Related
This looks like one of the most easily moddable/hackable boxes I have ever seen. It is sold by a UK company Maplin and is called a "Maplin Game Capture HD" .
(Sorry in order to get through the new user limitation on posting links I have had to horribly mangle my links)
world wide web dot maplin dot co dot uk /p/maplin-game-capture-hd-a84qu
It is a (cheap) HDMI capture box up to 1080p that has three modes capture to SD card, stream to network and capture to PC via USB. For game play, but can capture any HDMI input (non-HDCP).
The reason it's potentially easily moddable is that a telnet to port 23 in network mode gives you a root shell on it straight away. With a fully writeable root file system.
So far I have used this to start an FTP daemon that lets me FTP files straight from the SD Card though the NIC is a bit slow. Stole the command from their /plbin/start_ftpd.sh file and run "tcpsvd -vE 0.0.0.0 21 ftpd -w /".
There is a also a web interface for debug, that can be started with cd /plbin; ./test_web.sh. I may have had to set the WEBPAGE_LANGUAGE to "en" in nvram, to allow it to start. "/bin/plnvram wr WEBPAGE_LANGUAGE en"
The admin password for the web interface is just blank.
Very interestingly, if you use their app to display the streamed content from this device it allows you to see HDCP content, just not record it. I have so far had no need to look into this.
Lots of other functionality looks just commented out in the configs.
The web interface tells me this device is actually a SIGMA-PL330B,
world wide web marketwired dot com /press-release/sigma-designs-introduces-new-hd-video-encoder-technology-1518168.htm
And may well be the same (or a repackaged) version of this box
world wide web dot maxmediatek dot com pd-page/MM_V.htm
HS602 as they seem to use the same app to display the stream.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Here it is!
Your LINK
Ebay LINK
.
Did you come across anything that allowed you to record using software other than VivaStation?
I didn't but I haven't looked to hard, as recording to SD card was all I needed.
Hi - I've been looking for a way to start the streaming on this box by command line when logged into the box via telnet, but no real luck.
joemensor said:
Hi - I've been looking for a way to start the streaming on this box by command line when logged into the box via telnet, but no real luck.
Click to expand...
Click to collapse
I bought this from Maplin, but had to return the first one for a refund as I could not get the software to install on W10 (even with .net 3.5 installed), just kept throwing an error in Chinese! After looking online for replacements that do the same thing, costing between £80-250 (even the used ones, granted they do proper 1080 over Ethernet), I decided in the end to buy the box again, but from ebay...
This time I did manage to get the ShareView software installed on another machine after I spent a day installing windows 7 on it (it's an old machine + 235 updates!)..
Anyway, the commands the shareview software sends (via telnet) to get it to stream over ethernet seem quite straightforward..
First it "uploads" a config file with the contents..
Code:
SystemControl-StreamType ts
SystemControl-StreamData video+audio
SystemControl-Profile extended
SystemControl-Level 4
SysFunction-Function encode
SysFunction-Video h264
SysFunction-Audio audio
PictureResolution-InPicWidth 1920
PictureResolution-InPicHeight 1080
OutPictureResolution-OutPicWidth 640
OutPictureResolution-OutPicHeight 480
SystemControl-XferMode frame
SystemControl-SpsrFreq 1
SystemControl-FFMode frame
SystemControl-VMode cavlc
RateControl-Vbr 0
RateControl-Mode viu
RateControl-AvgBitRate 3000
VbrBitRate-MinBitRate 4285
VbrBitRate-MaxBitRate 3600
GopLoopFilter-IntraPeriod 30
GopLoopFilter-BNum 0
GopLoopFilter-Idr close
InputControl-ScanFormat progressive
InputControl-SrcMode hdmi
InputControl-SyncMode 0
InputControl-DataType raw
InputControl-InFrameRate 60
InputControl-OutFrameRate 30
InputControl-Fmt progressive
InputControl-CkEdge positive
DeInterlace-mode none
FilterControl-StartPixel 0
FilterControl-StartLine 0
SysLink-VideoInput viu
SysLink-VideoOutput host
SysLink-AudioInput aiu
SysLink-AudioOutput host
AudioControlParam-AudioType aac
AudioControlParam-SampleRate 48k
AudioControlParam-ChNum 2
AudioControlParam-LrclkI high
AudioControlEx-AacVer mpeg2
AudioControlEx-HType adts
AudioControlEx-CutoffFreq 18000
AudioControlEx-TNS 1
AudioControlEx-IS 1
AudioControlEx-PNS 1
AudioControlEx-MS 1
to /plbin/hs_enc_ts.cfg
And then launches the following command, three times, not sure why but it does., because when I run it, it only needs to be ran once..
Code:
/plbin/plstrm enc config /plbin/hs_enc_ts.cfg oudp <IP ADDRESS> oport 8085 reduceprintf nouserinput
That's all I know for now, will update if I find anything new to report =D
Hi mpmc - I think it does more than just uploads that file and runs the plstrm executable. Somehow it also passes the stream settings too. I feel I am getting somewhere, but still not able to kick off the streaming via the command line.
joemensor said:
Hi mpmc - I think it does more than just uploads that file and runs the plstrm executable. Somehow it also passes the stream settings too. I feel I am getting somewhere, but still not able to kick off the streaming via the command line.
Click to expand...
Click to collapse
Sorry for such a late reply.
I'm guessing by stream settings you mean the settings that upload to places like youtube? If so, I'm not sure myself as I don't need it for that function, but I will have a go & see if I can figure it out, but hopefully somebody has already worked it out by now.
Sorry for necroposting, but this thread hid me right on the spot. I got this box (in the form of Startech's overpriced variant), mainly for its standalone streaming to RTMP, but also as it has SD recording and HDMI capture (which I needed exactly, and nothing else).
The 720P streaming is horrible - bad codec settings (bitrates and gop probably), which means that 720P looks like 320x240 upscaled. So I opened the box to find a board number, so maybe some hack would pop up.. But telnet? - This is golden
Before I start reverse engineering (I don't really have any experience with telnet or *nix based stuff), maybe someone here worked out the details and would like to share?
TLDR. How do I set up the streaming codec settings via telnet and make them stick?
adomas said:
Sorry for necroposting, but this thread hid me right on the spot. I got this box (in the form of Startech's overpriced variant), mainly for its standalone streaming to RTMP, but also as it has SD recording and HDMI capture (which I needed exactly, and nothing else).
The 720P streaming is horrible - bad codec settings (bitrates and gop probably), which means that 720P looks like 320x240 upscaled. So I opened the box to find a board number, so maybe some hack would pop up.. But telnet? - This is golden
Before I start reverse engineering (I don't really have any experience with telnet or *nix based stuff), maybe someone here worked out the details and would like to share?
TLDR. How do I set up the streaming codec settings via telnet and make them stick?
Click to expand...
Click to collapse
Glad I'm not the only one still playing with this box.
I did have a go at working out the protocol used between the box and the software, I got as far as understanding how they find each other. The software makes a UDP broadcast to 255.255.255.255 on port 8086 with the message "HS602". The box then sends a UDP message ("YES") back, direct to the caller on the same port. The box then opens tcp port 8087 to which the software connects & they converse..
Sample of their conversation goes like this..
Client to box..
Code:
00000000 38 01 af 00 8c e0 af 00 68 54 d1 6b ff ff ff 8....... hT.k...
0000000F 32 01 af 00 00 00 00 00 50 df af 00 8c e0 af 2....... P......
0000001E 01 00 03 00 4c d5 af 00 8c e0 af 00 68 54 d1 ....L... ....hT.
0000002D 32 01 db 02 7c df af 00 3e ee 73 6a 00 00 00 2...|... >.sj...
0000003C 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
0000004B 0f 01 00 00 f0 e6 af 00 bc e8 af 00 68 54 d1 ........ ....hT.
0000005A 04 01 00 00 0c e7 af 00 bc e8 af 00 68 54 d1 ........ ....hT.
00000069 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000078 0f 01 ec 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000087 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000096 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000000A5 0f 01 ee 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000000B4 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000000C3 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000000D2 0f 01 ef 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000000E1 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000000F0 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000000FF 0f 01 f0 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000010E 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000011D 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
0000012C 0f 01 f2 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000013B 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000014A 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000159 0f 01 f3 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000168 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000177 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000186 0f 01 f4 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000195 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000001A4 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000001B3 0f 01 f5 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000001C2 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000001D1 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000001E0 0f 01 f6 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000001EF 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000001FE 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
0000020D 0f 01 f7 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000021C 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000022B 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
0000023A 0f 01 f8 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000249 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000258 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000267 0f 01 f9 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000276 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000285 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000294 0f 01 fa 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000002A3 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000002B2 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000002C1 0f 01 fb 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000002D0 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000002DF 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000002EE 0f 01 fe 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000002FD 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000030C 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
0000031B 0f 01 ff 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000032A 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000339 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000348 0f 01 00 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000357 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000366 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000375 0f 01 01 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000384 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000393 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000003A2 0f 01 02 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000003B1 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000003C0 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000003CF 0f 01 03 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000003DE 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000003ED 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000003FC 0f 01 ec 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000040B 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000041A 32 01 d9 02 b8 f0 e6 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000429 0f 01 ed 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000438 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000447 32 01 d9 02 b8 f0 e6 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000456 0f 01 ee 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
box to client
Code:
00000000 38 01 af 00 8c e0 af 00 68 54 d1 6b ff ff ff 8....... hT.k...
0000000F 01 01 af 00 00 00 00 00 50 df af 00 8c e0 af ........ P......
0000001E 01 00 03 1b 4c d5 af 00 8c e0 af 00 68 54 d1 ....L... ....hT.
0000002D 01 01 db 02 7c df af 00 3e ee 73 6a 00 00 00 ....|... >.sj...
0000003C 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
0000004B 00 01 00 00 f0 e6 af 00 bc e8 af 00 68 54 d1 ........ ....hT.
0000005A 1b 01 00 00 0c e7 af 00 bc e8 af 00 68 54 d1 ........ ....hT.
00000069 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000078 00 01 ec 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000087 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000096 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000000A5 00 01 ee 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000000B4 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000000C3 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000000D2 00 01 ef 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000000E1 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000000F0 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000000FF 00 01 f0 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000010E 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000011D 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
0000012C 00 01 f2 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000013B 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000014A 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000159 00 01 f3 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000168 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000177 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000186 00 01 f4 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000195 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000001A4 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000001B3 00 01 f5 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000001C2 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000001D1 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000001E0 00 01 f6 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000001EF 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000001FE 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
0000020D 00 01 f7 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000021C 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000022B 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
0000023A 00 01 f8 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000249 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000258 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000267 00 01 f9 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000276 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000285 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000294 00 01 fa 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000002A3 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000002B2 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000002C1 00 01 fb 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000002D0 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000002DF 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000002EE 00 01 fe 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000002FD 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000030C 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
0000031B 00 01 ff 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000032A 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000339 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000348 00 01 00 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000357 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000366 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000375 00 01 01 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000384 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000393 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000003A2 00 01 02 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000003B1 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000003C0 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000003CF 00 01 03 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000003DE 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000003ED 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000003FC 00 01 ec 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000040B 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000041A 01 01 d9 02 b8 f0 e6 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000429 00 01 ed 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000438 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000447 01 01 d9 02 b8 f0 e6 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000456 00 01 ee 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
I have no clue as to what this is! Hopefully you'll have better luck trying to decode it!
What I found so far, is that when I set up FTP the way OP posted, I can access the whole file system. I have copied it all, and am trying to find where the stream settings are stored. The mentioned cfg file does not exist though. If that works, I'll just make some custom app, that will telnet to open ftp, and upload my settings every time. However I am currently trying to just work out the basics of telnet controlling a linux system. None of the tutorials online help at all, but I found, that I can execute commands that are compiled packages in the operating folder. So far that helped for nothing I found a qzip thing in it, so maybe I will image the filesystem a little more properly than over ftp.
How could I listen the telnet communication between ShareView and the HS602? Btw - both of your pasted pieces are the same - intentional or mistake?
It also seems, that there is a whole settings web interface in plbin\www\, but I don't yet understand how to set up the webserver.
After finally launching the webserver I found that the website is some sample design and while it saves it's settings, they have no relation to the operation of the device. Going back to searching where ShareView puts it's settings and how to change them.
adomas said:
What I found so far, is that when I set up FTP the way OP posted, I can access the whole file system. I have copied it all, and am trying to find where the stream settings are stored. The mentioned cfg file does not exist though. If that works, I'll just make some custom app, that will telnet to open ftp, and upload my settings every time. However I am currently trying to just work out the basics of telnet controlling a linux system. None of the tutorials online help at all, but I found, that I can execute commands that are compiled packages in the operating folder. So far that helped for nothing I found a qzip thing in it, so maybe I will image the filesystem a little more properly than over ftp.
How could I listen the telnet communication between ShareView and the HS602? Btw - both of your pasted pieces are the same - intentional or mistake?
It also seems, that there is a whole settings web interface in plbin\www\, but I don't yet understand how to set up the webserver.
Click to expand...
Click to collapse
The stream settings aren't stored anywhere as far as I can tell, it gets sent to the running plkw binary, which appears to be the "server" for the software. This is what handles the upload to the receiving rtmp server, receiving of the encoder config, etc.
I used Wireshark to intercept the chatter between the software & the box. Yes, I know they're the same, I'm assuming it's just an echo.
I'd actually bricked mine by disabling the auto.sh scripts & ended up with no network. Thankfully mine has serial/uart pins populated & I was able to reverse the changes! Took me a while to figure the pinout (no meter) and why some chars weren't registering (needs parity set to EVEN).
Code:
Pinout starting from back of the SD card slot (Look underneath for the square pin).
[ 1 ][ 2 ][ 3 ][ 4 ]
1 = VCC (5v) - If not powered by usb it'll crash if ethernet is connected shortly after boot.
2 = TX
3 = RX
4 = GND
Will update if I find anything else out.
mpmc said:
The stream settings aren't stored anywhere as far as I can tell
Click to expand...
Click to collapse
The thing is that it does work as the manual says - set it up, and then it can be used standalone, even after a reboot. Some kind of settings seem to be in the binaries plkw, plstrm and quite a few others, stored in plain text (echo texts maybe?)
mpmc said:
Thankfully mine has serial/uart pins populated & I was able to reverse the changes!
Click to expand...
Click to collapse
Good to know. I thought that looked like some JTAG.. Did you go via telnet there as well?
Could you elaborate on how did you find what file and what command it sends over telnet? (The ones mentioned in #6)
Could you elaborate on how did you find what file and what command it sends over telnet? (The ones mentioned in #6)
Click to expand...
Click to collapse
By killing the already running plkw process on the box & running it again, you get to see what it outputs when they talk. That output is from wireshark.
adomas said:
The thing is that it does work as the manual says - set it up, and then it can be used standalone, even after a reboot. Some kind of settings seem to be in the binaries plkw, plstrm and quite a few others, stored in plain text (echo texts maybe?)
Click to expand...
Click to collapse
Yes, it appears that I was wrong, it does in fact store them, it writes them to memory (I'm guessing to the nvram block (see cat /proc/mtd)). I only found this out after watching the plkw binary via serial & by chance running "plnvram list" which makes the running plkw (not plnvram) print out it's current config.
The values set are
Code:
rd = read
/bin # plnvram rd username
username = http://foo.com
/bin # plnvram rd password
password = ONETWO
Good to know. I thought that looked like some JTAG.. Did you go via telnet there as well?
Click to expand...
Click to collapse
I'm not sure what you mean via telnet. you connect the pins to your ttl/uart serial converter (I used this one) & which drops into sh on tty0.
mpmc said:
Yes, it appears that I was wrong, it does in fact store them, it writes them to memory (I'm guessing to the nvram block (see cat /proc/mtd)). I only found this out after watching the plkw binary via serial & by chance running "plnvram list" which makes the running plkw (not plnvram) print out it's current config.
The values set are
Code:
rd = read
/bin # plnvram rd username
username = http://foo.com
/bin # plnvram rd password
password = ONETWO
Click to expand...
Click to collapse
To be fair, I actually don't really understand what you did here exactly. I don't have an uart usb adapter handy to try. But it brought me some (a lot actually) random pieces of understanding
I am unable to make it list out plnvram contents, only rd exact variables. I found a lot of those in plnvram_default.dat, but those appear to be useless. They are the values stored by the web interface and have nothing to do with ShareView settings, or how the box encodes the stream when its button is pressed. What I really want to find, is what variable names are used for ShareView settings (other than password, username, which are the places I can put RTMP link into).
ShareView has two dropboxes "Outputsize" and "bitrate", which I assume generates a quite few lines to plnvram that include exact encoding settings. Could you by any chance find where those fall into?
adomas said:
To be fair, I actually don't really understand what you did here exactly. I don't have an uart usb adapter handy to try. But it brought me some (a lot actually) random pieces of understanding
I am unable to make it list out plnvram contents, only rd exact variables. I found a lot of those in plnvram_default.dat, but those appear to be useless. They are the values stored by the web interface and have nothing to do with ShareView settings, or how the box encodes the stream when its button is pressed. What I really want to find, is what variable names are used for ShareView settings (other than password, username, which are the places I can put RTMP link into).
ShareView has two dropboxes "Outputsize" and "bitrate", which I assume generates a quite few lines to plnvram that include exact encoding settings. Could you by any chance find where those fall into?
Click to expand...
Click to collapse
As I already said , the plkw binary handles communicating with the software & this is what sets everything up, streamurl, streamkey etc, it is also what does the streaming when triggered by the button or software, unfortunately I've yet to figure out how it actually triggers! When the software connects it sends the encode config (creates the hs_enc_ts.cfg file and client.cfg in /plbin). The plkw then launches the plstrm binary three times (no idea why as one is enough from what I've found).
The outputsize & bitrate are set in the hs_enc_ts.cfg.
Code:
RateControl-AvgBitRate 8000
VbrBitRate-MinBitRate 11428
VbrBitRate-MaxBitRate 10400
Boot from serial.
Code:
Boot loader started
QL330-B0 detected
Entered diagnostic mode
Branching to external diagnostic code
Loading boot loader .....................................done
[ 0.000000] Linux version 2.6.35.8-arm1ql300 ([email protected]) (gcc version 4.3.2 (Sourcery G++ Lite 2008q3-72) ) #994 PREEMPT Tue Jul 29 10:58:16 CST 2014 v1.21
[ 0.000000] CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00053177
[ 0.000000] CPU: VIVT data cache, VIVT instruction cache
[ 0.000000] Machine: 0xc097f798,QL300-EVB Qpixel Artesa Evaluation Board
[ 0.000000]
[ 0.000000] ******************************************************
[ 0.000000] * pl330_ofc_en : 0
[ 0.000000] * pl330_cmos_reset_en : 0
[ 0.000000] * pl330_devid : 0x03300001
[ 0.000000] * pl330_sdio0_en : 1
[ 0.000000] * pl330_sdio1_en : 0
[ 0.000000] * pl330_gpiogrp1_en : 0
[ 0.000000] * pl330_gpiogrp2_en : 0
[ 0.000000] * pl330_swi2c_en : 1
[ 0.000000] * pl330_local_bus_mutex_type : 1
[ 0.000000] * pl330_eth_en : 1
[ 0.000000] * pl330_frondend_type : 14
[ 0.000000] * pl330_userdata0 : 0
[ 0.000000] * pl330_userdata1 : 1
[ 0.000000] * pl330_userdata2 : 2
[ 0.000000] * pl330_userdata3 : 3
[ 0.000000] * pl330_userdata4 : 4
[ 0.000000] * pl330_userdata5 : 5
[ 0.000000] * pl330_userdata6 : 6
[ 0.000000] * pl330_userdata7 : 7
[ 0.000000] * pl330_userstring0 : SIGMA-PL330B
[ 0.000000] * pl330_userstring1 : C4:01:42:00:86:1F
[ 0.000000] * pl330_userstring2 : userstring2
[ 0.000000] * pl330_userstring3 : userstring3
[ 0.000000] * pl330_userstring4 : userstring4
[ 0.000000] * pl330_userstring5 : userstring5
[ 0.000000] * pl330_userstring6 : userstring6
[ 0.000000] * pl330_userstring7 : userstring7
[ 0.000000] * pl330_mtd_partition : mtdparts=QL300_flash:640K(qcamboot),128K(nvram),5504K(linuxImage),1920K(custblk)
[ 0.000000] * pl330_GPIO_strap : 0x0000ffcf
[ 0.000000] ******************************************************
[ 0.000000]
[ 0.000000] vmalloc area is too big, limiting to 4MB
[ 0.000000] Memory policy: ECC disabled, Data cache writeback
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 7366
[ 0.000000] Kernel command line: console=ttyS0 vmalloc=7M [email protected] root=/nodev/rootfs mtdparts=QL300_flash:640K(qcamboot),128K(nvram),7040K(linuxImage),8576K(custblk) mtdparts=QL300_flash:640K(qcamboot),128K(nvram),5504K(linuxImage),1920K(custblk)
[ 0.000000] PID hash table entries: 128 (order: -3, 512 bytes)
[ 0.000000] Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
[ 0.000000] Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
[ 0.000000] Memory: 29MB = 29MB total
[ 0.000000] Memory: 19104k/19104k available, 10592k reserved, 0K highmem
[ 0.000000] Virtual kernel memory layout:
[ 0.000000] vector : 0xffff0000 - 0xffff1000 ( 4 kB)
[ 0.000000] fixmap : 0xfff00000 - 0xfffe0000 ( 896 kB)
[ 0.000000] DMA : 0xffc00000 - 0xffe00000 ( 2 MB)
[ 0.000000] vmalloc : 0xc1e00000 - 0xc2400000 ( 6 MB)
[ 0.000000] lowmem : 0xc0000000 - 0xc1d00000 ( 29 MB)
[ 0.000000] modules : 0xbf000000 - 0xc0000000 ( 16 MB)
[ 0.000000] .init : 0xc0008000 - 0xc06fa000 (7112 kB)
[ 0.000000] .text : 0xc06fa000 - 0xc09bb000 (2820 kB)
[ 0.000000] .data : 0xc09d2000 - 0xc09e32a0 ( 69 kB)
[ 0.000000] Hierarchical RCU implementation.
[ 0.000000] RCU-based detection of stalled CPUs is disabled.
[ 0.000000] Verbose stalled-CPUs detection is disabled.
[ 0.000000] NR_IRQS:32
[ 0.000000] console [ttyS0] enabled
[ 0.030000] Calibrating delay loop... 129.84 BogoMIPS (lpj=649216)
[ 0.240000] pid_max: default: 4096 minimum: 301
[ 0.240000] Mount-cache hash table entries: 512
[ 0.250000] CPU: Testing write buffer coherency: ok
[ 0.260000] NET: Registered protocol family 16
[ 0.270000] ql300_init: res=0xc1832740
[ 0.280000]
[ 0.280000] ******************************************************
[ 0.290000] * plgpio_group0_cfg (input/output) : 0x00003000
[ 0.300000] * plgpio_group1_cfg (input only) : 0x0000000f
[ 0.300000] * plgpio_group2_cfg (output only) : 0x0000000e
[ 0.310000] * plgpio_group3_cfg (boot strap input only) : 0x000000c0
[ 0.320000] ******************************************************
[ 0.320000]
[ 0.360000] bio: create slab <bio-0> at 0
[ 0.370000] cfg80211: Calling CRDA to update world regulatory domain
[ 0.390000] NET: Registered protocol family 2
[ 0.390000] IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.400000] TCP established hash table entries: 1024 (order: 1, 8192 bytes)
[ 0.410000] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.420000] TCP: Hash tables configured (established 1024 bind 1024)
[ 0.430000] TCP reno registered
[ 0.430000] NET: Registered protocol family 1
[ 0.440000] RPC: Registered udp transport module.
[ 0.450000] RPC: Registered tcp transport module.
[ 0.450000] RPC: Registered tcp NFSv4.1 backchannel transport module.
[ 0.710000] Loading and setting up QPSOS ...
MAIN FIRMWARE
QPSOS shell
Type 'help' for help
[ 0.730000] Loading and setting up PL330 GPIO ...
[ 0.740000] Loading and setting up PL330 NVRAM ...
[ 0.750000] NTFS driver 2.1.29 [Flags: R/W].
[ 0.760000] JFFS2 version 2.2. (NAND) (SUMMARY) © 2001-2006 Red Hat, Inc.
[ 0.770000] msgmni has been set to 37
[ 0.770000] io scheduler noop registered
[ 0.780000] io scheduler deadline registered
[ 0.780000] io scheduler cfq registered (default)
[ 0.810000] ttyS0 at I/O 0xf0000100 (irq = 17) is a builtin QL300 UART
[ 0.820000] nbd: registered device at major 43
[ 0.870000] init_ql_flash_mtd(),CFI=0,part_nums=3
[ 0.880000] m25p80 spi0.0: w25Q64 (8192 Kbytes)
[ 0.880000] 4 cmdlinepart partitions found on MTD device QL300_flash
[ 0.890000] Creating 4 MTD partitions on "QL300_flash":
[ 0.900000] 0x000000000000-0x0000000a0000 : "qcamboot"
[ 0.910000] 0x0000000a0000-0x0000000c0000 : "nvram"
[ 0.920000] 0x0000000c0000-0x000000620000 : "linuxImage"
[ 0.930000] 0x000000620000-0x000000800000 : "custblk"
0h00m00s007: (T)CODEC_Start HCI Thread
0h00m00s007: (T)CODEC_SYS config:10 SW1 isr
0h00m00s007: (T)CODEC_SYS config:1 dynamic mem alloc
0h00m00s007: (T)CODEC_Start M2M Thread
0h00m00s007: (T)CODEC_Start DTM Thread
0h00m00s007: (T)CODEC_Start VDCM Thread
[ 0.950000] Linux video capture interface: v2.00
[ 0.950000] sdhci: Secure Digital Host Controller Interface driver
[ 0.960000] sdhci: Copyright(c) Pierre Ossman
[ 0.970000] TCP cubic registered
[ 0.970000] NET: Registered protocol family 17
[ 0.980000] lib80211: common routines for IEEE802.11 drivers
[ 0.990000] Freeing init memory: 7112K
mounting proc
mounting sys
mounting pts
starting system loggers
vm.min_free_kbytes = 1024
starting status daemon
setup telnetd
plgpiod: 0x03300001
bring up lo interface
bring up sdio module
[ 1.720000] sdio_init: res=0xc0cc7920
[ 1.800000] sdio_init: SDIO-0 enabled
[ 1.810000] mem_log_init: exit
[ 1.870000] plnvram_data_load_mtd: magic(0x82312033)
[ 1.880000] plnvram_data_load_mtd: version_major(1)
[ 1.880000] plnvram_data_load_mtd: version_minor(0)
[ 1.890000] plnvram_data_load_mtd: checksum(0x00000000)
[ 1.890000] plnvram_data_load_mtd: nums(237)
success
mount: mounting /dev/mtdblock3 on /mnt/custblk failed: Invalid argument
[ 3.250000] JFFS2 notice: (201) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
bring up codec driver module
[ 3.480000] CDevice_Constructor()-> config to use Dynamic Memory Allocation for FW
[ 3.540000] CQLCodec_InitDevice() config to use internal Video FW
[ 3.550000] CQLCodec_InitDevice() config to use internal Audio FW
[ 4.610000] CComponent_Open AllocTask(0) hTask(0)
[ 4.610000] CComponent_Close ReleaseTask(0) hTask(0)
lookup_video_device_node()-> bus(4) inst(0) hTask(0) type(0)
lookup_video_device_node()-> Got 0:0
[ 4.640000] CComponent_Open AllocTask(0) hTask(0)
SetVideoFrontend()-> val=0
SetVideoFrontend()-> return 0
Working Mode:0,argc:2
Checking:0
[ 4.650000] CComponent_Close ReleaseTask(0) hTask(0)
do_whether_need_eth_driver: 1
bring up ethernet module (Wired)
[ 4.780000] AX88796C: Power saving disabled
[ 5.010000] ASIX AX88796C Fast Ethernet Adapter:v1.4.0-SDL0.93 16:31:34 Jul 19 2013
[ 5.010000] <6> http://www.asix.com.tw
[ 5.020000] Use random MAC address
[ 5.020000] AX88796C: MAC Address 76-f3-6c-e2-c3-c7
[ 5.040000] eth0: at 0x0 IRQ 4
[ 5.090000] ax88796c_init(): P1_OFFSET0x14=0x0000000f
[ 5.090000] ax88796c_init(): P1_OFFSET0x14=0x0000000e
ifconfig: ath0: error fetching interface information: Device not found
plnetworkchkd: ath0 is not existed or enabled, no need to enable connection backup. exit!
[ 6.870000] eth0: link up, 100Mbps, full-duplex
do_net_init: trying to init eth interface
do_eth_init: trying to load mac address from pl330_userstring1
do_eth_init: trying to use dynamic ip
udhcpc (v1.19.4) started
Setting IP address 0.0.0.0 on eth0
Sending discover...
Sending select for 192.168.1.110...
Lease of 192.168.1.110 obtained, lease time 86400
Setting IP address 192.168.1.110 on eth0
Deleting routers
route: SIOCDELRT: No such process
Adding router 192.168.1.1
Recreating /etc/resolv.conf
Adding DNS server 192.168.1.1
Adding DNS server 0.0.0.0
[ 8.080000] CComponent_Open AllocTask(0) hTask(0)
[ 8.090000] CComponent_Close ReleaseTask(0) hTask(0)
lookup_video_device_node()-> bus(4) inst(0) hTask(0) type(0)
lookup_video_device_node()-> Got 0:0
[ 8.110000] CComponent_Open AllocTask(0) hTask(0)
SetVideoFrontend()-> val=0
SetVideoFrontend()-> return 0
Working Mode:0,argc:1
name flag IP broadcastaddr
eth0 4163 192.168.1.110 192.168.1.255
Src:3,Res:12
recv:48,53,36,30,32
recv:43,6e,1,a8,c0
The client is: 192.168.1.40,2801a8c0
socket:8
Capture
[ 19.970000] CComponent_Open AllocTask(0) hTask(1)
[ 19.980000] CComponent_Close ReleaseTask(0) hTask(1)
lookup_video_device_node()-> bus(4) inst(0) hTask(1) type(0)
lookup_video_device_node()-> Got 0:0
[ 20.000000] CComponent_Open AllocTask(0) hTask(1)
****** Executing script file /plbin/hs_enc_ts.cfg
SystemControl-StreamType = ts
SystemControl-StreamData = video+audio
SystemControl-Profile = extended
SystemControl-Level = 4
SysFunction-Function = encode
SysFunction-Video = h264
SysFunction-Audio = audio
PictureResolution-InPicWidth = 1920
PictureResolution-InPicHeight = 1080
OutPictureResolution-OutPicWidth = 1920
OutPictureResolution-OutPicHeight = 1080
SystemControl-XferMode = frame
SystemControl-SpsrFreq = 1
SystemControl-FFMode = frame
SystemControl-VMode = cavlc
RateControl-Vbr = 0
RateControl-Mode = viu
RateControl-AvgBitRate = 15000
VbrBitRate-MinBitRate = 18000
VbrBitRate-MaxBitRate = 13000
GopLoopFilter-IntraPeriod = 30
GopLoopFilter-BNum = 0
GopLoopFilter-Idr = close
InputControl-ScanFormat = progressive
InputControl-SrcMode = hdmi
InputControl-SyncMode = 0
InputControl-DataType = raw
InputControl-InFrameRate = 60
InputControl-OutFrameRate = 30
InputControl-Fmt = progressive
InputControl-CkEdge = positive
DeInterlace-mode = none
FilterControl-StartPixel = 0
FilterControl-StartLine = 0
SysLink-VideoInput = viu
SysLink-VideoOutput = host
SysLink-AudioInput = aiu
SysLink-AudioOutput = host
AudioControlParam-AudioType = aac
AudioControlParam-SampleRate = 48k
AudioControlParam-ChNum = 2
AudioControlParam-LrclkI = high
AudioControlEx-AacVer = mpeg2
AudioControlEx-HType = adts
AudioControlEx-CutoffFreq = 18000
AudioControlEx-TNS = 1
AudioControlEx-IS = 1
AudioControlEx-PNS = 1
AudioControlEx-MS = 1
ioctl(PLDEV_STRM_IOCTL_PORT_OPEN) component(0) type(0) succeed
0h00m19s609: (T)CODEC_Start MUX Thread (channel 1)
0h00m19s609: (T)CODEC_Start VEN Thread (channel 1)
0h00m19s609: (T)AIO Record enter
acquire(0) hDev(11)
start(0) hDev(11)
0h00m19s722: (T)CODEC_Start VIU Thread (input channel 1)
0h00m19s722: (E)VIU OSD FontsStartAddr 34401500 !
0h00m19s722: (E)VIU OSD TextListStartAddr 34400100 !
0h00m19s722: (E)VIU OSD TimeInfoAddr 34401300 !
0h00m19s724: (E)CODEC_get misc_rate_control interval(80) activity_on/off(0)
0h00m19s724: (E)HCI: chInfo (0x10) phy_in(60) rec_in(30) outrate(30)
0h00m19s728: (E)VIU: (ch 1) (in 1920x1080) (out 1920x1080) (rate =30,30),(buf_num 3)
test_streamout() [
9024 t=20
VI-OSD 0
VI-OSD font_addr(0xd1005400) txtAddr(0xd1000400) timeAddr(0xd1004c00)
0h00m19s803: (E)VIU osd addr 0x34400100 0x34401500 0x34401300)
376 t=22
376 t=24
I've attached a screenshot of how I got the plnvram config to output (COM8 = serial connection).
---
I've also managed to build a test "hello world" binary & have it run on the box, so I might be able to build a better rtmp server. I may have to rely on the plstrm to get the output though :/
Some good news.. I think. I managed to "decompile" the android "Shareview" app source code using javadecompilers.com With any luck I should be able to figure it out!
If you're any good with java (I'm not) download the shareview apk from here: https://apkpure.com/shareview/com.asdfghjkl20203.hs602player/download?from=details.
And upload it to http://www.javadecompilers.com/.
mpmc said:
If you're any good with java
Click to expand...
Click to collapse
I'm also not, but I have a friend who does have some experience. Thanks for the idea.
The variable name thing threw me off, since it makes no sense to me, that it stores "password" and "username" straight to nvram, and the rest go through hs_enc_ts.cfg. I tried to manually change hs_enc_ts.cfg parameters, but they had no effect to the output stream, which is why I assumed, that it sends some other settings.
Could you save the whole putty printout somewhere? It does contain different parameters and variables than those in hs_enc_ts.cfg and plnvram_defaults.dat
EDIT:
Solved by flashing .tot from a Windows that is NOT a Virtual Machine.
---------------------------------------------------------------------------------------------
I need some help. I bricked my phone but this time I am unable to unbrick it.
I recently got a new F320L. I flashed it with CloudyG2 3.3 and it was working fine for a day, but I decided I don’t like lollipop so I wanted to downgrade to CloudyG2 2.2 KitKat.
Here’s what I did:
1.Installed and run AutoRec f320L apk. I figured that since this is KitKat recovery installer, it will downgrade the bootstack. By omission, I did not flash KitKat baseband linked the Cloudy 2.2 installation guide (which might be the cause of all this).
2.Rebooted into TWRP recovery, wiped System, Cache, Dalvik, Data.
3.Installed Cloudy 2.2
4.Rebooted.
Now, the phone gets stuck on the LG logo and does not go past it even when I leave it for an hour.
What I tried to do:
1.Return to stock with KDZ method (tried both KitKat and L KDZ files).
Result: Error at the beginning of flashing telling me to unplug the phone and plug it back again.
2.Return to stock with .TOT method.
Result: Error at the beginning of flashing.
Code:
[10:52: 1] CrossDL [] to [F320L]. SWversion[][10:52: 1] ¡Ú¡Ú ERROR REASON : LAF_ERROR_INVALID_INPUT_FILE
[10:52: 1] CComPort::ClosePort, Closed Port Successfully for COM 41
[10:52: 1] CBasicComControl::Close, the port(COM41) is closed successfully
[10:52: 1] [10:52: 1] CrossDL [] to [F320L]. SWversion[]
[10:52: 1] DoDownload() Exception
For some reason my phone lost its model name...?
2b. Hex-editing .tot file to replace “F320L” with zeros to get around the above error (but I don’t know if it would help at all with flashing higher stock roms because it would probably not restore the model name if I blanked it, would it?).
Result: at 6% process stops and I get this error:
Code:
[10:56:21] InitDiag is success.
[10:56:21] InitializeProcess() is success.
[10:56:21] CComPort::ClosePort, Closed Port Successfully for COM 41
[10:56:21] CBasicComControl::Close, the port(COM41) is closed successfully
[10:56:21] Start Download
[10:56:21] Port is already closed
[10:56:21] Port Open 41
[10:56:21] [T000032] 48 45 4C 4F 01 00 00 01 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 4C 3F 00 00 B7 BA B3 B0 HELO....................L?......
[10:56:22] RX Timeout : 1000 seconds
[10:56:22] LAF_Packet Error, Error reason is 0
[10:56:22] We can't communicate with Phone[HELO_Packet]
[10:56:22] Port Close
[10:56:22] Port Open 41
[10:56:22] Retry download 1 time(s)
[10:56:22] [T000032] 48 45 4C 4F 01 00 00 01 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 4C 3F 00 00 B7 BA B3 B0 HELO....................L?......
[10:56:23] RX Timeout : 1000 seconds
[10:56:23] LAF_Packet Error, Error reason is 0
[10:56:23] We can't communicate with Phone[HELO_Packet]
[10:56:23] Port Close
[10:56:23] Port Open 41
[10:56:23] Retry download 2 time(s)
[10:56:23] [T000032] 48 45 4C 4F 01 00 00 01 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 4C 3F 00 00 B7 BA B3 B0 HELO....................L?......
[10:56:24] RX Timeout : 1000 seconds
[10:56:24] LAF_Packet Error, Error reason is 0
[10:56:24] We can't communicate with Phone[HELO_Packet]
[10:56:27] [T000038] 45 58 45 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00 F0 35 00 00 BA A7 BA BC EXEC.....................5......
64 6D 65 73 67 00 dmesg.
[10:56:57] RX Timeout : 30000 seconds
[10:56:57] LAF_Packet Error, Error reason is 0
[10:56:57] We can't communicate with Phone[EXEC_Packet]
[10:56:57] Port Close
[10:56:57] RefurbishProcess() Error.
[10:56:57] ¡Ú¡Ú ERROR REASON : LAF_ERROR_PACKET_TIMEOUT
[10:56:57] CBasicComControl::IsConnected, the port(COM41) connection is not detected
[10:56:57] RunProcess() is fail.
[10:56:57] CBasicComControl::IsConnected, the port(COM41) connection is not detected
[10:56:57] [10:56:57] We can't communicate with Phone[EXEC_Packet]
[10:56:57] DoDownload() Exception
Special notes:
My phone does not enter into Recovery mode when pressing Power+Vol Down, releasing on LG logo and pressing them again. It Never DID! I tried many times, when the phone was working fine on KitKat, JB and L stock roms, or on CloudyG2 3.3. And it doesn't work now.
This button combination never did anything. The phone powers on, the LG logo shows up, I release the buttons and press them again, the LG logo keeps showing up for some more seconds and the phone shutdown due to prolonged pressing of Power button.
So as far as I can tell, Download mode is all I have at the moment.
Is there anything left to try?
I'll take my lumps in advance, but I will say I've read a hell of a lot of threads on this and it's got me stumped.
In my modern existence I've been through quite a few phones (maybe 30-40 models), and I've gone pretty deep with the meddling with the help of kid people here of course and - have never once - truly bricked a phone so that I had to take it in a store or return it.
But I've got a Moto X Force, Unlocked version, and it's bricked. No screen, no lights, no sounds, not a single thing for 24 hours now no matter what i do to it.
I did have some hope earlier as I was able to consistently get the Qualcomm 9008 or whatever proper QC drivers shoud load, to load perfectly, for an RSD Lite flash. I noticed that strangely if my laptop had AC power to it, it would come up in dev mgt as a damaged device that couldnt start. Without AC power to my laptop, it came up just fine as the Qualcomm.
But no matter what I try, RSD Lite will not see the phone and populate any lines with details. Now, I have a couple packages from here that contain full roms and use the RSD file format and look to be very promising, but there's always something in my way. So, I humbly ask for assistance here.
All I need to do is get to a place where I can use fastboot or mfastboot one time and I'm good to go. Can anyone help me get there or give some advice in general? This was my daily driver btw...and probably shaping up to be one of my best phones of all time..
Cheers : )
unseen-forces said:
But I've got a Moto X Force, Unlocked version, and it's bricked. No screen, no lights, no sounds, not a single thing for 24 hours now no matter what i do to it.
I did have some hope earlier as I was able to consistently get the Qualcomm 9008 or whatever proper QC drivers should load, to load perfectly, for an RSD Lite flash. I noticed that strangely if my laptop had AC power to it, it would come up in dev mgt as a damaged device that couldn't start. Without AC power to my laptop, it came up just fine as the Qualcomm.
But no matter what I try, RSD Lite will not see the phone and populate any lines with details. Now, I have a couple packages from here that contain full roms and use the RSD file format and look to be very promising, but there's always something in my way. So, I humbly ask for assistance here.
Cheers : )
Click to expand...
Click to collapse
First and foremost, sorry that this won't be an answer.
I'm new to this forum, as I'm seriously considering a moto x force.
How old was it? Any prior damage that could have led to this?
Could you provide a few more details on what exactly you were up to before it bricked?
More information can only help at this point.
The connection of charging laptop vs disconnected laptop could definitely be part of the situation. Perhaps your usb port caused the brick? Seems like an unusual symptom when usb out should be 5v regardless of whether or not the laptop has power, so why would it show up differently in device manager.......
Cheers.
I found a website with the blankflash for unbrick the device.. Idk if works:
http://www.aryk.tech/2017/09/moto-x-force-unbrick-solutions.html
Unfortunately they're requesting $10,99 to release the blankflash.
Rawdog.dll said:
I found a website with the blankflash for unbrick the device.. Idk if works:
http://www.aryk.tech/2017/09/moto-x-force-unbrick-solutions.html
Unfortunately they're requesting $10,99 to release the blankflash.
Click to expand...
Click to collapse
I'll be testing out this method either later today or tomorrow. as soon as they get back to me with the files.
hopefully its a working solution =D
roweboat56 said:
I'll be testing out this method either later today or tomorrow. as soon as they get back to me with the files.
hopefully its a working solution =D
Click to expand...
Click to collapse
I paid about 44h ago to https://arky.tech, but they still don't send me a link to download, neither a e-mail.
Also they moderate the comments in their page, then I can't argue with they.
I am thinking to start to request a refund on paypal.
UPDATE: I finally got access to MEGA to the files. I run the qflash but it doesn't work. I am in touch with the ArykTech over MEGA to help me out.
gbschenkel said:
I paid about 44h ago to https://arky.tech, but they still don't send me a link to download, neither a e-mail.
Also they moderate the comments in their page, then I can't argue with they.
I am thinking to start to request a refund on paypal.
Click to expand...
Click to collapse
Yes I'm sill waiting as well. Someone from Arkytech did respond to my email saying i should see the link in my email, but response time seems very slow.
UPDATE: literally 2 seconds after writing this... I get the email to the files... LOL crazy.
UPDATE 2: need to wait for cryptography key from end user to access files....
Will keep you updated on progress
gbschenkel said:
UPDATE: I finally got access to MEGA to the files. I run the qflash but it doesn't work. I am in touch with the ArykTech over MEGA to help me out.
Click to expand...
Click to collapse
I am having the same problem.
opening device: \\.\COM9
OKAY [ 0.002s]
greeting device for command mode
OKAY [ 0.001s]
identifying device
...serial = 0x1B727FB
...chip-id = 0x940
...chip-rev = 0x0
...sv-sbl = 0x0
OKAY [ 0.006s]
finding files
...programmer = programmer.mbn
...singleimage = singleimage.bin
OKAY [ 0.003s]
validating files
OKAY [ 0.001s]
switching to download mode
OKAY [ 0.001s]
greeting device for image downloading
OKAY [ 0.002s]
sending programmer
OKAY [ 0.015s]
flashing singleimage
FAILED (blank-flash:sdl-transfer-image:sdl-hello:error sending packet)
---------- Post added at 08:19 PM ---------- Previous post was at 07:55 PM ----------
the author of Arky.tech says in the tutorial there is a second method. But those files aren't supplied.
We'll hopefully we can find a solution soon. Otherwise I'll have to send it in for repair.
I got stucked early...
Code:
**** Log buffer [000001] 2017-09-22_20:38:51 ****
[ 0.000] Opening device: \\.\COM3
[ 0.002] Detecting device
[ 4.007] ERROR: sahara_greet_device()->change_mode()->do_hello()->IO error
[ 4.007] Check qboot_log.txt for more details
[ 4.007] Total time: 4.008s
[ 4.007]
[ 4.007] qboot version 3.40
[ 4.007]
[ 4.007] DEVICE {
[ 4.007] name = "\\.\COM3",
[ 4.007] flags = "0x64",
[ 4.007] addr = "0x61FE5C",
[ 4.007] api.bnr = "0x11E2EF8",
[ 4.007] }
[ 4.007]
[ 4.007]
[ 4.007] Backup & Restore {
[ 4.007] num_entries = 0,
[ 4.008] restoring = "false",
[ 4.008] backup_error = "not started",
[ 4.008] restore_error = "not started",
[ 4.008] }
[ 4.008]
I am using Win10, and you?
gbschenkel said:
I got stucked early...
Code:
**** Log buffer [000001] 2017-09-22_20:38:51 ****
[ 0.000] Opening device: \\.\COM3
[ 0.002] Detecting device
[ 4.007] ERROR: sahara_greet_device()->change_mode()->do_hello()->IO error
[ 4.007] Check qboot_log.txt for more details
[ 4.007] Total time: 4.008s
[ 4.007]
[ 4.007] qboot version 3.40
[ 4.007]
[ 4.007] DEVICE {
[ 4.007] name = "\\.\COM3",
[ 4.007] flags = "0x64",
[ 4.007] addr = "0x61FE5C",
[ 4.007] api.bnr = "0x11E2EF8",
[ 4.007] }
[ 4.007]
[ 4.007]
[ 4.007] Backup & Restore {
[ 4.007] num_entries = 0,
[ 4.008] restoring = "false",
[ 4.008] backup_error = "not started",
[ 4.008] restore_error = "not started",
[ 4.008] }
[ 4.008]
I am using Win10, and you?
Click to expand...
Click to collapse
Windows 10 as well.
When i tried files from the "Moto X Force Blankflash.rar" I get same error as you.
When i used files from folder "Moto X Force Modded Blankflash.tar.gz", I get error shown in my previous post.
I'm not exactly sure how the "blankflash" files work, but it seems it is detecting the wrong bootloader version.
roweboat56 said:
Windows 10 as well.
When i tried files from the "Moto X Force Blankflash.rar" I get same error as you.
When i used files from folder "Moto X Force Modded Blankflash.tar.gz", I get error shown in my previous post.
I'm not exactly sure how the "blankflash" files work, but it seems it is detecting the wrong bootloader version.
Click to expand...
Click to collapse
The modded show this:
Code:
.\qboot.exe blank-flash
opening device: \\.\COM3
OKAY [ 0.002s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.003s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.003s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.003s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.003s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.003s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.004s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.004s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.003s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.003s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.003s]
greeting device for command mode
FAILED (blank-flash:greet-device:error reading packet)
gbschenkel said:
The modded show this:
Code:
.\qboot.exe blank-flash
opening device: \\.\COM3
OKAY [ 0.002s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.003s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.003s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.003s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.003s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.003s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.004s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.004s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.003s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.003s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.003s]
greeting device for command mode
FAILED (blank-flash:greet-device:error reading packet)
Click to expand...
Click to collapse
Unplug device then Hold POWER + VOL UP + VOL DOWN for a few seconds, then plug it back in.
It only seems to recognize it properly once, then has to be reset with the above actions every time the blank flash is run.
Can you share BlankFlash Files ?
roweboat56 said:
Unplug device then Hold POWER + VOL UP + VOL DOWN for a few seconds, then plug it back in.
It only seems to recognize it properly once, then has to be reset with the above actions every time the blank flash is run.
Click to expand...
Click to collapse
Oh, I didn't know that. I ran both again, doing the procedure you told before each run.
Code:
**** Log buffer [000001] 2017-09-23_09:14:32 ****
[ -0.000] Opening device: \\.\COM3
[ 0.001] Detecting device
[ 0.003] ...cpu.id = 2368 (0x940)
[ 0.004] ...cpu.sn = 19473500 (0x129245c)
[ 0.004] Opening singleimage
[ 0.004] ERROR: error opening singleimage
[ 0.004] Check qboot_log.txt for more details
[ 0.005] Total time: 0.007s
[ 0.005]
[ 0.005] qboot version 3.40
[ 0.005]
[ 0.005] DEVICE {
[ 0.005] name = "\\.\COM3",
[ 0.005] flags = "0x64",
[ 0.005] addr = "0x61FE5C",
[ 0.005] sahara.current_mode = "3",
[ 0.005] api.buffer = "0x2B05020",
[ 0.005] cpu.serial = "19473500",
[ 0.005] cpu.id = "2368",
[ 0.005] cpu.sv_sbl = "0",
[ 0.005] api.bnr = "0x8D2FE8",
[ 0.005] }
[ 0.005]
[ 0.005]
[ 0.005] Backup & Restore {
[ 0.005] num_entries = 0,
[ 0.005] restoring = "false",
[ 0.005] backup_error = "not started",
[ 0.005] restore_error = "not started",
[ 0.005] }
[ 0.005]
Code:
Moto X Force Modded Blankflash>.\qboot.exe blank-flash
opening device: \\.\COM3
OKAY [ 0.002s]
greeting device for command mode
OKAY [ 0.002s]
identifying device
...serial = 0x129245C
...chip-id = 0x940
...chip-rev = 0x0
...sv-sbl = 0x0
OKAY [ 0.006s]
finding files
...programmer = programmer.mbn
...singleimage = singleimage.bin
OKAY [ 0.005s]
validating files
OKAY [ 0.001s]
switching to download mode
OKAY [ 0.002s]
greeting device for image downloading
OKAY [ 0.003s]
sending programmer
OKAY [ 0.014s]
flashing singleimage
FAILED (blank-flash:sdl-transfer-image:sdl-hello:error sending packet)
gbschenkel said:
Oh, I didn't know that. I ran both again, doing the procedure you told before each run.
Code:
**** Log buffer [000001] 2017-09-23_09:14:32 ****
[ -0.000] Opening device: \\.\COM3
[ 0.001] Detecting device
[ 0.003] ...cpu.id = 2368 (0x940)
[ 0.004] ...cpu.sn = 19473500 (0x129245c)
[ 0.004] Opening singleimage
[ 0.004] ERROR: error opening singleimage
[ 0.004] Check qboot_log.txt for more details
[ 0.005] Total time: 0.007s
[ 0.005]
[ 0.005] qboot version 3.40
[ 0.005]
[ 0.005] DEVICE {
[ 0.005] name = "\\.\COM3",
[ 0.005] flags = "0x64",
[ 0.005] addr = "0x61FE5C",
[ 0.005] sahara.current_mode = "3",
[ 0.005] api.buffer = "0x2B05020",
[ 0.005] cpu.serial = "19473500",
[ 0.005] cpu.id = "2368",
[ 0.005] cpu.sv_sbl = "0",
[ 0.005] api.bnr = "0x8D2FE8",
[ 0.005] }
[ 0.005]
[ 0.005]
[ 0.005] Backup & Restore {
[ 0.005] num_entries = 0,
[ 0.005] restoring = "false",
[ 0.005] backup_error = "not started",
[ 0.005] restore_error = "not started",
[ 0.005] }
[ 0.005]
Code:
Moto X Force Modded Blankflash>.\qboot.exe blank-flash
opening device: \\.\COM3
OKAY [ 0.002s]
greeting device for command mode
OKAY [ 0.002s]
identifying device
...serial = 0x129245C
...chip-id = 0x940
...chip-rev = 0x0
...sv-sbl = 0x0
OKAY [ 0.006s]
finding files
...programmer = programmer.mbn
...singleimage = singleimage.bin
OKAY [ 0.005s]
validating files
OKAY [ 0.001s]
switching to download mode
OKAY [ 0.002s]
greeting device for image downloading
OKAY [ 0.003s]
sending programmer
OKAY [ 0.014s]
flashing singleimage
FAILED (blank-flash:sdl-transfer-image:sdl-hello:error sending packet)
Click to expand...
Click to collapse
Yes this is the same result I have
I've tried too, but it's appear that are so much things to be made to it work. Aryk toldme that.
I'm stucking on this part too...
A blankflash for our exactly phone model must be made.
In my case, i've a crashed Nougat installation.
According to Aryktech, must be created a way to clean this broken installation to run this blankflash.
I'm keeping looking for solutions yet. If i discover anything i'll post here.
Anphab said:
Can you share BlankFlash Files ?
Click to expand...
Click to collapse
once we have working ones, sure.
Hi, Can you share "Moto X Force Blankflash.rar" & "Moto X Force Modded Blankflash.tar.gz" ? I'll have a look and try to help you.
roweboat56 said:
Yes this is the same result I have
Click to expand...
Click to collapse
Did you try moto factory cable with blank flash?
Anphab said:
Did you try moto factory cable with blank flash?
Click to expand...
Click to collapse
I've tried multiple cables. same result.
With debug mode enabled on the blank-flash file, I get this from the Moto X Force blankflash folder one
Code:
**** Log buffer [000001] 2017-09-24_23:11:02 ****
[ 0.000] Opening device: \\.\COM5
[ 0.000] Opening serial device: \\.\COM5
[ 0.002] Detecting device
[ 0.002] Switching to command mode
[ 0.002] Receiving HELLO packet
[ 0.002] Dumping 48 bytes read
[ 0.002] 00000000 01 00 00 00 30 00 00 00 02 00 00 00 01 00 00 00 |....0...........|
[ 0.002] 00000010 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[ 0.002] 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[ 0.002] ...protocol version: 2
[ 0.002] ...compatible with: 1
[ 0.002] ...max. packet size: 1024
[ 0.002] ...current mode: Image transfer pending
[ 0.002] Sending HELLO_RESP packet
[ 0.002] Dumping 48 bytes written
[ 0.002] 00000000 02 00 00 00 30 00 00 00 02 00 00 00 02 00 00 00 |....0...........|
[ 0.002] 00000010 00 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 |................|
[ 0.002] 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[ 0.002] Receiving COMMAND_READY packet
[ 0.002] Dumping 8 bytes read
[ 0.003] 00000000 0b 00 00 00 08 00 00 00 |........ |
[ 0.003] Identifying device
[ 0.003] Reading CPU serial number
[ 0.003] Sending CMD_EXEC packet, cmd=CMD_READ_SN
[ 0.003] Dumping 12 bytes written
[ 0.003] 00000000 0d 00 00 00 0c 00 00 00 01 00 00 00 |............ |
[ 0.003] Receiving CMD_EXEC_RESP packet
[ 0.003] Dumping 16 bytes read
[ 0.004] 00000000 0e 00 00 00 10 00 00 00 01 00 00 00 04 00 00 00 |................|
[ 0.004] ...payload: 4 byte(s)
[ 0.005] Receiving payload
[ 0.005] Dumping 12 bytes written
[ 0.007] 00000000 0f 00 00 00 0c 00 00 00 01 00 00 00 |............ |
[ 0.008] Dumping 4 bytes read
[ 0.008] 00000000 b2 a7 23 02 |..#. |
[ 0.011] Reading CPU id
[ 0.012] Sending CMD_EXEC packet, cmd=CMD_READ_HWID
[ 0.013] Dumping 12 bytes written
[ 0.014] 00000000 0d 00 00 00 0c 00 00 00 02 00 00 00 |............ |
[ 0.015] Receiving CMD_EXEC_RESP packet
[ 0.015] Dumping 16 bytes read
[ 0.017] 00000000 0e 00 00 00 10 00 00 00 02 00 00 00 18 00 00 00 |................|
[ 0.018] ...payload: 24 byte(s)
[ 0.018] Receiving payload
[ 0.019] Dumping 12 bytes written
[ 0.019] 00000000 0f 00 00 00 0c 00 00 00 02 00 00 00 |............ |
[ 0.020] Dumping 24 bytes read
[ 0.020] 00000000 00 00 68 02 e1 00 94 00 00 00 68 02 e1 00 94 00 |..h.......h.....|
[ 0.020] 00000010 00 00 68 02 e1 00 94 00 |..h..... |
[ 0.021] Reading SBL SV
[ 0.021] Sending CMD_EXEC packet, cmd=CMD_READ_SV_SBL
[ 0.022] Dumping 12 bytes written
[ 0.023] 00000000 0d 00 00 00 0c 00 00 00 07 00 00 00 |............ |
[ 0.023] Receiving CMD_EXEC_RESP packet
[ 0.024] Dumping 16 bytes read
[ 0.024] 00000000 0e 00 00 00 10 00 00 00 07 00 00 00 04 00 00 00 |................|
[ 0.025] ...payload: 4 byte(s)
[ 0.025] Receiving payload
[ 0.026] Dumping 12 bytes written
[ 0.027] 00000000 0f 00 00 00 0c 00 00 00 07 00 00 00 |............ |
[ 0.028] Dumping 4 bytes read
[ 0.029] 00000000 00 00 00 00 |.... |
[ 0.030] Reading debug data
[ 0.030] Sending CMD_EXEC packet, cmd=CMD_READ_DEBUG_DATA
[ 0.031] Dumping 12 bytes written
[ 0.031] 00000000 0d 00 00 00 0c 00 00 00 06 00 00 00 |............ |
[ 0.032] Receiving CMD_EXEC_RESP packet
[ 0.033] Dumping 16 bytes read
[ 0.034] 00000000 0e 00 00 00 10 00 00 00 06 00 00 00 40 0f 00 00 |[email protected]|
[ 0.035] ...payload: 3904 byte(s)
[ 0.035] Receiving payload
[ 0.036] Dumping 12 bytes written
[ 0.037] 00000000 0f 00 00 00 0c 00 00 00 06 00 00 00 |............ |
[ 0.038] Dumping 3904 bytes read
[ 0.038] 00000000 02 00 00 00 00 06 10 01 0b 00 0b ef fc b0 23 00 |..............#.|
[ 0.039] 00000010 94 4f 01 fc d0 00 00 00 00 06 10 01 04 06 01 ef |.O..............|
[ 0.039] 00000020 6f 75 26 00 84 68 01 fc eb 00 00 00 00 00 00 00 |ou&..h..........|
[ 0.040] 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[ 0.041] *
[ 0.041] 000000c0 2d 00 00 00 00 08 01 ef 86 4c 05 00 03 02 0f ef |-........L......|
[ 0.042] 000000d0 66 55 05 00 02 08 01 ef f5 9a 05 00 04 08 01 ef |fU..............|
[ 0.042] 000000e0 26 b9 05 00 06 08 01 ef 71 bc 05 00 08 08 01 ef |&.......q.......|
[ 0.043] 000000f0 79 c0 05 00 0a 08 01 ef 1a c2 05 00 00 03 0f ef |y...............|
[ 0.043] 00000100 07 c3 05 00 0c 08 01 ef 5a c3 05 00 00 02 5d ef |........Z.....].|
[ 0.044] 00000110 cd c4 05 00 06 04 5d ef b6 01 0e 00 00 06 5d ef |......].......].|
[ 0.045] 00000120 93 3e 0e 00 00 07 5d ef 4d 7b 0e 00 00 04 0f ef |.>....].M{......|
[ 0.046] 00000130 2a 7c 0e 00 00 0c 5d ef 2b 84 0e 00 00 0a 5d ef |*|....].+.....].|
[ 0.046] 00000140 ff 85 0e 00 00 10 5d ef 8b 8c 0e 00 01 13 5d ef |......].......].|
[ 0.047] 00000150 a4 eb 0f 00 00 15 5d ef 2d ec 0f 00 00 16 5d ef |......].-.....].|
[ 0.048] 00000160 7b ed 0f 00 0e 08 01 ef b0 00 10 00 00 03 1d ef |{...............|
[ 0.048] 00000170 2e 03 10 00 10 08 01 ef a8 1d 1c 00 00 05 0f ef |................|
[ 0.049] 00000180 5d 20 1c 00 0b 00 0b ef 8f b0 23 00 00 08 01 ef |] ........#.....|
[ 0.049] 00000190 0f b3 23 00 01 08 01 ef c3 b4 23 00 02 08 01 ef |..#.......#.....|
[ 0.050] 000001a0 ee d1 24 00 03 08 01 ef 78 d2 24 00 04 08 01 ef |..$.....x.$.....|
[ 0.051] 000001b0 08 d6 24 00 05 08 01 ef 73 d6 24 00 06 08 01 ef |..$.....s.$.....|
[ 0.051] 000001c0 31 da 24 00 07 08 01 ef 9c da 24 00 01 02 5d ef |1.$.......$...].|
[ 0.052] 000001d0 07 dc 24 00 04 06 01 ef 10 75 26 00 00 08 01 ef |..$......u&.....|
[ 0.052] 000001e0 70 77 26 00 01 08 01 ef 23 79 26 00 02 08 01 ef |pw&.....#y&.....|
[ 0.053] 000001f0 61 96 27 00 03 08 01 ef ec 96 27 00 04 08 01 ef |a.'.......'.....|
[ 0.053] 00000200 63 9a 27 00 05 08 01 ef cf 9a 27 00 06 08 01 ef |c.'.......'.....|
[ 0.055] 00000210 70 9e 27 00 07 08 01 ef db 9e 27 00 00 06 0f ef |p.'.......'.....|
[ 0.056] 00000220 6b db 28 00 00 05 0f ef 4d 40 54 1b 00 00 00 00 |k.([email protected]|
[ 0.057] 00000230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[ 0.057] *
[ 0.058] 00000c00 00 08 01 ef 26 21 00 00 01 01 0f ef 46 23 00 00 |....&!......F#..|
[ 0.058] 00000c10 02 08 01 ef 4b 2c 00 00 00 02 06 ef 37 2f 00 00 |....K,......7/..|
[ 0.059] 00000c20 04 01 07 ef f1 3f 00 00 51 00 07 ef bd 40 00 00 |[email protected]|
[ 0.059] 00000c30 08 10 07 ef 24 44 00 00 51 00 07 ef f0 44 00 00 |....$D..Q....D..|
[ 0.060] 00000c40 04 01 07 ef 57 48 00 00 51 02 07 ef 23 49 00 00 |....WH..Q...#I..|
[ 0.060] 00000c50 08 10 07 ef 8d 4c 00 00 00 02 07 ef 59 4d 00 00 |.....L......YM..|
[ 0.061] 00000c60 0e 03 06 ef 64 4e 00 00 01 04 06 ef 30 4f 00 00 |....dN......0O..|
[ 0.061] 00000c70 42 71 07 ef 8f 52 00 00 01 0e 07 ef 5b 53 00 00 |Bq...R......[S..|
[ 0.062] 00000c80 00 09 06 ef 3b 62 02 00 04 08 01 ef b2 63 02 00 |....;b.......c..|
[ 0.062] 00000c90 06 08 01 ef 47 67 02 00 08 08 01 ef 99 6d 02 00 |....Gg.......m..|
[ 0.063] 00000ca0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[ 0.063] *
[ 0.063] Debug data dump follows
[ 0.065] 00000000 02 00 00 00 00 06 10 01 0b 00 0b ef fc b0 23 00 |..............#.|
[ 0.066] 00000010 94 4f 01 fc d0 00 00 00 00 06 10 01 04 06 01 ef |.O..............|
[ 0.067] 00000020 6f 75 26 00 84 68 01 fc eb 00 00 00 00 00 00 00 |ou&..h..........|
[ 0.067] 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[ 0.068] *
[ 0.068] 000000c0 2d 00 00 00 00 08 01 ef 86 4c 05 00 03 02 0f ef |-........L......|
[ 0.068] 000000d0 66 55 05 00 02 08 01 ef f5 9a 05 00 04 08 01 ef |fU..............|
[ 0.069] 000000e0 26 b9 05 00 06 08 01 ef 71 bc 05 00 08 08 01 ef |&.......q.......|
[ 0.069] 000000f0 79 c0 05 00 0a 08 01 ef 1a c2 05 00 00 03 0f ef |y...............|
[ 0.069] 00000100 07 c3 05 00 0c 08 01 ef 5a c3 05 00 00 02 5d ef |........Z.....].|
[ 0.070] 00000110 cd c4 05 00 06 04 5d ef b6 01 0e 00 00 06 5d ef |......].......].|
[ 0.071] 00000120 93 3e 0e 00 00 07 5d ef 4d 7b 0e 00 00 04 0f ef |.>....].M{......|
[ 0.071] 00000130 2a 7c 0e 00 00 0c 5d ef 2b 84 0e 00 00 0a 5d ef |*|....].+.....].|
[ 0.072] 00000140 ff 85 0e 00 00 10 5d ef 8b 8c 0e 00 01 13 5d ef |......].......].|
[ 0.072] 00000150 a4 eb 0f 00 00 15 5d ef 2d ec 0f 00 00 16 5d ef |......].-.....].|
[ 0.072] 00000160 7b ed 0f 00 0e 08 01 ef b0 00 10 00 00 03 1d ef |{...............|
[ 0.073] 00000170 2e 03 10 00 10 08 01 ef a8 1d 1c 00 00 05 0f ef |................|
[ 0.073] 00000180 5d 20 1c 00 0b 00 0b ef 8f b0 23 00 00 08 01 ef |] ........#.....|
[ 0.073] 00000190 0f b3 23 00 01 08 01 ef c3 b4 23 00 02 08 01 ef |..#.......#.....|
[ 0.075] 000001a0 ee d1 24 00 03 08 01 ef 78 d2 24 00 04 08 01 ef |..$.....x.$.....|
[ 0.075] 000001b0 08 d6 24 00 05 08 01 ef 73 d6 24 00 06 08 01 ef |..$.....s.$.....|
[ 0.076] 000001c0 31 da 24 00 07 08 01 ef 9c da 24 00 01 02 5d ef |1.$.......$...].|
[ 0.076] 000001d0 07 dc 24 00 04 06 01 ef 10 75 26 00 00 08 01 ef |..$......u&.....|
[ 0.076] 000001e0 70 77 26 00 01 08 01 ef 23 79 26 00 02 08 01 ef |pw&.....#y&.....|
[ 0.077] 000001f0 61 96 27 00 03 08 01 ef ec 96 27 00 04 08 01 ef |a.'.......'.....|
[ 0.077] 00000200 63 9a 27 00 05 08 01 ef cf 9a 27 00 06 08 01 ef |c.'.......'.....|
[ 0.077] 00000210 70 9e 27 00 07 08 01 ef db 9e 27 00 00 06 0f ef |p.'.......'.....|
[ 0.077] 00000220 6b db 28 00 00 05 0f ef 4d 40 54 1b 00 00 00 00 |k.([email protected]|
[ 0.078] 00000230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[ 0.078] *
[ 0.079] 00000c00 00 08 01 ef 26 21 00 00 01 01 0f ef 46 23 00 00 |....&!......F#..|
[ 0.079] 00000c10 02 08 01 ef 4b 2c 00 00 00 02 06 ef 37 2f 00 00 |....K,......7/..|
[ 0.079] 00000c20 04 01 07 ef f1 3f 00 00 51 00 07 ef bd 40 00 00 |[email protected]|
[ 0.079] 00000c30 08 10 07 ef 24 44 00 00 51 00 07 ef f0 44 00 00 |....$D..Q....D..|
[ 0.080] 00000c40 04 01 07 ef 57 48 00 00 51 02 07 ef 23 49 00 00 |....WH..Q...#I..|
[ 0.080] 00000c50 08 10 07 ef 8d 4c 00 00 00 02 07 ef 59 4d 00 00 |.....L......YM..|
[ 0.080] 00000c60 0e 03 06 ef 64 4e 00 00 01 04 06 ef 30 4f 00 00 |....dN......0O..|
[ 0.081] 00000c70 42 71 07 ef 8f 52 00 00 01 0e 07 ef 5b 53 00 00 |Bq...R......[S..|
[ 0.081] 00000c80 00 09 06 ef 3b 62 02 00 04 08 01 ef b2 63 02 00 |....;b.......c..|
[ 0.081] 00000c90 06 08 01 ef 47 67 02 00 08 08 01 ef 99 6d 02 00 |....Gg.......m..|
[ 0.082] 00000ca0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[ 0.082] *
[ 0.083] ...cpu.id = 2368 (0x940)
[ 0.083] ...cpu.sn = 35891122 (0x223a7b2)
[ 0.083] Opening singleimage
[ 0.086] ERROR: error opening singleimage
[ 0.087] Check qboot_log.txt for more details
[ 0.087] Total time: 0.089s
[ 0.087]
[ 0.087] qboot version 3.40
[ 0.087]
[ 0.087] DEVICE {
[ 0.087] name = "\\.\COM5",
[ 0.087] flags = "0x67",
[ 0.087] addr = "0x61FE5C",
[ 0.087] sahara.current_mode = "3",
[ 0.087] api.buffer = "0x1068020",
[ 0.087] cpu.serial = "35891122",
[ 0.087] cpu.id = "2368",
[ 0.087] cpu.sv_sbl = "0",
[ 0.087] api.bnr = "0x1232FE8",
[ 0.087] }
[ 0.087]
[ 0.087]
[ 0.087] Backup & Restore {
[ 0.087] num_entries = 0,
[ 0.087] restoring = "false",
[ 0.087] backup_error = "not started",
[ 0.087] restore_error = "not started",
[ 0.087] }
[ 0.087]
The one for the Moto X Force Modded blankflash is attached to the post post
I'm looking for any information on the DMSS subsystem commands. I have a list of subsystem ids but none of the commands that correspond. My goal is to figure out how the Wireless Messaging Service (WMS) subsystem works. DCN 80-V1294-6 contains the information on building the payload packet but I can't find it anywhere. QXDM doesn't have any SMS controls as far as I know, so I can't spy on its communications. If anyone knows how to construct the proper packet request, I'd be very grateful.
Thanks
Doing some testing with the information I have, came up with the following responses. I spied on the Call Manager subsystem command and figured the structure would be similar to the rest of the subsystem payload markup.
STRUCTURE
Code:
4b 0e 01 ZEROED BUFFER df 80 7e
4b is DM command for subsystem
0e is subsystem id for Wireless Messaging System
Next is a sequence of 1 - 8 that I've sent. Anything after 8 results in response code of 13 which is an invalid command.
Zeroed buffer length of 258
The usual CRC high low
7e terminator
RESPONSES
Code:
4b 0e 01 00 bf 23 7e
4b 0e 02 00 d7 09 7e
4b 0e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 74 44 7e
4b 0e 04 00 00 00 00 00 63 d7 7e
4b 0e 05 00 df 44 7e
4b 0e 06 00 00 00 00 00 35df7e
4b 0e 07 00 6f 77 7e
4b 0e 08 00 a7 f4 7e
Looks like subsys commands of 3, 4, and 6 are interesting. Need to figure out what else to pass in the payload.
Quick question --> How did you spy on the Call Manager?
I built a blankflash for the amz variant of river following this guide by NetrixX: https://forum.xda-developers.com/moto-g7/how-to/blankflash-moto-g7-xt1962-5-river-reteu-t4020263 and it gets stuck at
[ 45.023] Dumping 16 bytes read
[ 45.023] 00000000 04 00 00 00 10 00 00 00 0d 00 00 00 01 00 00 00 |................|
Is there any fix for this?
Ask Syberhexen on Telegram as he's built several BlankFlash for Q for all variant
Thx