yes, mine stayed in 0e8d:0003 mode when the device bricked itself; it made no difference with the battery on or off, it always went through the same one-minute cycle, where the device would disconnect, then reboot.
Interestingly, after running the bypass utility it has stayed up in the 0e8d:0003 mode and hasn't rebooted.
davidsummers said:
Yes, mine stayed in 0e8d:0003 mode when the device bricked itself [...] Interestingly, after running the bypass utility it has stayed up in the 0e8d:0003 mode and hasn't rebooted.
It disabled the watchdog timer. From what I can see, everything points to a potentially wrong setup:
bypass_utility/README.md at master · MTK-bypass/bypass_utility (github.com)
This issue shows the same error if you read through it:
Payload did not reply · Issue #13 · MTK-bypass/exploits_collection (github.com)
OK, using SP_Flash_Tool v5.2008 to attempt to flash maverick-downgrade-7.0_PR7310_940N, I get the error:
Connect BROM failed: STATUS_SEC_AUTH_FILE_NEEDED(-1073545198)
Disconnect!
BROM Exception! ( ERROR : STATUS_SEC_AUTH_FILE_NEEDED (-1073545198) , MSP ERROE CODE : 0x00.
[HINT]:
Please select a valid authentication file or ask for help.)((ConnectBROM,../../../flashtool/Conn/Connection.cpp,105))
So where do I get the authentication file from?
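To tie the bypass_utility flags quoted earlier in this thread to the SP Flash Tool error in this post, here is a small Python script that classifies the USB mode from an lsusb line and parses bypass_utility output into the BROM security flags and the run outcome. It is an added example written for this page, not code from the thread or from the MTK-bypass project. The lsusb line and the two log excerpts are constructed to match what the thread quotes, and the rule that SP Flash Tool will demand an auth file until the payload reports "Protection disabled" is an assumption drawn from the sequence of posts, not a documented tool behaviour.

```python
"""Classify a MediaTek device's USB mode and interpret bypass_utility output.

Added example for this thread; not code from the XDA posts or from the
MTK-bypass project. USB IDs and log line shapes follow what the thread quotes.
"""
import re

# Constructed sample modelled on the lsusb line quoted in the thread.
SAMPLE_LSUSB = "Bus 002 Device 083: ID 0e8d:0003 MediaTek Inc. MT6227 phone"

# Constructed: the failed run quoted in the thread (flags, then the error).
SAMPLE_LOG_FAILED = """\
[2023-01-22 14:32:40.083959] Device secure boot: True
[2023-01-22 14:32:40.084143] Device serial link authorization: False
[2023-01-22 14:32:40.087904] Device download agent authorization: True
[2023-01-22 14:32:40.088223] Disabling watchdog timer
[2023-01-22 14:32:40.092031] Disabling protection
[Errno 5] Input/Output Error
[2023-01-22 14:32:41.464834] Payload did not reply
"""

# Constructed: the same device on a run that reaches the success message
# the thread later cites ("Protection disabled").
SAMPLE_LOG_OK = """\
[2023-01-22 15:01:10.000000] Device secure boot: True
[2023-01-22 15:01:10.000100] Device serial link authorization: False
[2023-01-22 15:01:10.000200] Device download agent authorization: True
[2023-01-22 15:01:10.000300] Disabling watchdog timer
[2023-01-22 15:01:10.000400] Disabling protection
[2023-01-22 15:01:10.500000] Protection disabled
"""

# 0e8d:0003 is the mask-ROM (BROM) download mode that lsusb labels
# "MT6227 phone"; 0e8d:2000 is the preloader's download mode.
USB_MODES = {(0x0E8D, 0x0003): "brom", (0x0E8D, 0x2000): "preloader"}

_LSUSB_RE = re.compile(r"\bID ([0-9a-f]{4}):([0-9a-f]{4})", re.I)
_FLAG_RE = re.compile(
    r"\] Device (secure boot|serial link authorization|"
    r"download agent authorization): (True|False)$"
)
_FLAG_KEYS = {
    "secure boot": "secure_boot",
    "serial link authorization": "sla",
    "download agent authorization": "daa",
}


def usb_mode(lsusb_line: str) -> str:
    """Return 'brom', 'preloader' or 'unknown' for one lsusb output line."""
    m = _LSUSB_RE.search(lsusb_line)
    if not m:
        return "unknown"
    return USB_MODES.get((int(m.group(1), 16), int(m.group(2), 16)), "unknown")


def parse_bypass_log(text: str) -> dict:
    """Extract the BROM security flags and the run outcome from bypass_utility output."""
    state = {
        "secure_boot": None, "sla": None, "daa": None,
        "watchdog_disabled": False, "protection_disabled": False, "errors": [],
    }
    for line in text.splitlines():
        m = _FLAG_RE.search(line)
        if m:
            state[_FLAG_KEYS[m.group(1)]] = m.group(2) == "True"
        elif line.endswith("Disabling watchdog timer"):
            state["watchdog_disabled"] = True
        elif line.endswith("Protection disabled"):
            state["protection_disabled"] = True
        elif line.startswith("[Errno") or line.endswith("Payload did not reply"):
            state["errors"].append(line)
    return state


def flash_tool_needs_auth_file(state: dict) -> bool:
    """Assumption (matches the order of posts in the thread): with secure boot
    and DAA on, SP Flash Tool stops with STATUS_SEC_AUTH_FILE_NEEDED unless the
    bypass payload has already reported 'Protection disabled'."""
    return bool(state["secure_boot"] and state["daa"]) and not state["protection_disabled"]


def diagnose(lsusb_line: str, log_text: str) -> list:
    """Human-readable findings for one lsusb line plus one bypass_utility run."""
    findings = []
    mode = usb_mode(lsusb_line)
    findings.append(f"usb mode: {mode}")
    if mode != "brom":
        findings.append("bypass_utility expects the BROM port; reconnect until 0e8d:0003 appears")
        return findings
    st = parse_bypass_log(log_text)
    findings.append(f"secure boot={st['secure_boot']} sla={st['sla']} daa={st['daa']}")
    if not st["watchdog_disabled"]:
        findings.append("BROM watchdog still armed: expect the reconnect cycle described in the thread")
    if st["protection_disabled"]:
        findings.append("protection disabled: flash with SP Flash Tool without an auth file")
    else:
        findings.extend("bypass failed: " + e for e in st["errors"])
        if flash_tool_needs_auth_file(st):
            findings.append("expect STATUS_SEC_AUTH_FILE_NEEDED from SP Flash Tool until the bypass succeeds")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LSUSB, SAMPLE_LOG_FAILED):
        print(finding)
```

Run it with python3 and it prints the findings for the failed run. The USB ID table also covers 0e8d:2000, the preloader's download mode, which is where the device ends up when it is not held in BROM and where bypass_utility has nothing to talk to; the watchdog finding corresponds to the roughly one-minute connect/disconnect cycle the original poster saw before the payload disabled the timer.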
Michajin said:
It disabled the watchdog timer. From what I can see, everything points to a potentially wrong setup [...]
Ah yes, that explains why it was rebooting. So I guess I have to dig into [Errno 5] Input/Output Error.
Seems like the only way I have into the tablet any more is the MediaTek bootrom, but as the tablet is sick, if that doesn't work then it's probably permanently dead. E.g. even getting access to a UART wouldn't help.
You only have to do it file by file.
5. bypass_utility runs successfully with the message "Protection disabled"
6. Run SP Flash Tool and flash boot, recovery, vendor, system. Wait for it to finish
7. Hold the power button 15 s to power off (check Ports in Windows Device Manager)
8. Hold Volume Up and Power to boot to recovery with the triangle icon
9. Hold Power and tap Volume Up, then choose factory reset
10. Reboot
Thanks Michajin. I'm obviously having problems with the bypass_utility: whilst it connects to the MediaTek bootrom, it is not able to disable protection, and test mode bombs out. I've taken this up on the bypass_utility thread:
xda bypass utility
