This can be valuable for ROM makers only
Bored with the welcome screen? Let's play with HKLM\Software\Microsoft\Welcome
Create the key HKLM\Software\Microsoft\Welcome,
create a DWORD value Disable, set some values,
execute \windows\welcome.exe
and look at which screens don't appear:
FFFF FF7F - disable everything except 'email setup' screen [WM5 only AKU 3.x]
FFFF FFBF - disable everything except 'password' screen [WM5 only]
FFFF FFDF - disable everything except 'complete' screen and the finishing tap
FFFF FFEF - disable everything except 'location' screen
FFFF FFF7 - disable everything except 'pop-up menus' screen
FFFF FFFB - disable everything except 'stylus' screen
FFFF FFFD - disable everything except 'align' screen
FFFF FFFE - disable everything except tap on the first screen [ignored if any other bit is cleared, the only difference is between FFFF FFFE and FFFF FFFF]
FFFF FFFF - disable everything [displays first 'splash' screen and exits]
Other bits - probably reserved for the future [look at the order of the things above]
There is another value: SystemStart - I have no idea what it means
There is another key Software\Microsoft\Shell\Event\Welcome - I have no idea what it means
There are references to the files "\Storage Card\Welcome.Not" "welcome.Not" - I have no idea.
Nice work.
V
Great work!
Thank you.
oh!
that is great!
i used another way to delete this entry from inflashfiles.dat and inboj.dat
Directory("\Windows\StartUp"):-File("Welcome.lnk","\Windows\welcome.lnk")
but yours better
and the other topics,
if just replacing shellres.dll.xxx.mui on RAM
welcome will come every boot.
<mainly i used this for testing to make shellress.mui instantly>
i made one cab that can delete the welcome.lnk from the StartUp folder.
but after a hard reset, welcome will come again,
(this is another topic..sorry)
Ok, so i know this post is old and probably out of sight and mind. But I have an issue. This key does not exist in my registry and I only get the alignment and password setup screens. I want the whole thing enabled. Please help a brother out.
FYI, the welcome.not thing skips the entire wizard. We used to use this in the WM2003 days (back then you couldn't skip the stupid Dr's Appointment tutorial). It was handy if you store your touchscreen alignment in the extrom.
You just create a blank text file called welcome.not and put it on the root of your storage card (won't work in extrom, naturally). Then do a hard reset with the card inserted and it will skip the welcome wizard entirely. If you hard reset without the card inserted, the welcome wizard will proceed as normal.
However, the registry entries are far better than that method. Good find!!!
I just wanted to make a little update to this thread for anyone using this information to skip various screens during welcome.
Only the last 8 bits are actually used to select/de-select subroutines when running welcome (at least for WM 6.1).
7F - disable everything except 'email setup' screen [WM5 only AKU 3.x]
BF - disable everything except 'password' screen [WM5 only]
DF - disable everything except 'complete' screen and the finishing tap
EF - disable everything except 'location' screen
F7 - disable everything except 'pop-up menus' screen
FB - disable everything except 'stylus' screen
FD - disable everything except 'align' screen
FE - disable everything except tap on the first screen
FF - disable everything [displays first 'splash' screen and exits]
For my ROM, I wanted to run welcome with align, location & complete screen.
1111 1101 (FD) - align screen
1110 1111 (EF) - location screen
1101 1111 (DF) - complete screen
---------------
1100 1101 (CD) or 205
ends up being....
Code:
<wap-provisioningdoc>
<!--334.05_Welcome-->
<characteristic type="Registry">
<characteristic type="HKLM\Software\Microsoft\Welcome">
<parm name="Disable" datatype="integer" value="205" />
</characteristic>
</characteristic>
</wap-provisioningdoc>
also if you want to skip everything just put the file welcome.not in the root of the storage card. **.not is the file extension **
irus said:
also if you want to skip everything just put the file welcome.not in the root of the storage card. **.not is the file extension **
Yes indeed, but make sure you apply the alignment settings by another means (provxml, cab, etc). I just spent a few days trying to figure out why endkey.exe was not working in the most recent version of my ROM (I use it to switch between vibrate/ring on long end key press). Turns out that if you don't do the align and you don't apply the settings some other way, endkey.exe does not work when you do a long press of the end key (at least on my Touch Pro).
I'm reviving this old thread since I'm running into an issue.
I usually disable everything in my ROM, thus:
Disable=dword:ff (or ffffffff)
After customization though, I need to tap on the taskbar to launch the home screen. Otherwise, it just stays on the welcome splash.
Any ideas?
just bumping this up as i'd really appreciate an assist.
i've been trying to change the first boot in my 6.5.x build rom.
all i want is the 'align screen' working
the current entry is
[HKEY_LOCAL_MACHINE\Software\Microsoft\Welcome]
"Disable" = dword:00000080
i may be thick but i'm really having trouble getting my head round this. i've tried
"Disable" = dword:FD
"Disable" = dword:1111 1101
"Disable" = dword:FFFF FFFD
which are all from this thread but none of these are working.
does anyone know what the entry actually is for 6.5.x? and if so i'd be grateful if someone could help.
many thanks in advance
Chris
I use
Code:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Welcome]
; only doing screen calibrate
"Disable"=dword:fffffffc
RoryB said:
I use
Code:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Welcome]
; only doing screen calibrate
"Disable"=dword:fffffffc
cheers for that. will give it a try when i get home
RoryB said:
I use
Code:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Welcome]
"Disable"=dword:fffffffc
i must be doing something wrong.. no matter what i try it's not changing the boot setup
it's still going 'tap', 'calibrate', 'time/date', and 'password'....
all i want is Tap and calibrate!!!!
this is doing my head in. i'd appreciate any other ideas???
many thanks to anyone who may be able to help
Chris
I will try to explain how to get any number you need:
1. Put this table in an excel,
2. Find the 8 digits corresponding to EACH of the screens wanted (eg. tap screen is FD or 253 and align screen is FE or 254 )
3. Tap each digit in a column (one line per screen wanted)
4. calculate the minimum of each column and get the 8 digits (in the example, min of 11111101 and 11111110 is 11111100).
5. If you use provxml go the other way round and with the total calculated find the Dec Value (3rd column) corresponding to the 8 digits (in the example 11111100 would be FFFFFFFC for reg/rgu files or 252 for xml/provxml files)
This way you can get whatever combination of screens you want.
My current rom has only tap screen (no alignment, no password, etc) and works fine.
If you do not get the expected results, most probably it is not because you did it wrong but rather because there is some other code replacing yours. My recommendation is to calculate the hex, dec and binary values corresponding to the combination of screens that get loaded and then use the search function included in a visual kitchen to locate the file hindering your intended customization (or simply look for the reg keys). Most ROMs will have as many as 3 or 4 places where welcome values are defined (sys, oem, ext and yours!). If you are not so patient, create an ext package called zzz_whatever and in the files directory place an app.REG file so all values are overwritten. Make sure your reg or xml file is not mixed with other untested code, since it may also happen that the file is not executed correctly and is rolled back. When using provxml files, untested code should be placed behind, so you can call them mxipupdate_zzz01_tested and mxipupdate_zzz02_nontested to get the expected order. I think the order things get loaded is provxml, rgu, reg, xml and, inside each group, package folder name and then file name.
Hope it helps, regards
Code:
Binary Hex Dec
10000000 80 128
10000001 81 129
10000010 82 130
10000011 83 131
10000100 84 132
10000101 85 133
10000110 86 134
10000111 87 135
10001000 88 136
10001001 89 137
10001010 8A 138
10001011 8B 139
10001100 8C 140
10001101 8D 141
10001110 8E 142
10001111 8F 143
10010000 90 144
10010001 91 145
10010010 92 146
10010011 93 147
10010100 94 148
10010101 95 149
10010110 96 150
10010111 97 151
10011000 98 152
10011001 99 153
10011010 9A 154
10011011 9B 155
10011100 9C 156
10011101 9D 157
10011110 9E 158
10011111 9F 159
10100000 A0 160
10100001 A1 161
10100010 A2 162
10100011 A3 163
10100100 A4 164
10100101 A5 165
10100110 A6 166
10100111 A7 167
10101000 A8 168
10101001 A9 169
10101010 AA 170
10101011 AB 171
10101100 AC 172
10101101 AD 173
10101110 AE 174
10101111 AF 175
10110000 B0 176
10110001 B1 177
10110010 B2 178
10110011 B3 179
10110100 B4 180
10110101 B5 181
10110110 B6 182
10110111 B7 183
10111000 B8 184
10111001 B9 185
10111010 BA 186
10111011 BB 187
10111100 BC 188
10111101 BD 189
10111110 BE 190
10111111 BF 191
11000000 C0 192
11000001 C1 193
11000010 C2 194
11000011 C3 195
11000100 C4 196
11000101 C5 197
11000110 C6 198
11000111 C7 199
11001000 C8 200
11001001 C9 201
11001010 CA 202
11001011 CB 203
11001100 CC 204
11001101 CD 205
11001110 CE 206
11001111 CF 207
11010000 D0 208
11010001 D1 209
11010010 D2 210
11010011 D3 211
11010100 D4 212
11010101 D5 213
11010110 D6 214
11010111 D7 215
11011000 D8 216
11011001 D9 217
11011010 DA 218
11011011 DB 219
11011100 DC 220
11011101 DD 221
11011110 DE 222
11011111 DF 223
11100000 E0 224
11100001 E1 225
11100010 E2 226
11100011 E3 227
11100100 E4 228
11100101 E5 229
11100110 E6 230
11100111 E7 231
11101000 E8 232
11101001 E9 233
11101010 EA 234
11101011 EB 235
11101100 EC 236
11101101 ED 237
11101110 EE 238
11101111 EF 239
11110000 F0 240
11110001 F1 241
11110010 F2 242
11110011 F3 243
11110100 F4 244
11110101 F5 245
11110110 F6 246
11110111 F7 247
11111000 F8 248
11111001 F9 249
11111010 FA 250
11111011 FB 251
11111100 FC 252
11111101 FD 253
11111110 FE 254
11111111 FF 255
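The column-minimum procedure above is a bitwise AND of the single-screen masks. The following is an added example, not code from any poster in this thread: it builds a Disable value from the screens to keep, decodes a value read back from the registry, and scans .reg/.rgu text for competing entries. The bit names follow the value list in the first post; the file names and file contents in `SAMPLE_FILES` are constructed.

```python
import re

# Bit positions as listed in the first post of this thread (welcome.exe).
# A set bit disables the screen; a cleared bit lets it run.
SCREEN_BITS = {
    "tap": 0x01,           # tap on the first screen
    "align": 0x02,
    "stylus": 0x04,
    "pop-up menus": 0x08,
    "location": 0x10,
    "complete": 0x20,
    "password": 0x40,      # WM5 only, per the first post
    "email setup": 0x80,   # WM5 AKU 3.x only, per the first post
}
WELCOME_KEY = r"hkey_local_machine\software\microsoft\welcome"
SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
DISABLE_RE = re.compile(r'^"Disable"\s*=\s*dword:([0-9a-fA-F]{1,8})\s*$')


def disable_value(keep):
    """AND together the single-screen masks; returns the low byte of Disable."""
    value = 0xFF
    for name in keep:
        if name not in SCREEN_BITS:
            raise ValueError("unknown screen: %r" % name)
        value &= 0xFF ^ SCREEN_BITS[name]
    return value


def enabled_screens(value):
    """List the screens a Disable value leaves enabled."""
    low = value & 0xFF  # only the last 8 bits are used (WM 6.1, per the thread)
    return [name for name, bit in SCREEN_BITS.items() if not low & bit]


def render(value):
    """Format the value for .reg/.rgu files (hex) and for provxml (decimal)."""
    return {
        "reg": '"Disable"=dword:%08x' % (0xFFFFFF00 | value),
        "provxml": '<parm name="Disable" datatype="integer" value="%d" />' % value,
    }


def find_overrides(files):
    """Return (file, value, enabled screens) for each Disable under the Welcome key."""
    hits = []
    for name, text in files.items():
        section = ""
        for line in text.splitlines():
            line = line.strip()
            m = SECTION_RE.match(line)
            if m:
                section = m.group(1).lower()
                continue
            m = DISABLE_RE.match(line)
            if m and section == WELCOME_KEY:
                value = int(m.group(1), 16)
                hits.append((name, value, enabled_screens(value)))
    return hits


# Constructed sample: file names and contents are made up for illustration.
SAMPLE_FILES = {
    "OEM/oem_settings.rgu": r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Welcome]
"Disable"=dword:000000ac
''',
    "EXT/zzz_whatever/app.reg": r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Welcome]
; only doing screen calibrate
"Disable" = dword:fffffffc
''',
}

if __name__ == "__main__":
    print(render(disable_value(["align", "location", "complete"])))
    for hit in find_overrides(SAMPLE_FILES):
        print(hit)
```

Decoding the value actually present after first boot shows which screens the winning entry enables, which narrows the search for the file that set it.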
chrisd1a1 said:
i must be doing something wrong.. no matter what i try it's not changing the boot setup
it's still going 'tap', 'calibrate', 'time/date', and 'password'....
all i want is Tap and calibrate!!!!
this is doing my head in. i'd appreciate any other ideas???
many thanks to anyone who may be able to help
Chris
Check the registry after you flash and the ROM is finished setting up. Does it read the values you set? Maybe there is another provxml or rgu setting it to a wrong value.
cruiserrr said:
I will try to explain how to get any number you need:
1. Put this table in an excel,
2. Find the 8 digits corresponding to EACH of the screens wanted (eg. tap screen is FD or 253 and align screen is FE or 254 )
3. Tap each digit in a column (one line per screen wanted)
4. calculate the minimum of each column and get the 8 digits (in the example, min of 11111101 and 11111110 is 11111100).
5. If you use provxml go the other way round and with the total calculated find the Dec Value (3rd column) corresponding to the 8 digits (in the example 11111100 would be FFFFFFFC for reg/rgu files or 252 for xml/provxml files)
This way you can get whatever combination of screens you want.
My current rom has only tap screen (no alignment, no password, etc) and works fine.
If you do not get the expected results, most probably it is not because you did it wrong but rather because there is some other code replacing yours. My recommendation is to calculate the hex, dec and binary values corresponding to the combination of screens that get loaded and then use the search function included in a visual kitchen to locate the file hindering your intended customization (or simply look for the reg keys). Most ROMs will have as many as 3 or 4 places where welcome values are defined (sys, oem, ext and yours!). If you are not so patient, create an ext package called zzz_whatever and in the files directory place an app.REG file so all values are overwritten. Make sure your reg or xml file is not mixed with other untested code, since it may also happen that the file is not executed correctly and is rolled back. When using provxml files, untested code should be placed behind, so you can call them mxipupdate_zzz01_tested and mxipupdate_zzz02_nontested to get the expected order. I think the order things get loaded is provxml, rgu, reg, xml and, inside each group, package folder name and then file name.
Hope it helps, regards
RoryB said:
Check the registry after you flash and the ROM is finished setting up. Does it read the values you set? Maybe there is another provxml or rgu setting it to a wrong value.
looks like you guys are right about something messing with this.
i set it to FC as advised but when i checked the reg on the build it's showing AC. i'm going to try a variation to see what happens..
i really appreciate the advice, just wish i could figure the fix
thanks for the help i appreciate it
Chris
hi,
try to search in the rgu of your OEMDrivers.
maybe there is a registry entry that is replacing your registry.
regards,
twisted
i really appreciate the advice, just wish i could figure the fix
What are you using for building the ROM? I am pretty familiar with Ervius Visual Kitchen and it is quite straightforward to use the search tool. Even if you use another kitchen you can download EVK, put your files in the ext folder and do the search. Good luck!
I find Agent Ransack is a handy tool for searching the contents of files.
As a test you can set the registry the way you like and then run welcome.exe to see if the behaviour is the way you expect.
Hi
I have slightly modified Daneshm90's deodexer script to be able to deodex Honeycomb and ICS ROMs. This only works for Honeycomb and ICS.
Just place the contents of system/app in the app folder and the contents of system/framework in the framework folder, run deoall.bat and choose option 1.
I don't know if this works as I don't have ICS, and I need a tester with ICS rooted. If anything happens to your phone or tablet it is not my responsibility.
Please give any feedback.
If you can help then please don't hesitate.
Please, I didn't do much; it's Daneshm90 that made the effort.
http://www.multiupload.com/B5OAAPD9JZ
I have an ICS beta running on my SGS i9000
I'll give it a go and report back
any one confirm this works with a honeycomb ROM? thanks for this script/tool.
Does not work on ICS
api level
for smali/baksmali 1.3.0 you must set api level see list
suc6
Android 4.0.3 =====> 15 <==== ICE_CREAM_SANDWICH_MR1 Platform Highlights
Android 4.0, 4.0.1, 4.0.2 =====> 14 <===== ICE_CREAM_SANDWICH
Android 3.2 =====> 13 <==== HONEYCOMB_MR2
Android 3.1.x =====> 12 <===== HONEYCOMB_MR1 Platform Highlights
Android 3.0.x =====> 11 <===== HONEYCOMB Platform Highlights
java -Xmx512m -jar baksmali-1.3.0.jar -a 15 -d framework -d app -d deodexed_APK -d deodexed_JAR -x "%~dp0app\%~n1.odex"
java -jar smali-1.3.0.jar -a 15 out -o "%~dp0temp_%~n1\classes.dex"
When deodexing a Honeycomb or earlier odex file, you must specify an api level. Quoted from JesusFreke
You shouldn't have to use the api option on ICS however it shouldn't hurt anything.
So this is working for 4.0.3?
==>So this is working for 4.0.3?<==
It worked for me in dsixda's kitchen when I specified api level 15, no errors occurred
sparkienl said:
==>So this is working for 4.0.3?<==
It worked for me in dsixda's kitchen when I specified api level 15, no errors occurred
Not working with samsung galaxy s2 XXKP8 ics
do it through hex editor
m!k3 said:
Not working with samsung galaxy s2 XXKP8 ics
You're right, it's not working with a lot of versions of smali/baksmali,
but you can always do it by hand with a hex editor, remove the head and tail of the .odex file and rename it to classes.dex file
sparkienl said:
You're right, it's not working with a lot of versions of smali/baksmali,
but you can always do it by hand with a hex editor, remove the head and tail of the .odex file and rename it to classes.dex file
Thanks for that handy tidbit, I didn't know about that.
tidbit
Delgoth said:
Thanks for that handy tidbit, I didn't know about that.
Here is a howto for manipulating .odex files with a hex editor.
Open the .odex file with a hex editor like HxD.exe
Search for this: "64 65 78 0A 30 33 35" or "dex.035"
You will find something like this:
"64 65 79 0A 30 33 36 00 28 00 00 00 AC 56 00 00 D8 56 00 00 0E 02 00 00 E8 58 00 00 A8 05 00 00 00 00 00 00 50 66 70 E9 64 65 78 0A 30 33 35"
All before "64 65 78 0A 30 33 35" or "dex.035" you must also delete.
The new head starts also here :"64 65 78 0A 30 33 35 00 D9 31 66 0D D8 BC DE 57 94 07 9C DA C5 1D F3 AD" or "dex.035.Ù1f.ؼÞW”.œÚÅ.ó."
Search for the tail with this:"2F 73 79 73 74 65 6D 2F 66 72 61 6D 65 77 6F 72 6B 2F 63 6F 72 65 2E 6F 64 65 78 00" or "/system/framework/core."
Count an extra 24 hex for your find and now remove the tail from that point on
You will then find something like this:
"1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24" extra 24 hex
"00 00 00 00 76 B7 77 3F 49 0E 2A 24 1B 00 00 00 09 00 00 00 1C 00 00 00 2F 73 79 73 74 65 6D 2F 66 72 61 6D 65 77 6F 72 6B 2F 63 6F 72 65 2E 6F 64 65 78 00"
^ delete the tail from here and rename the rest of the .odex file classes.dex
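The head and tail that the hex-editor steps above locate by searching are described by the 40-byte header at the start of the .odex file, so the same cut can be made from the header's offset and length fields. The following is an added example, not code from the original post: it parses that header (Dalvik's DexOptHeader layout) using the bytes quoted in the post, and decodes the start of the dependency block to show where the "extra 24" bytes come from. `build_sample` produces a constructed, non-functional file for the round trip. The carved dex still contains the opcodes dexopt rewrote for the device's framework, which is the part baksmali's `-x` option with the framework files undoes.

```python
import struct

ODEX_MAGIC = b"dey\n036\x00"
DEX_MAGIC = b"dex\n035\x00"
# Dalvik DexOptHeader: 8-byte magic followed by eight little-endian uint32s.
OPT_HEADER = struct.Struct("<8s8I")
FIELDS = ("dex_offset", "dex_length", "deps_offset", "deps_length",
          "opt_offset", "opt_length", "flags", "checksum")

# Header bytes quoted in the post above (everything before "dex.035").
PAGE_HEADER = bytes.fromhex(
    "64 65 79 0A 30 33 36 00 28 00 00 00 AC 56 00 00 D8 56 00 00"
    "0E 02 00 00 E8 58 00 00 A8 05 00 00 00 00 00 00 50 66 70 E9")
# Tail bytes quoted in the post, minus the four leading zero bytes of padding.
PAGE_DEPS = bytes.fromhex(
    "76 B7 77 3F 49 0E 2A 24 1B 00 00 00 09 00 00 00 1C 00 00 00"
    "2F 73 79 73 74 65 6D 2F 66 72 61 6D 65 77 6F 72 6B 2F"
    "63 6F 72 65 2E 6F 64 65 78 00")


def parse_odex_header(data):
    """Decode the odex header into a dict of its eight uint32 fields."""
    if len(data) < OPT_HEADER.size:
        raise ValueError("too short for an odex header")
    magic, *values = OPT_HEADER.unpack_from(data)
    if magic != ODEX_MAGIC:
        raise ValueError("odex magic (dey 036) not found")
    return dict(zip(FIELDS, values))


def extract_dex(data):
    """Return the embedded dex, cut by dex_offset/dex_length from the header."""
    hdr = parse_odex_header(data)
    start = hdr["dex_offset"]
    end = start + hdr["dex_length"]
    if end > len(data) or end > hdr["deps_offset"]:
        raise ValueError("dex range runs past the file or into the deps block")
    dex = data[start:end]
    if not dex.startswith(DEX_MAGIC):
        raise ValueError("dex magic (dex 035) not found at dex_offset")
    return dex


def parse_deps_start(blob):
    """Decode the fixed part of the dependency block and its first entry.

    Four uint32s (source mtime, source CRC, VM build, entry count), then
    per entry a uint32 name length and the NUL-terminated path.
    """
    mod_when, crc, vm_build, num_deps, name_len = struct.unpack_from("<5I", blob)
    name = blob[20:20 + name_len].rstrip(b"\x00").decode("ascii")
    return {"mod_when": mod_when, "crc": crc, "vm_build": vm_build,
            "num_deps": num_deps, "first_dep": name}


def build_sample():
    """Constructed odex-shaped file: real header layout, placeholder dex body."""
    fake_dex = DEX_MAGIC + bytes(28)      # 36 bytes, not a valid dex
    deps_offset = 80                      # 40 + 36 rounded up to a multiple of 8
    header = OPT_HEADER.pack(ODEX_MAGIC, 40, len(fake_dex), deps_offset,
                             len(PAGE_DEPS), deps_offset + len(PAGE_DEPS), 0, 0, 0)
    return header + fake_dex + bytes(4) + PAGE_DEPS


if __name__ == "__main__":
    hdr = parse_odex_header(PAGE_HEADER)
    print({k: hex(v) for k, v in hdr.items()})
    # 4 padding bytes + 16 fixed bytes + 4-byte name length = the "extra 24".
    print(hdr["deps_offset"] - (hdr["dex_offset"] + hdr["dex_length"]))
    print(parse_deps_start(PAGE_DEPS))
    print(len(extract_dex(build_sample())))
```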
sparkienl said:
You're right, it's not working with a lot of versions of smali/baksmali,
but you can always do it by hand with a hex editor, remove the head and tail of the .odex file and rename it to classes.dex file
which version of smali/baksmali are you using?
version
m!k3 said:
which version of smali/baksmali are you using?
I tried version 1.2.3/1.26/1.2.8 and 1.3.0 on your file "Not working with samsung galaxy s2 XXKP8 ics" but they didn't work for me.
USE THE UPDATED SMALI/BAKSMALI 1.3.2 WITH -a 15 and it will deodex your file
Trying to deodex some honeycomb...how do I change the api. I tried what was listed above, but did not work for me.
Thanks for any help.
pashinator said:
Hi
I have slightly modified Daneshm90's deodexer script to be able to deodex honeycomb and ICS roms. this only works for honecomb and ICS.
just place the contents of system/app in the app folder and the contents of the system/framework in the framework folder and run deoall.bat and choose option 1.
i dont know if this works as i dont have ICS and i need tester with ICS rooted and if anything happens to your phone or tablet it is not my responsibility.
please give any feedback.
if you can help then please dont hesitate.
please, i didnt do much its Daneshm90 that made the effort.
http://www.multiupload.com/B5OAAPD9JZ
not working in N7000
Please help me
Thanks
could you reupload the file? I can't download it..
Use dsixda kitchen and set the API level to 15 it will deodex without any problem. I done it successfully with my ICS ROM.
I could not post directly in the development thread as I joined simply to share my solution. If anyone can confirm and prepare a better guide please post to CM7 thread by whistelstop.
You will need your factory mac address.
MAC addresses all being the same is due to the nvs_map.bin file required by the tiwlan driver. In dmesg the driver will tell you it is looking for it and defaulting the MAC address.
I am running CM7 mileage will vary in stock rom.
http://www.omappedia.org/wiki/Porting_MCP_WLAN_to_Android#TxBiP_Calibration
I used the calibration instructions in terminal emulator on cm7 Kindle as "su"
#wlan_cu -b
# / w p 1 l 2 f 2
# / t b v 21
# / t b t 1 0 0 0 0 0 0 0
#/ q
New nvs_map.bin file will be created in /data/misc/wifi/
#cp /data/misc/wifi/nvs_map.bin /sdcard/nvs_map.bin
connect to linux/windows host copy file to pc
open with hex editor I used xvi32 for windows.
link to my source for instruction for byte order and editing.
http://processors.wiki.ti.com/index...ce_(CLI)_User's_Guide#Editing_the_MAC_Address
Short instructions:
Editing the MAC Address
After the TX BIP runs, there is a new file called nvs_map.bin in Linux that contains the MAC address and the calibration data. The document SWAA044_NVS_INI_File_Functions_AN.pdf contains the format of the NVS file. If MAC address fields are manually edited with a hex editor, the byte order should be low byte first, followed by the high byte:
MAC address low register (offset 0x01 to 0x02)
MAC address LSB (offset 0x3 to 0x06)
MAC address high register (offset 0x08 to 0x09)
MAC address MSB (offset 0x0A to 0x0D)
The MAC address LSB and MAC address MSB, respectively, are shown in bold in the
following code for 08:00:28:12:34:56:
0000: 01 6d 54 56 34 12 28 01 71 54 00 08
For 11:22:33:44:55:66:
0000: 01 6d 54 66 55 44 33 01 71 54 22 11 00 00
Using a hex editor, you should change the bold numbers to the MAC address you
want to use.
Be careful about byte order and look closely at examples.
Good Luck
Please confirm instructions yourself and use at your own risk
Just tried that and it worked beautifully!
Thanks for that - great find!
TheKid2 said:
I could not post directly in the development thread as I joined simply to share my solution. If anyone can confirm and prepare a better guide please post to CM7 thread by whistelstop.
You will need your factory mac address.
MAC addresses all being the same is due to the nvs_map.bin file required by the tiwlan driver. In dmesg the driver will tell you it is looking for it and defaulting the MAC address.
I am running CM7 mileage will vary in stock rom.
As I can not post links you will need to google my text and find correct link (noob)
maybe a moderator can fix for me.
######.omappedia.org/wiki/Porting_MCP_WLAN_to_Android#TxBiP_Calibration
I used the calibration instructions in terminal as "su"
#wlan_cu -b
# / w p 1 l 2 f 2
# / t b v 21
# / t b t 1 0 0 0 0 0 0 0
#/ q
New nvs_map.bin file will be created in /data/misc/wifi/
#cp /data/misc/wifi/nvs_map.bin /sdcard/nvs_map.bin
connect to linux/windows host copy file to pc
open with hex editor I used xvi32 for windows.
link to my source for instruction for byte order and editing.
##processors.wiki.ti.com/index.php/OMAP35x_Wireless_Connectivity_WL1271_Command_Line_Interface_(CLI)_User%27s_Guide#Editing_the_MAC_Address
Short instructions:
Editing the MAC Address
After the TX BIP runs, there is a new file called nvs_map.bin in Linux that contains the MAC address and the calibration data. The document SWAA044_NVS_INI_File_Functions_AN.pdf contains the format of the NVS file. If MAC address fields are manually edited with a hex editor, the byte order should be low byte first, followed by the high byte:
MAC address low register (offset 0x01 to 0x02)
MAC address LSB (offset 0x3 to 0x06)
MAC address high register (offset 0x08 to 0x09)
MAC address MSB (offset 0x0A to 0x0D)
The MAC address LSB and MAC address MSB, respectively, are shown in bold in the
following code for 08:00:28:12:34:56:
0000: 01 6d 54 56 34 12 28 01 71 54 00 08
For 11:22:33:44:55:66:
0000: 01 6d 54 66 55 44 33 01 71 54 22 11 00 00
Using a hex editor, you should change the bold numbers to the MAC address you
want to use.
Be careful about byte order and look closely at examples.
Good Luck
Please confirm instructions yourself and use at your own risk
I'll verify tomorrow. Thanks for taking the time to help run this to ground and get a workaround.
** Deleted **
For new driver only ....
so next cm7 build will get the fix
right?
As it was my first post forum would not allow me to post links I am hoping someone will clean up solution and add to development thread.
whistlestop said:
I'll verify tomorrow. Thanks for taking the time to help run this to ground and get a workaround.
love this rom , I have four of these running on my router now with original factory mac addresses, Thank You for your work. I know from personal experience hours and hours can just disappear when you get involved with a project of this type.
Is there a way to get the factory MAC address while still in CM7 or do I have to load the stock ROM to get it and then go back to CM7?
I have not found a method other than loading stock software back on the device.
If you only have one kindle on your network you most likely will never have a problem.
If you had more than one running cm7 you could have router issues as they all were reporting same mac address. You will not have any issues unless another cm7 kindle shows up on the same wireless access point as yours.
Unless you have a router log or something with your former MAC address, I think you have to reload stock to find it. That's what I did anyway.
Thanks to the OP for posting this; worked like a charm!
direct editing
could we use a hex editor to change the local file on the kindle?
I spotted one at the market place, and combined with SU privileges it might get the job done.
jfb9301 said:
could we use a hex editor to change the local file on the kindle?
I spotted one at the market place, and combined with SU privileges it might get the job done.
Any hex editor should work. I am so used to using a laptop, still adjusting to the touch keyboard.
Hopefully better instructions
Having just stumbled through the OP's instructions (hats off to the OP for finding this), successfully I might add, I thought I'd write up a hopefully clearer method of achieving this.
As I have had difficulty with the adb.exe command (connection issues, probably from a dodgy connection if I have too many USB devices plugged in) I chose to use applications local to my Kindle itself for as much as I could.
Apps:
adb.exe (the one that came with Kindle_Fire_Utility worked for me) grab a copy of this useful tool here kindle fire utility thread
Root explorer from the android market android market link
HexEditor android market link
Kindle fire
Computer
Data:
Your original MAC address - this might suck to get, as you will have to get it from your Kindle booted to stock Kindle Fire Firmware. I had installed CM7 using TWRP, so I booted to TWRP did a backup of my current CM7 OS, did a restore to the KF OS, booted to stock(rooted) opened up settings/device and nabbed that pesky MAC address, rebooted to TWRP, restored CM7.
Instructions:
connect KF to computer
open the computers start menu and select run, type CMD in the box
navigate to kindle_fire_utility/tools
type command: adb shell
adb should open and start communication with your Kindle
within the shell you have to type the following (be mindful of the spaces as they are important, ignore the #s as they are to make this post put the spaces in):
#wlan_cu -b
# / w p 1 l 2 f 2
# / t b v 21
# / t b t 1 0 0 0 0 0 0 0
#/ q
now use ctrl-c to end ADB, and command:
exit
to close cmd, you are done with windows.
now the kindle part...
open root explorer
/data/misc/wifi
select nvs_map.bin and copy to the sdcard, I made two copies and named the second nvs_map.bin.bak just in case things got screwed from this point on.
exit root explorer
open HexEditor
open /sdcard/nvs_map.bin and change the digits in the very first line of the file
(example from OPs post)
following code for 08:00:28:12:34:56:
0000: 01 6d 54 56 34 12 28 01 71 54 00 08 00 00
For 11:22:33:44:55:66:
0000: 01 6d 54 66 55 44 33 01 71 54 22 11 00 00
save the file
use root explorer to copy it back to /data/misc/wifi
long press the file and set permissions to RW-RW-RW-
Reboot.....
Done
---------- Post added at 04:09 PM ---------- Previous post was at 03:11 PM ----------
I confirmed the MAC address using my wifi router (DDWRT) is awesome.
Does anyone know a way to get CM7 to cough up the kindles MAC address?
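The byte order described in the original instructions and repeated in the walkthrough above is easy to get wrong by hand. The following is an added example, not code from either post: it reads the MAC address back out of the first 14 bytes of nvs_map.bin and writes a restored factory address in the same layout, refusing to touch a file whose register tags are not where the posted dumps show them. The trailing bytes in `SAMPLE_NVS` are constructed filler standing in for calibration data.

```python
# Layout of the first 14 bytes, as shown in the dumps posted in this thread:
#   0x00-0x02  01 6d 54      tag + MAC address low register
#   0x03-0x06  last four MAC octets, reversed
#   0x07-0x09  01 71 54      tag + MAC address high register
#   0x0A-0x0D  first two MAC octets, reversed, then 00 00
LOW_TAG = bytes.fromhex("016d54")
HIGH_TAG = bytes.fromhex("017154")


def parse_mac(text):
    """Turn 'aa:bb:cc:dd:ee:ff' (or dashes) into six bytes."""
    parts = text.replace("-", ":").split(":")
    if len(parts) != 6 or not all(len(p) == 2 for p in parts):
        raise ValueError("expected six two-digit hex octets: %r" % text)
    return bytes(int(p, 16) for p in parts)


def check_layout(nvs):
    """Raise unless the register tags sit where the posted dumps show them."""
    if len(nvs) < 14:
        raise ValueError("file too short to hold the MAC fields")
    if nvs[0:3] != LOW_TAG or nvs[7:10] != HIGH_TAG:
        raise ValueError("register tags not found at offsets 0x00 and 0x07")


def read_mac(nvs):
    """Return the MAC address stored in an nvs_map.bin image."""
    check_layout(nvs)
    if nvs[12:14] != b"\x00\x00":
        raise ValueError("upper half of the MSB word is not zero")
    octets = nvs[10:12][::-1] + nvs[3:7][::-1]
    return ":".join("%02x" % b for b in octets)


def write_mac(nvs, mac):
    """Return a copy of the image with `mac` stored; nothing else changes."""
    check_layout(nvs)
    octets = parse_mac(mac)
    out = bytearray(nvs)
    out[3:7] = octets[2:6][::-1]
    out[10:14] = octets[0:2][::-1] + b"\x00\x00"
    return bytes(out)


# First dump from the thread (08:00:28:12:34:56) plus constructed filler.
SAMPLE_NVS = bytes.fromhex("01 6d 54 56 34 12 28 01 71 54 00 08 00 00") + bytes(range(16))

if __name__ == "__main__":
    print(read_mac(SAMPLE_NVS))
    patched = write_mac(SAMPLE_NVS, "11:22:33:44:55:66")
    print(patched[:14].hex(" "))
    print(read_mac(patched))
```

Reading the address back from the edited file before copying it to /data/misc/wifi catches a swapped byte pair without a reboot.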
I'm having some difficulties with these instructions. I've tried with the WiFi setting from CM7 on and off, and also with the full instructions from the omappedia.org site, and it's still not working. A quick Google didn't come up with anything.
This is my output (from an ADB shell, obviously):
Code:
# insmod /system/etc/wifi/tiwlan_drv.ko
# start wlan_loader
# ifconfig tiwlan0 up
# wlan_cu –b
ERROR - IpcWpa_Sockets_Open - can't connect the socket
******************************************************
Connection to supplicant failed
******************************************************
ERROR - IPC_STA_Private_Send - error sending Wext private IOCTL to STA driver (ioctl_cmd = 800003, res = -1, errno = 19)
ERROR - driver is not in RUNNING state!
user_main, start
\> Driver/, Connection/, Management/, Show/, Privacy/, scAn/, roaminG/, qOs/, poWer/, eVents/, Bt coexsistance/, Report/, dEbug/, biT/, aboUt, Quit
/ D S
\> Driver/, Connection/, Management/, Show/, Privacy/, scAn/, roaminG/, qOs/, poWer/, eVents/, Bt coexsistance/, Report/, dEbug/, biT/, aboUt, Quit
.../Driver> Start, sTop, stAtus
ERROR - IPC_STA_Private_Send - error sending Wext private IOCTL to STA driver (ioctl_cmd = 8000001, res = -1, errno = 19)
ERROR - Failed to start driver!
I have tried it with and without the first three lines (going straight to wlan_cu -b), and the / D S line is an unsuccessful attempt to start the driver. An attempt to just push through all the commands gives an error message with every line, and does not create the nvs_map.bin file.
Anyone have any ideas?
I had wifi on, and did not run the first 3 commands. No thoughts beyond that.
For reference, I am on the latest CM7 with the updated video stuff by wistlestop (I think)
csyria6919 & jfb9301,
I can confirm, you'll get the errors csyria6919 gets with WiFi OFF - turn on Wifi on the KF and then the ADB commands work without errors.
VERY NICE Fix - +1 thanks to TheKid2!
~J
csyria6919 said:
I'm having some difficulties with these instructions. I've tried with the WiFi setting from CM7 on and off, and also with the full instructions from the omappedia.org site, and it's still not working. A quick Google didn't come up with anything.
This is my output (from an ADB shell, obviously):
Code:
# insmod /system/etc/wifi/tiwlan_drv.ko
# start wlan_loader
# ifconfig tiwlan0 up
# wlan_cu -b
ERROR - IpcWpa_Sockets_Open - can't connect the socket
******************************************************
Connection to supplicant failed
******************************************************
ERROR - IPC_STA_Private_Send - error sending Wext private IOCTL to STA driver (ioctl_cmd = 800003, res = -1, errno = 19)
ERROR - driver is not in RUNNING state!
user_main, start
> Driver/, Connection/, Management/, Show/, Privacy/, scAn/, roaminG/, qOs/, poWer/, eVents/, Bt coexsistance/, Report/, dEbug/, biT/, aboUt, Quit
/ D S
> Driver/, Connection/, Management/, Show/, Privacy/, scAn/, roaminG/, qOs/, poWer/, eVents/, Bt coexsistance/, Report/, dEbug/, biT/, aboUt, Quit
.../Driver> Start, sTop, stAtus
ERROR - IPC_STA_Private_Send - error sending Wext private IOCTL to STA driver (ioctl_cmd = 8000001, res = -1, errno = 19)
ERROR - Failed to start driver!
I have tried it with and without the first three lines (going straight to wlan_cu -b), and the / D S line is an unsuccessful attempt to start the driver. An attempt to just push through all the commands gives an error message with every line, and does not create the nvs_map.bin file.
Anyone have any ideas?
Hi,
I only used the docs as reference. Wifi should be turned on on the Kindle. I issued all commands from a terminal emulator running on the Kindle. Hope you have found a solution that works for you. Also there are spaces in between just about every letter in the commands.
Let us know if you were successful.
Hello,
I am hearing about cpu utilization issue in another thread. http://forum.xda-developers.com/showthread.php?t=1411895
Can anyone running cm7 and using the nvs_map file check utilization while connected to a secure network? My installation is not exhibiting the described CPU behavior of being stuck at 1008. Wondering if using the calibration file is actually improving performance.
As a side note, the same file can be used in the current build of ICS they are developing in that thread.
cpu scaling issue does not show up on unsecured net. Need a few people to sound off here to determine if my kindles are the only ones not having scaling issue.
Thanks
Is there somewhere in cm7 to check cpu utilization, I looked everywhere ended up downloading task manager from market. Seems like task manager, and performance monitor should be in there somewhere. I am sure I am overlooking something simple.
Thanks
TheKid2 said:
Is there somewhere in cm7 to check cpu utilization, I looked everywhere ended up downloading task manager from market. Seems like task manager, and performance monitor should be in there somewhere. I am sure I am overlooking something simple.
Thanks
I used your guide, got CM7 on my device and will check that once I get home.
To check CPU utilization I'd recommend CPU Spy https://market.android.com/details?id=com.bvalosek.cpuspy
Disclaimer:
The newflasher tool was made for testing and educational purposes. I am not responsible for what you do on/with your device using newflasher; you must agree that you are using newflasher at your own risk. I am not responsible if you brick your device or anything else!
How to use:
OPTIONAL STEP 1:
- If the flash driver is missing, just double-click the exe and confirm driver extraction; an exe will become available, run it and install the driver.
OPTIONAL STEP 2:
- This step is optional. It dumps the trim area; you can do this and keep those files somewhere on your PC in case you hard-brick your device, so you can give them to the service technicians who repair your phone.
STEP 1:
- Download the right firmware for your device using the XperiFirm tool, and put newflasher.exe into the firmware dir created by XperiFirm. Before you double-click newflasher.exe, keep something in mind: the newflasher tool is programmed to flash everything found in the same dir!!! So the tool flashes all .ta files, all .sin files, boot delivery (whole boot folder), partition.zip, in short all files found in the dir! If you don't want to flash something, just move the file you don't want to flash OUT OF THE FOLDER! Partition.zip .sin files can be flashed only if you extract partition.zip into a newly created folder called partition!
STEP 2:
- To start flashing, put your phone into flash mode, double-click newflasher.exe and wait, wait, wait until your device gets flashed, that's it. Look into the log to see if something went wrong! If all is right, you are done. If not, post your log so I can look!
SOME MORE THINGS:
"You do not need to unlock bootloader or to root the phone if you want to flash a stock firmware from XperiFirm.
There are no files in the stock firmware that need to be deleted. Prompts will ask you to skip some files.
Feel free to press N to every prompt since:
- TA dumping is not related to DRM keys.
- Flash persist_* files only if you know what you are doing, since you will lose your attest keys. Backup persist partition.
If you need the firmware on both A and B slot use fastboot commands to choose the inactive partition and re-flash."
Happy flashing!
Supported platforms:
- Newflasher works on Windows, Linux, Android and Darwin, just choose the right newflasher binary. With the Android version you can flash a phone by using another phone!
Changelog:
- version 1: Sorry, a lot of work was done in the pre-pre-alpha version and I can't count every change; just follow the development process about version 1. A lot of work was done before it started working. One essential change was made to improve the tool, and it is described in one of my posts related to moving the function "erase:" to the section before the function "flash:"; it is really an improvement and safer than when it was at the start of the flashing routine.
- version v2 (15.Aug.2017)
Implemented a free disk space safety check; it was missing and dangerous in case the flashing process gets interrupted because of a lack of the free disk space needed for sin extractions and temporary files. I have also included a GordonGate flash driver prompt, so in case somebody has missing flash drivers, they simply need to double-click the exe and follow the driver archive extraction procedure, then install these drivers through Windows Device Manager. Also I have implemented a really pre-pre-alpha version of the maybe non-working trim area dump routine (why maybe? Because I don't own an XZP so I can't test); in case it is working we can dump some essential trim area units from the device (probably not a full dump as it was on all the older Xperia models - no permissions for dumping the DRM key unit)
- version v3 (23.09.2017)
Some more security checks, it's now a bit safer than v2
- version v4 (21.10.2017)
Updated trim area dumper, now it stores the log to trimarea.log but the dump is now in .ta format and written to 01.ta and 02.ta
- version v5 (22.10.2017)
Updated trim area dumper, add progress meter, fix y-n prompt (thanks @pbarrette)
- version v6 (22.10.2017)
Updated trim area dumper
- version v7 (23.10.2017)
Updated trim area dumper, newflasher redesigned a bit, fix new partitioning for Oreo
- version v8 (24.10.2017)
Fix trim area dumper
- version v9 & v10 (25.10.2017)
Workarounds on trim area dumper
- version v11 (07.04.2018)
Support for 2018 devices
- version v12 (29.04.2018)
Try fix doublefree bug/crash (most noticed on Linux 64 bit binary)
- version v13 (01.05.2018)
Fix doublefree bug/crash by removing dynamic allocation from function get_reply
- version v14 & v15 (12.06.2019)
Sony XPeria 1 support added.
- version v16 (16.06.2019)
LUN0 detection optimized.
- version v17 (24.06.2019)
LUN0 detection bug fixed.
- version v18 (10.08.2019)
Untested fix for https://forum.xda-developers.com/cr...wflasher-xperia-command-line-t3619426/page105
Using builtin mkdir instead of calling it through system call
- version v19 (08.10.2019)
Implemented prompt for flashing persist partition; print skipped .sin files
- version v20 (13.12.2019)
implemented prompt for flashing bootloader, bluetooth, dsp, modem, rdimage to both a,b slots
- version v21 (29.06.2020)
implemented battery level status check before flashing; flashing bootloader, bluetooth, dsp, modem, rdimage to both a,b slots is mandatory now and is done by default; more info; try to fix the previously reported issue with the sync and powerdown commands reported 2-3 years ago, which I had disabled and have now enabled for testing; implemented macOS support (currently needs to be tested! If you plan to test, please flash only cache.sin. DO NOT flash the rest, for the safety of your device!)
- version v22 (30.06.2020)
trying to fix battery capacity retrieval
- version v23 (04.07.2020)
removed battery capacity retrieval (not going to work that way), fix trim area dump file name, new gordongate drivers
- version v24 (04.07.2020)
new feature - now you can run newflasher from a script or console with your own command, e.g. newflasher getvar:Emmc-info. I didn't test the whole list of commands; if you do, share them with us!
- version v25 (09.07.2020)
New trim area dump tool; with this change the trim area dump is created in 3 seconds. Keep in mind this does not dump protected units like the drm key...etc! Some changes in the scripting feature from v24
- version v26 (10.07.2020)
Added 4 different reboot modes: reboot to android, reboot to fastboot, reboot to bootloader, power off
- version v27 (11.07.2020) (not yet released)
Workaround in mac libusb
- version v28 (12.07.2020)
Workaround to sync response bug; Fully implemented support for Mac. I tested it myself on mac 10.14, but it is confirmed working on mac 10.15 too
- version v29 (12.07.2020)
Mac proper libusb deinitialisation
- version v30 (13.07.2020)
Preparation for Debian packaging; I noticed that the hex-modified arm64 fake pie binary is not working, so it's now compiled with ndk and it's a true pie binary now
- version v31 (14.07.2020)
Fix cosmetic bug https://forum.xda-developers.com/showpost.php?p=83056693&postcount=1212 which might confuse somebody
- version 32, not yet released
- version 33 (30.07.2020)
Allow bootloader unlocking with newflasher; Try to fix the sync response bug for win and darwin too
- version 34 (08.08.2020)
Added support for 32bit sized trim area units (as trim area api changed in xperia mark 2 line) (not yet released because of bug)
- version 35 (08.08.2020)
Updated support for 32bit sized trim area units (as trim area api changed in xperia mark 2 line); Moved trim area dumps out of the root folder so they do not get accidentally flashed; dumps are now inside the folder tadump
- version 36 (27.08.2020)
Some improvements and possible bug fixes
- version 37 (09.12.2020)
Added support for Xperia 5 II with emmc instead of ufs (not working)
- version 38 (10.12.2020)
Fixed improper implementation from v37
- version 39 (13.12.2020)
Since mark 2 devices the protocol has changed a bit, and on some devices the OKAY reply is not in a separate usb packet; instead it is merged with the data packet. Added support for it
- version 40 (03.01.2021)
Temporary solution for determining the partition 0 sin file, caused by two different emmc csd info we found recently on mark 2 devices
- version 41 (03.01.2021)
Removed temporary solution from version 41 so the right lun0 sin file gets flashed and the second lun0 gets skipped, or both are skipped if the lun0 sin file does not match the device storage size
- version 42 (11.03.2021)
Fix bug in flashing both slots when current slot is A, thanks to @chrisrg for discovering the bug!
- version 43 (12.06.2021)
Support for Mark 3 devices
- version 44 (19.06.2021)
Full Mark III device implementation
- version 45 (20.06.2021)
Implemented battery level check and a prompt for the user to take a risk and continue flashing or stop flashing if the battery level is less than 15 percent
- version 46 (08.07.2021)
Fix problem with filenames which contain "_other"; they always need to be flashed to the different slot
- version 47 (15.07.2021)
Removed prompt for persist.sin flashing; now it is skipped by default. Implemented bootloader log retrieval at the end of flashing for better understanding when something goes wrong. Implemented firmware log history retrieval for those who want to know the history of the flashed firmwares
- version 48 (19.07.2021)
Flash bootloader, bluetooth, dsp, modem, rdimage to both slots only on a,b devices
- version 49 (31.07.2021)
Support for XQ-BT41
- version 50 (12.08.2021)
Work in progress on asynchronous usb to make it more like synchronous; added progress bar during send-receive of usb packets and more logging. Increased usb timeout to 2 minutes. Trying to fix the sync command at the end of flashing as reported here -> https://github.com/munjeni/newflasher/issues/42
- version 51 (12.08.2021)
Fix empty line printed while receiving usb packets, thanks @elukyan
- version 52 (01.10.2021)
Implemented userprompt for keeping userdata, thanks @OhayouBaka for figuring out! Removed bootloader log retrieval
- version 53, 54, 55 (20.0822022)
Fix trimarea dumper crash on big endian machines, update building makefiles
Credits:
- without @tanipat and his pc companion debug logs this tool would never have been possible! Thank you a lot for your time providing me logs! (under the influence of others, he disappointed me with his last post, but I still appreciate his help and can't forget it)
- without @thrash001, who helped test our tool, I would never have continued building it, since I don't have a device for testing, thanks mate!
- didn't forget @beenoliu, thanks mate for testing!
- thanks to @porphyry for testing linux version!
- thanks to @Snow_Basinger for providing sniff log from 2018 device and for testing on his 2018 device
- thanks to @frantisheq for testing newflasher on his 2018 device and for notifying me about the doublefree bug
- thanks to @serajr for providing me some logs which helped me to figure out some things related to 2018 devices
- thanks to @noelex for helping in Xperia 1 implementation
- thanks to @Meloferz for testing on his xperia 1 mark II
- thanks to github contributors, testers and reporters: vog, noelex, TheSaltedFish, solarxraft, pbarrette, MartinX3, kholk
- thanks to Chirayu Desai for tracking addition to Debian and thanks to vog for initiating all that
- thanks to @elukyan for testing and providing me usb sniff logs for the mark 3 devices implementation, thank you so much
Common errors and how to solve:
https://forum.xda-developers.com/t/tool-newflasher-xperia-command-line-flasher.3619426/post-72610228
Source code:
https://github.com/munjeni/newflasher
let me start for you and report
here my log..
Code:
--------------------------------------------------------
newflasher.exe by Munjeni @ 2017
--------------------------------------------------------
Device path: \\?\usb#vid_0fce&pid_b00b#5&15c311e1&0&2#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Class Description: USB-Controller
Device Instance Id: USB\VID_0FCE&PID_B00B\5&15C311E1&0&2
ERROR: TIMEOUT: failed with error code 997 as follows:
Überlappender E/A-Vorgang wird verarbeitet.
- Error writing command!
Drücken Sie eine beliebige Taste . . .
Common errors and what you need to do:
ERROR: TIMEOUT: failed with error code 997 as follows:
Overlapped I/O operation is in progress.
FIX --------> https://forum.xda-developers.com/t/tool-newflasher-xperia-command-line-flasher.3619426/post-84603931
Error, didn't got signature OKAY reply! Got reply: FAILFailed to verify cms
FIX---------> Make sure to flash right rom model e.g. if your device is SO-01L you need to flash rom model SO-01L or e.g. your phone is H8314 you need to flash rom H8314 ... etc, otherwise you might hardbrick your phone!
Bootloop caused by rollback protection, e.g. by flashing an OLD rom over a NEWER one: e.g. you have android 11 and want to go back to android 10; that will bootloop your phone if your phone has rollback protection
https://forum.xda-developers.com/t/...-xq-at51-with-flashtool.4119707/post-84509417
In short, your bootloader needs to be unlocked. Then, by relocking the bootloader, the rollback index (rollback protection) is reset to zero. Then you can flash the oldest rom, because the index in that case is zero, so you won't get a bootloop related to rollback protection.
It was confirmed working:
https://forum.xda-developers.com/t/...-xq-at51-with-flashtool.4119707/post-84637803
https://forum.xda-developers.com/t/...-xq-at51-with-flashtool.4119707/post-84673613
If neither helps you solve the problem, you should read the boot log to get an idea; use this command line option for newflasher:
newflasher Read-TA:2:2050
what I got
--------------------------------------------------------
newflasher.exe by Munjeni @ 2017
--------------------------------------------------------
Device path: \\?\usb#vid_0fce&pid_b00b#6&3a757eec&0&1#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Class Description: Universal Serial Bus controllers
Device Instance Id: USB\VID_0FCE&PID_B00B\6&3A757EEC&0&1
ERROR: GetOverlapped_in_Result: failed with error code 31 as follows:
A device attached to the system is not functioning.
- Error reaply! Device didn't replied with OKAY or DATA
Press any key to continue . . .
wait for others to report
Hm, you successfully wrote the command but got an error on the reply. Let's see, a new version is out.
Today I have free time for development, I don't know when I will get free time again, so guys, if you are in a hurry to have a flasher, I am here and waiting. I do not have a 2017 device model so I can't test, so I can't continue development without your tests.
Driver is the right.
here the next:
Code:
--------------------------------------------------------
newflasher.exe by Munjeni @ 2017
--------------------------------------------------------
Device path: \\?\usb#vid_0fce&pid_b00b#5&15c311e1&0&2#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Class Description: USB-Controller
Device Instance Id: USB\VID_0FCE&PID_B00B\5&15C311E1&0&2
ERROR: TIMEOUT: failed with error code 997 as follows:
Überlappender E/A-Vorgang wird verarbeitet.
- Successfully write 0x0 bytes to handle.
- Error writing command!
Drücken Sie eine beliebige Taste . . .
Strange! Maybe running as admin is needed?
It would be great if tanipat debugged newflasher with monitoring studio so I can compare what's going on. New version is out again.
Edit:
Current version is safe, so you don't need to worry about a brick! The tool currently writes nothing to internal memory! I will tell you when it is ready for flashing! Now it's just a pre-pre-alpha version, only reading from the phone.
in the windows devicemanager is it correct as "SOMC Flash Device"
the next one:
Code:
--------------------------------------------------------
newflasher.exe by Munjeni @ 2017
--------------------------------------------------------
Device path: \\?\usb#vid_0fce&pid_b00b#5&15c311e1&0&2#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Class Description: USB-Controller
Device Instance Id: USB\VID_0FCE&PID_B00B\5&15C311E1&0&2
ERROR: TIMEOUT: failed with error code 997 as follows:
Überlappender E/A-Vorgang wird verarbeitet.
- Error write! Need nBytes: 0x18 but done: 0x0
- Error writing command!
Drücken Sie eine beliebige Taste . . .
Can you right click on .exe and run as admin?
the same
Code:
--------------------------------------------------------
newflasher.exe by Munjeni @ 2017
--------------------------------------------------------
Device path: \\?\usb#vid_0fce&pid_b00b#5&15c311e1&0&2#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Class Description: USB-Controller
Device Instance Id: USB\VID_0FCE&PID_B00B\5&15C311E1&0&2
ERROR: TIMEOUT: failed with error code 997 as follows:
Überlappender E/A-Vorgang wird verarbeitet.
- Error write! Need nBytes: 0x18 but done: 0x0
- Error writing command!
Drücken Sie eine beliebige Taste . . .
---------- Post added at 08:42 PM ---------- Previous post was at 08:41 PM ----------
Code:
--------------------------------------------------------
newflasher.exe by Munjeni @ 2017
--------------------------------------------------------
Device path: \\?\usb#vid_0fce&pid_b00b#5&15c311e1&0&2#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Class Description: USB-Controller
Device Instance Id: USB\VID_0FCE&PID_B00B\5&15C311E1&0&2
- Successfully write 0x18 bytes to handle.
- Successfully read 0xd bytes from handle.
Raw input [0xD]:
00000000 4F 4B 41 59 31 30 34 38 35 37 36 30 30 OKAY104857600
get_reaply:[0xD]:
00000000 4F 4B 41 59 31 30 34 38 35 37 36 30 30 OKAY104857600
- Successfully write 0xe bytes to handle.
- Successfully read 0x9 bytes from handle.
Raw input [0x9]:
00000000 4F 4B 41 59 47 38 31 34 31 OKAYG8141
get_reaply:[0x9]:
00000000 4F 4B 41 59 47 38 31 34 31 OKAYG8141
- Successfully write 0xe bytes to handle.
ERROR: GetOverlapped_in_Result: failed with error code 31 as follows:
Ein an das System angeschlossenes Gerät funktioniert nicht.
- Successfully read 0x0 bytes from handle.
Raw input [0x0]:
- Error reaply: less than 4!
Drücken Sie eine beliebige Taste . . .
Sorry, i must disconnect the device for the next start
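The replies in the hex dumps above all start with a four-byte ASCII status ("OKAY" here; the tool's messages elsewhere in the thread also name "DATA" and "FAIL") followed by a payload, and the failing reads return fewer than four bytes. The C below is an added example, not newflasher's own code: it decodes a dump row from the log and classifies the reply with explicit length checks and no dynamic allocation. The names parse_reply, reply_to_u64, hexrow_to_bytes and the 64-byte payload cap are assumptions made for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_LEN     4   /* "OKAY", "FAIL", "DATA" as seen in the thread's logs */
#define PAYLOAD_MAX 64  /* assumed cap for this example */

enum reply_kind { R_OKAY, R_FAIL, R_DATA, R_SHORT, R_TOO_LONG, R_UNKNOWN };

struct reply {
    enum reply_kind kind;
    size_t len;                  /* payload bytes after the tag */
    char text[PAYLOAD_MAX + 1];  /* payload, printable, NUL-terminated */
};

/* Classify one reply packet without allocating or reading past buf[len-1]. */
enum reply_kind parse_reply(const uint8_t *buf, size_t len, struct reply *out)
{
    static const struct { const char *tag; enum reply_kind kind; } tags[] = {
        { "OKAY", R_OKAY }, { "FAIL", R_FAIL }, { "DATA", R_DATA },
    };
    size_t i;

    memset(out, 0, sizeof *out);
    out->kind = R_UNKNOWN;
    if (buf == NULL || len < TAG_LEN)
        return out->kind = R_SHORT;      /* the "less than 4" case in the logs */
    if (len - TAG_LEN > PAYLOAD_MAX)
        return out->kind = R_TOO_LONG;   /* refuse rather than truncate */
    for (i = 0; i < sizeof tags / sizeof tags[0]; i++)
        if (memcmp(buf, tags[i].tag, TAG_LEN) == 0)
            out->kind = tags[i].kind;
    if (out->kind == R_UNKNOWN)
        return R_UNKNOWN;
    out->len = len - TAG_LEN;
    for (i = 0; i < out->len; i++) {
        unsigned char c = buf[TAG_LEN + i];
        /* Device-controlled bytes end up in logs: neutralise control chars. */
        out->text[i] = isprint(c) ? (char)c : '.';
    }
    return out->kind;
}

/* Strict decimal parse of an OKAY payload such as "104857600".
 * Returns 0 on success, -1 on empty, non-digit or overflowing input. */
int reply_to_u64(const struct reply *r, uint64_t *value)
{
    uint64_t v = 0;
    size_t i;

    if (r->kind != R_OKAY || r->len == 0)
        return -1;
    for (i = 0; i < r->len; i++) {
        unsigned d;
        if (r->text[i] < '0' || r->text[i] > '9')
            return -1;
        d = (unsigned)(r->text[i] - '0');
        if (v > (UINT64_MAX - d) / 10)
            return -1;                   /* would overflow 64 bits */
        v = v * 10 + d;
    }
    *value = v;
    return 0;
}

/* Decode one dump row ("00000000 4F 4B ... text") into bytes. Stops at the
 * first token that is not exactly two hex digits, i.e. the ASCII column. */
size_t hexrow_to_bytes(const char *row, uint8_t *out, size_t cap)
{
    const char *p = row;
    size_t n = 0;

    while (isxdigit((unsigned char)*p))
        p++;                             /* skip the offset column */
    while (n < cap && n < 16) {          /* a dump row holds at most 16 bytes */
        unsigned v;
        while (*p == ' ')
            p++;
        if (!isxdigit((unsigned char)p[0]) || !isxdigit((unsigned char)p[1]))
            break;
        if (p[2] != ' ' && p[2] != '\0')
            break;
        sscanf(p, "%2x", &v);
        out[n++] = (uint8_t)v;
        p += 2;
    }
    return n;
}

int main(void)
{
    /* Rows copied from the log above. */
    const char *rows[] = {
        "00000000 4F 4B 41 59 31 30 34 38 35 37 36 30 30 OKAY104857600",
        "00000000 4F 4B 41 59 47 38 31 34 31 OKAYG8141",
    };
    uint8_t buf[16];
    struct reply r;
    size_t i;

    for (i = 0; i < 2; i++) {
        size_t n = hexrow_to_bytes(rows[i], buf, sizeof buf);
        parse_reply(buf, n, &r);
        printf("kind=%d payload=\"%s\"\n", (int)r.kind, r.text);
    }
    return 0;
}
```

The row decoder cannot tell a short row's ASCII column from data if that column itself looks like space-separated hex pairs, so feed it rows as the tool printed them.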
Thanks a lot! Seems some good progress here! I had set the timeout to 60 seconds; it seems it was not enough and caused the timeout. Now I have set it to 120 seconds and done some small modifications; hope we get lucky now. New version is out.
Code:
--------------------------------------------------------
newflasher.exe by Munjeni @ 2017
--------------------------------------------------------
Device path: \\?\usb#vid_0fce&pid_b00b#5&15c311e1&0&2#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Class Description: USB-Controller
Device Instance Id: USB\VID_0FCE&PID_B00B\5&15C311E1&0&2
- Successfully write 0x18 bytes to handle.
- Successfully read 0xd bytes from handle.
Raw input [0xD]:
00000000 4F 4B 41 59 31 30 34 38 35 37 36 30 30 OKAY104857600
- Successfully write 0xe bytes to handle.
- Successfully read 0x9 bytes from handle.
Raw input [0x9]:
00000000 4F 4B 41 59 47 38 31 34 31 OKAYG8141
- Successfully write 0xe bytes to handle.
ERROR: GetOverlapped_in_Result: failed with error code 31 as follows:
Ein an das System angeschlossenes Gerät funktioniert nicht.
- Error reaply: less than 4!
Drücken Sie eine beliebige Taste . . .
and this, without disconnecting, a few seconds later starting the exe again
Code:
--------------------------------------------------------
newflasher.exe by Munjeni @ 2017
--------------------------------------------------------
Device path: \\?\usb#vid_0fce&pid_b00b#5&15c311e1&0&2#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Class Description: USB-Controller
Device Instance Id: USB\VID_0FCE&PID_B00B\5&15C311E1&0&2
- Successfully write 0x18 bytes to handle.
ERROR: TIMEOUT: failed with error code 997 as follows:
Überlappender E/A-Vorgang wird verarbeitet.
- Error reaply: less than 4!
Drücken Sie eine beliebige Taste . . .
Hmm, strange really. See https://www.lifewire.com/how-to-fix-code-31-errors-2623184 it seems your driver is not working properly; maybe you have the old flashtool driver and not the one for newer devices (which can be installed by installing the sony pc companion software). I have no idea by now, unable to figure out why that happens. Did you already flash your device with sony pc companion and are you sure it is working, can you confirm? Probably, if you already installed the flashtool driver, you will need to uninstall and reinstall pc companion; I have no idea by now what might be the problem.
so, I have erased the driver, restarted windows, installed the flashtool driver. start the exe:
Code:
--------------------------------------------------------
newflasher.exe by Munjeni @ 2017
--------------------------------------------------------
Device path: \\?\usb#vid_0fce&pid_b00b#5&15c311e1&0&2#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Class Description: USB-Controller
Device Instance Id: USB\VID_0FCE&PID_B00B\5&15C311E1&0&2
- Successfully write 0x18 bytes to handle.
- Successfully read 0xd bytes from handle.
Raw input [0xD]:
00000000 4F 4B 41 59 31 30 34 38 35 37 36 30 30 OKAY104857600
- Successfully write 0xe bytes to handle.
- Successfully read 0x9 bytes from handle.
Raw input [0x9]:
00000000 4F 4B 41 59 47 38 31 34 31 OKAYG8141
- Successfully write 0xe bytes to handle.
ERROR: GetOverlapped_in_Result: failed with error code 31 as follows:
Ein an das System angeschlossenes Gerät funktioniert nicht.
- Error reaply: less than 4!
Drücken Sie eine beliebige Taste . . .
now I erase the driver, restart windows and let windows install the driver by itself.
(I hope you can understand my english)
Many thanks! Yes I understand you. I must go now, hope somebody figures out if the driver is the problem or a bug in my tool, see you guys tomorrow
New version is out, let me know please! I have researched a bit; it seems get overlapped result caused some problems and returns immediately before the operation completes. I have set it to "wait complete", hope it is ok now
good morning, so I have reinstalled sony companion and started the repair, the new driver is installed but:
Code:
--------------------------------------------------------
newflasher.exe by Munjeni @ 2017
--------------------------------------------------------
Device path: \\?\usb#vid_0fce&pid_b00b#5&15c311e1&0&2#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Class Description: USB-Controller
Device Instance Id: USB\VID_0FCE&PID_B00B\5&15C311E1&0&2
- Successfully write 0x18 bytes to handle.
- Successfully read 0xd bytes from handle.
Raw input [0xD]:
00000000 4F 4B 41 59 31 30 34 38 35 37 36 30 30 OKAY104857600
- Successfully write 0xe bytes to handle.
- Successfully read 0x9 bytes from handle.
Raw input [0x9]:
00000000 4F 4B 41 59 47 38 31 34 31 OKAYG8141
- Successfully write 0xe bytes to handle.
ERROR: GetOverlapped_in_Result: failed with error code 31 as follows:
Ein an das System angeschlossenes Gerät funktioniert nicht.
- Error reaply: less than 4!
Raw input [0x0]:
Drücken Sie eine beliebige Taste . . .
---------- Post added at 10:27 AM ---------- Previous post was at 10:18 AM ----------
and this is from my windows7 32bit pc, only sony companion is installed.
Code:
--------------------------------------------------------
newflasher (2).exe by Munjeni @ 2017
--------------------------------------------------------
Device path: \\?\usb#vid_0fce&pid_b00b#5&448f588&0&1#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Class Description: USB-Controller
Device Instance Id: USB\VID_0FCE&PID_B00B\5&448F588&0&1
- Successfully write 0x18 bytes to handle.
- Successfully read 0xd bytes from handle.
Raw input [0xD]:
00000000 4F 4B 41 59 31 30 34 38 35 37 36 30 30 OKAY104857600
- Successfully write 0xe bytes to handle.
- Successfully read 0x9 bytes from handle.
Raw input [0x9]:
00000000 4F 4B 41 59 47 38 31 34 31 OKAYG8141
- Successfully write 0xe bytes to handle.
ERROR: GetOverlapped_in_Result: failed with error code 31 as follows:
Ein an das System angeschlossenes Gerät funktioniert nicht.
- Error reaply: less than 4!
Raw input [0x0]:
Drücken Sie eine beliebige Taste . . .
I wasn't sure where to post this. If this is better posted somewhere else, please tell me or move it.
LGUP comes in different variants. Dev, LAB, Store, 3rdParty.
Depending on the variant you're running, different features are exposed by your model.dll.
If you hack LGUP, you can unlock features!
Hacked LGUP:
Store LGUP:
I've tested the 'DUMP' function to see if the unlocked features are actually working, and yes, it works:
Unfortunately, LG has implemented checks to prevent you from just modifying your LGUP.exe or LGUP_8994.dll to expose these features.
LG uses a temporary file to pass the features from the DLL to the application.
So it's just a matter of pausing LGUP at the right time, changing the file and voila.
I did it this way:
Load LGUP.exe in IDA (Interactive Disassembler),
Wait until it's done analyzing.
Set debugger to windbg. (F9)
Run the application (F9) one-time to fix the memory addresses..
You will get popups about exceptions, pass them to the application and continue running.
Exit LGUP.
Set break-point to loc_6989F. (if you can't find the location, search for string UI_Config.lgl, go to the code-xref where it's used and break there).
Run application.
When application stops at the breakpoint, open "C:\Program Files (x86)\LG Electronics\LGUP\model\8994\UI_Config.lgl" in a text-editor.
Find/replace "LAB" with "Store".
Save the file.
Continue running the application.
Tada, unlocked features!
holy crap, this is actually really helpful!
I've found another way to do this.
LGUP uses signature verification to prevent you from just hex-editing the files.
The LGUP.exe verifies the model.dll and the model.dll verifies the LGUP.exe.
I've patched this out of my model/8994/LGUP_8994.dll and modified LGUP.exe to look for strUser="DEV" instead of strUser="Store".
Now I can just start lgup.exe and get the 'Dev' functions.
I'm not sure how to distribute this.
I don't think I should just distribute modified versions of LGs software. This will make LG unhappy.
But I'm also not sure how to distribute binary patches in a way that's easy to use for others.
Here are my patches:
--- LGUP.exe (1.14.0.3)
Code:
@@ -2227,7 +2227,7 @@
00008b20: 0445 0400 0f84 4201 0000 8b96 5445 0400 .E....B.....TE..
00008b30: 8b3d fcf0 4300 6884 5144 0052 ffd7 8945 .=..C.h.QD.R...E
00008b40: dc85 c074 518b 8e40 0100 00e8 6047 0100 [email protected]`G..
-00008b50: 85c0 751b 8945 e068 f4c5 4400 8d45 e050 ..u..E.h..D..E.P
+00008b50: 85c0 eb1b 8945 e068 f4c5 4400 8d45 e050 .....E.h..D..E.P
00008b60: c786 3001 0000 0100 0000 e82d d602 00ff ..0........-....
00008b70: 55dc 83f8 ff75 1f68 f4c5 4400 8d4d d851 U....u.h..D..M.Q
00008b80: c786 3001 0000 0100 0000 c745 d800 0000 ..0........E....
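Review bot: the changed row at 0x8b50 turns the conditional branch "75 1b" into an unconditional "eb 1b", but nothing in the patch says which check that branch guards, and the target is identified only as "LGUP.exe (1.14.0.3)" with no file hash. The context rows embed absolute addresses, so the offsets only line up on that exact build. Add the SHA-256 of the unmodified file and one line describing the bypassed check, so a reader can confirm the original bytes before applying and recognise a patched copy afterwards.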
@@ -7486,7 +7486,7 @@
0001d3d0: 55d8 53c7 45a4 3000 0000 895d a889 5dac U.S.E.0....]..].
0001d3e0: c745 b002 0000 0089 5db4 897d b889 7dc0 .E......]..}..}.
0001d3f0: 895d c489 5dc8 895d d089 55bc c745 cc00 .]..]..]..U..E..
-0001d400: 0100 00ff 1544 f443 003d 0901 0b80 7f69 .....D.C.=.....i
+0001d400: 0100 00ff 1544 f443 00b8 0000 0000 eb69 .....D.C.......i
0001d410: 7460 3d26 2009 8074 523d 0400 0b80 7444 t`=& ..tR=....tD
0001d420: 3d00 010b 8075 5dff 15d8 f043 003d 0001 =....u]....C.=..
0001d430: 0b80 741f 3d03 000b 8074 183d 0100 0b80 ..t.=....t.=....
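Review bot: at 0x1d400 the six bytes "3d 09 01 0b 80 7f" that test the result of the preceding indirect call are replaced with "b8 00 00 00 00 eb", which zeroes the result and always takes the jump, so the further comparisons in the context rows at 0x1d410 to 0x1d430 are skipped on this path. Going by the post, this is the executable's verification of the model DLL, which means a patched LGUP.exe will load any DLL placed in the model directory, including one altered by someone else. State that next to the patch and recommend keeping the patched copy separate from the stock install.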
@@ -18056,7 +18056,7 @@
00046870: 696f 6e00 504f 5349 5449 4f4e 0000 0000 ion.POSITION....
00046880: 6e58 506f 7300 0000 6e59 506f 7300 0000 nXPos...nYPos...
00046890: 6e57 6964 7468 0000 5355 5050 4f52 5400 nWidth..SUPPORT.
-000468a0: 7374 7255 7365 7200 5354 4f52 4500 0000 strUser.STORE...
+000468a0: 7374 7255 7365 7200 4445 5600 0000 0000 strUser.DEV.....
000468b0: 534f 4654 5741 5245 5f53 5441 5449 4300 SOFTWARE_STATIC.
000468c0: 534f 4654 5741 5245 5f43 5452 4c00 0000 SOFTWARE_CTRL...
000468d0: 4649 4c45 5f54 5950 455f 4558 0000 0000 FILE_TYPE_EX....
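Review bot: the replacement at 0x468a0 correctly keeps the field width by padding "DEV" with NUL bytes, but the bytes being replaced are upper-case "STORE" while the description above the patch says strUser="Store"; give the exact case in the text. The "@@ -18056,7" header also counts rows of a 16-byte hex dump rather than file offsets, so name the dump tool and row width used, otherwise the patch cannot be applied or reversed mechanically.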
model/8994/LGUP_8994.dll:
Code:
@@ -6451,7 +6451,7 @@
00019320: 55d8 53c7 45a4 3000 0000 895d a889 5dac U.S.E.0....]..].
00019330: c745 b002 0000 0089 5db4 897d b889 7dc0 .E......]..}..}.
00019340: 895d c489 5dc8 895d d089 55bc c745 cc00 .]..]..]..U..E..
-00019350: 0100 00e8 3439 1a00 3d09 010b 807f 6774 ....49..=.....gt
+00019350: 0100 00e8 3439 1a00 b800 0000 00eb 6774 ....49........gt
00019360: 5e3d 2620 0980 7450 3d04 000b 8074 423d ^=& ..tP=....tB=
00019370: 0001 0b80 755b ff15 0c05 1e10 3d00 010b ....u[......=...
00019380: 8074 1e3d 0300 0b80 7417 3d01 000b 8074 .t.=....t.=....t
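Review bot: this patch names model/8994/LGUP_8994.dll but gives no version or hash, unlike the LGUP.exe patch, which at least states 1.14.0.3. The row at 0x19350 makes the same six-byte substitution as the second LGUP.exe hunk, so say so and record the DLL build it was taken from. After this change the DLL no longer verifies the executable that loads it, which removes the other half of the mutual check described in the post; that consequence belongs in the description.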
This looks very promising
So I can modify it to do all this myself, or have you made a modded one we can download?
TheMadScientist420 said:
This looks very promising
So I can modify it to do all this myself, or have you made a modded one we can download?
You should do this yourself for now.
I don't think I should distribute modded versions of other people's copyrighted work.
Thanks for instructions one more time!
As an h850 user I had to patch LGUP.exe as per your instructions and /model/Common/LGUP_Common.dll (just searched for "3d 09 01 0b 80 7f" and replaced with "b8 00 00 00 00 eb").
:good:
RolF2 said:
Thanks for instructions one more time!
As an h850 user I had to patch LGUP.exe as per your instructions and /model/Common/LGUP_Common.dll (just searched for "3d 09 01 0b 80 7f" and replaced with "b8 00 00 00 00 eb").
:good:
That's great to hear!
Good idea to just search for those bytes and replace them.
If other people had success with this, I'm curious to hear about it.
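A read-only check for the situation in the posts above (telling whether a copy of LGUP.exe or a model DLL holds the original bytes or the replaced ones at the check site), given as an added example that is not part of the thread. The function names are this example's own, and the sample bytes are constructed from rows of the two hunks.

```python
import hashlib
import re

# Byte sequences quoted in the thread.
ORIGINAL = bytes.fromhex("3d09010b807f")  # cmp eax, 0x800B0109 ; jg rel8
PATCHED = bytes.fromhex("b800000000eb")   # mov eax, 0 ; jmp rel8
# Context visible after the site in both hunks: the rel8 displacement byte,
# then "74 xx 3d 26 20 09 80". Requiring it avoids false hits, since
# "b8 00 00 00 00 eb" on its own is an ordinary instruction pair.
TAIL = rb".\x74.\x3d\x26\x20\x09\x80"
SITE = re.compile(
    rb"(" + re.escape(ORIGINAL) + rb"|" + re.escape(PATCHED) + rb")" + TAIL,
    re.DOTALL,
)


def classify(data: bytes) -> dict:
    """Report where the check site is and which byte sequence it holds."""
    sites = [
        (m.start(), "patched" if m.group(1) == PATCHED else "original")
        for m in SITE.finditer(data)
    ]
    states = {state for _, state in sites}
    if not states:
        verdict = "no-site"   # different build, or not this file at all
    elif len(states) == 1:
        verdict = next(iter(states))
    else:
        verdict = "mixed"
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "sites": sites, "verdict": verdict}


def classify_file(path: str) -> dict:
    """Read-only: the file is opened in binary read mode and never written."""
    with open(path, "rb") as handle:
        return classify(handle.read())


# Constructed samples: two rows from each hunk above, joined.
EXE_ROWS = ("0100 00ff 1544 f443 00{} 69"
            "7460 3d26 2009 8074 523d 0400 0b80 7444")
DLL_ROWS = ("0100 00e8 3439 1a00 {} 6774"
            "5e3d 2620 0980 7450 3d04 000b 8074 423d")


def sample(rows: str, site: bytes) -> bytes:
    return bytes.fromhex(rows.format(site.hex()).replace(" ", ""))
```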
Good tool to back up partitions before bootloader unlock and after, to see what's changed
I don't know, I can't follow what's going on. I got to the point of searching for b8 00 00 00 00 eb but can't edit it
RolF2 said:
Thanks for instructions one more time!
As an h850 user I had to patch LGUP.exe as per your instructions and /model/Common/LGUP_Common.dll (just searched for "3d 09 01 0b 80 7f" and replaced with "b8 00 00 00 00 eb").
:good:
So I found this line of hex but can't edit it
You can't save changes in hex editor? Then run hex editor as administrator, or copy files for editing to another disk and try again.
Just curious... Does anybody know what the "boarddownload" option does? Does that back up the motherboard's firmware or BIOS or something? Sorry if the question sounds dumb. I'm not a developer or anything.
OK, looks like it's too quiet here. We can dump all partitions from the phone with the "dump" function; there's also the "partition dl" function, so it looks like we can flash only one partition to the phone... Problem is that the program crashes when I try to flash back a dumped partition... so how to convert a dumped partition image to a flashable img, as simply renaming to img doesn't work?
RolF2 said:
OK, looks like it's too quiet here. We can dump all partitions from the phone with the "dump" function; there's also the "partition dl" function, so it looks like we can flash only one partition to the phone... Problem is that the program crashes when I try to flash back a dumped partition... so how to convert a dumped partition image to a flashable img, as simply renaming to img doesn't work?
It isn't a problem with the image, it's a problem with the patch... we should really look into how to fix this
@smitel
Can you try the "partition dl" function in IDA?
Honestly Annoying said:
It isn't a problem with the image, it's a problem with the patch... we should really look into how to fix this
How do you know it's a problem with the patch?
RolF2 said:
@smitel
Can you try the "partition dl" function in IDA?
What do you mean?
Figure out what it does/wants?
Look at your crash?
FWIW, I get "Error: General exception error in _initializeProcess()" when I try 'PARTITION DL'.
I'm guessing the 'DUMP' function produces a raw dump of the block device, where 'PARTITION DL' requires a particular header (as in .TOT or .MBN) to define what gets flashed where.
FWIW, I find the following functions in my LGUP_8994.dll:
Code:
v5 = sub_1000B4F0(v4, (int)"REFURBISH", v3);
v8 = sub_1000B4F0(v7, (int)"UPGRADE", v6);
v11 = sub_1000B4F0(v10, (int)"CHIPERASE", v9);
v14 = sub_1000B4F0(v13, (int)"BOARDDOWNLOAD", v12);
if ( (v14 || v2 < 0xD || (LOBYTE(v14) = v2 != 13, v14)) && sub_1000C6A0(v1, "PROCESS_FAC_BOARDDOWNLOAD") )
if ( sub_1000C6A0(v1, "PROCESS_CS_WEBDOWNLOAD") )
if ( sub_1000C6A0(v1, "PROCESS_MBNBUILD") && sub_1000C6A0(v1, "TOT BUILD") )
if ( sub_1000C6A0(v1, "RECOVERY") )
if ( sub_1000C6A0(v1, "DOWNGRADE") )
if ( sub_1000C6A0(v1, "SCRIPT") && sub_1000C6A0(v1, "PROCESS_FAC_SCR") )
if ( sub_1000C6A0(v1, "PROCESS_FAC_UPGRADE") )
if ( sub_1000C6A0(v1, "PRL/ERI WRITE") && sub_1000C6A0(v1, "PRL UPDATE") )
if ( sub_1000C6A0(v1, "PRL/ERI READ") && sub_1000C6A0(v1, "PRL READ") )
if ( sub_1000C6A0(v1, "PHONESETTING") )
if ( sub_1000C6A0(v1, "PARTITION DL") )
if ( sub_1000C6A0(v1, "PB BACKUP") )
if ( sub_1000C6A0(v1, "PB RESTORE") )
if ( sub_1000C6A0(v1, "FOTA UPGRADE") )
if ( !sub_1000C6A0(v1, "DUMP") )
I tried to see if I can follow the 'path' to understand what code gets called, but it's not very clear to me.
Every 'if' just results in a
Code:
*(_DWORD *)(v16 + 88) = 48;
}
else
{
*(_DWORD *)(v16 + 88) = 47;
}
}
else
{
*(_DWORD *)(v16 + 88) = 46;
But I haven't been able to follow what happens with it.
Here's a list of what functions are which 'ID'.
Code:
DUMP = 48 / 30h;
FOTA UPGRADE = 47 / 2Fh
PB RESTORE = 46 / 2Eh
PB BACKUP = 45 / 2Dh
PARTITION DL = 44 / 2Ch
PHONESETTING = 8 / 8h
PRL/ERI READ / PRL READ = 43 / 2Bh
PRL/ERI WRITE / PRL WRITE = 42 / 2Ah
PROCESS_FAC_UPGRADE = 0 / 0h
SCRIPT / PROCESS_FAC_SCR = 2 / 2h
DOWNGRADE = 41 / 29h
RECOVERY = 6 / 6h
PROCESS_MBNBUILD / TOT BUILD = 40 / 28h
PROCESS_CS_WEBDOWNLOAD = special
v15 = *(_DWORD *)(v16 + 1364);
if ( v15 == 3 )
*(_DWORD *)(v16 + 88) = 17;
else
*(_DWORD *)(v16 + 88) = 2 * (v15 == 5) + 16;
PROCESS_FAC_BOARDDOWNLOAD / BOARDDOWNLOAD = 7 / 7h
CHIPERASE = 32 / 20h
UPGRADE = 15 / Fh
REFURBISH = 9 / 9h
I was hoping to find a switch/case somewhere that would consume all these possibilities, but only find a partial one.
In sub_10081930() I see:
Code:
switch ( v1 )
{
case 40:
result = sub_10081570(this);
break;
case 45:
result = sub_1007E440(this);
break;
case 46:
result = sub_100807A0();
break;
case 2:
result = (*(int (**)(void))(*(_DWORD *)this + 60))();
break;
default:
result = sub_10083A70(this);
break;
}
And in this sub_1007E440() I see references to 'PB Backup', so this is one switch/case.
FWIW, when I rename my modemst1_COM7 to modemst1_COM7.tot I get error: "Error: TOT file is invalid[1]".
This message gets outputted by sub_1004CD20().
This might help with finding how/where stuff gets processed.
smitel said:
FWIW, when I rename my modemst1_COM7 to modemst1_COM7.tot I get error: "Error: TOT file is invalid[1]".
This message gets outputted by sub_1004CD20().
This might help with finding how/where stuff gets processed.
The .tot is a whole list of files; I don't think renaming one partition to tot would work.
It sucks. I look at all you guys' partitions and it's a TWRP heaven for restore. I still can't get the patch to work.
I wonder if the old LG firmware extractor or diagtool could repack these into a .tot format, though. Between the two of them they made all my hard brick restore images and crap for G2, G3, G4.
I couldn't find an updated firehose bin for my G4 but still made a complete debrick image.
---------- Post added at 10:22 AM ---------- Previous post was at 10:17 AM ----------
smitel said:
How do you know it's a problem with the patch?
What do you mean?
Figure out what it does/wants?
Look at your crash?
FWIW, I get "Error: General exception error in _initializeProcess()" when I try 'PARTITION DL'.
I'm guessing the 'DUMP' function produces a raw dump of the block device, where 'PARTITION DL' requires a particular header (as in .TOT or .MBN) to define what gets flashed where.
Man, if I can get this patch to work for me. I'm not so good in this area of hex editing.
It's been a long time. lol, old NES ROMs. I think with all these dumps I could get them repacked into a tot format that lgflashtool could use. In my case, I don't have a ZVA firmware released and I think I could put one together here.
Maybe you could explain to me better how to patch this. I try searching and can't find it half the time; when I do, even as administrator I can't edit the hex code.