Related
Hi,
from the firmware upgrade of an ARM9 Windows Embedded CE 6.0 Device, I was able to extract a number of files, including the kernel image (NK.BIN.COMP).
However, with tools such as osnbtool, ImgfsToDump or ImgFsTools I was unable to decompress the image.
The image starts with:
Code:
00000000 58 50 52 53 e7 8b 26 01 16 89 00 00 05 00 01 00 |XPRS..&.........|
00000010 42 30 30 30 46 46 0a 00 10 36 80 50 10 2b 01 39 |B000FF...6.P.+.9|
00000020 00 04 00 00 00 eb 01 00 00 fe 03 00 ea 40 78 00 |[email protected]|
00000030 08 78 00 00 00 05 00 63 03 00 00 45 43 45 43 7c |.x.....c...ECEC||
00000040 f6 60 81 48 1c 01 8d 18 01 7c e6 2a 01 00 20 36 |.`.H.....|.*.. 6|
00000050 80 64 de 00 00 11 c5 47 00 02 04 00 00 d3 00 a0 |.d.....G........|
00000060 e3 00 f0 21 e1 0c 00 9f e5 10 0f 01 ee 87 15 00 |...!............|
00000070 eb 83 18 00 f8 37 00 ea 78 10 00 c0 b0 01 00 10 |.....7..x.......|
00000080 80 97 0a 7c 75 97 4e 39 00 02 18 00 20 18 00 08 |...|u.N9.... ...|
00000090 66 18 00 5a b8 00 d8 02 b9 00 07 00 0f 0f 6b 65 |f..Z..........ke|
000000a0 72 6e 65 6c 2e 64 6c 6c 7b 00 33 40 00 00 c4 04 |rnel.dll{[email protected]|
000000b0 4b 00 01 41 44 00 50 10 40 09 05 59 00 4c 53 5a |[email protected]|
000000c0 00 78 20 03 59 00 ec 10 29 80 f0 08 04 01 4b 5a |.x .Y...).....KZ|
000000d0 00 5a 03 04 52 54 58 00 39 81 00 00 81 24 0b 90 |.Z..RTX.9....$..|
000000e0 5f 00 c9 d0 5f 00 30 4c e0 5b 00 86 11 00 13 ba |_..._.0L.[......|
000000f0 50 58 00 44 4c 00 0b 10 20 00 cc a0 00 00 05 4e |PX.DL... ......N|
I suppose this is the Xpress compression format that is used in Win CE 6.0 ?
Are there any tools available that can decompress this image ?
Also, I would like to know which emulators you use to test out Win CE images.
I tried qemu-system-arm with the ARM926EJ-S core emulation, but it didn't work so far.
Ultimately, I would like to be able to boot into the image I extracted from the firmware upgrade and start a remote debugger inside the image, so that I can step through the code.
cheers,
knossos2
Hi,
as I already knew that the image was a Windows Embedded CE 6.0 image, I installed Platform Builder and other required development components.
My plan was to find out how the NK.BIN.COMP image is decompressed by the WinCE 6.0 loader.
It turned out, that the file had just been compressed with the WinCE 6.0 bincompress.exe tool (PUBLIC/COMMON/OAK/BIN/I386/bincompress.exe).
Although at least some of the tools I tried previously had compression support by using the WinCE libraries, it didn't work.
My best guess is that the libraries were for older versions of WinCE and thus it didn't work.
So, if you ever see "XPRS" at the start of a WinCE file, it has been compressed with bincompress.exe
I'm now trying to run the decompressed image either in qemu or in the MS Device Emulator.
I guess the Device Emulator will be the easier way.
Cheers,
knossos2
This looks like one of the most easily moddable/hackable boxes I have ever seen. It is sold by a UK company Maplin and is called a "Maplin Game Capture HD" .
(Sorry in order to get through the new user limitation on posting links I have had to horribly mangle my links)
world wide web dot maplin dot co dot uk /p/maplin-game-capture-hd-a84qu
It is a (cheap) HDMI capture box up to 1080p that has three modes capture to SD card, stream to network and capture to PC via USB. For game play, but can capture any HDMI input (non-HDCP).
The reason it's potentially easily moddable is that a telnet to port 23 in network mode gives you a root shell on it straight away. With a fully writeable root file system.
So far I have used this to start an FTP daemon that lets me FTP files straight from the SD Card though the NIC is a bit slow. Stole the command from their /plbin/start_ftpd.sh file and run "tcpsvd -vE 0.0.0.0 21 ftpd -w /".
There is a also a web interface for debug, that can be started with cd /plbin; ./test_web.sh. I may have had to set the WEBPAGE_LANGUAGE to "en" in nvram, to allow it to start. "/bin/plnvram wr WEBPAGE_LANGUAGE en"
The admin password for the web interface is just blank.
Very interestingly, if you use their app to display the streamed content from this device it allows you to see HDCP content, just not record it. I have so far had no need to look into this.
Lots of other functionality looks just commented out in the configs.
The web interface tells me this device is actually a SIGMA-PL330B,
world wide web marketwired dot com /press-release/sigma-designs-introduces-new-hd-video-encoder-technology-1518168.htm
And may well be the same (or a repackaged) version of this box
world wide web dot maxmediatek dot com pd-page/MM_V.htm
HS602 as they seem to use the same app to display the stream.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Here it is!
Your LINK
Ebay LINK
.
Did you come across anything that allowed you to record using software other than VivaStation?
I didn't but I haven't looked to hard, as recording to SD card was all I needed.
Hi - I've been looking for a way to start the streaming on this box by command line when logged into the box via telnet, but no real luck.
joemensor said:
Hi - I've been looking for a way to start the streaming on this box by command line when logged into the box via telnet, but no real luck.
Click to expand...
Click to collapse
I bought this from Maplin, but had to return the first one for a refund as I could not get the software to install on W10 (even with .net 3.5 installed), just kept throwing an error in Chinese! After looking online for replacements that do the same thing, costing between £80-250 (even the used ones, granted they do proper 1080 over Ethernet), I decided in the end to buy the box again, but from ebay...
This time I did manage to get the ShareView software installed on another machine after I spent a day installing windows 7 on it (it's an old machine + 235 updates!)..
Anyway, the commands the shareview software sends (via telnet) to get it to stream over ethernet seem quite straightforward..
First it "uploads" a config file with the contents..
Code:
SystemControl-StreamType ts
SystemControl-StreamData video+audio
SystemControl-Profile extended
SystemControl-Level 4
SysFunction-Function encode
SysFunction-Video h264
SysFunction-Audio audio
PictureResolution-InPicWidth 1920
PictureResolution-InPicHeight 1080
OutPictureResolution-OutPicWidth 640
OutPictureResolution-OutPicHeight 480
SystemControl-XferMode frame
SystemControl-SpsrFreq 1
SystemControl-FFMode frame
SystemControl-VMode cavlc
RateControl-Vbr 0
RateControl-Mode viu
RateControl-AvgBitRate 3000
VbrBitRate-MinBitRate 4285
VbrBitRate-MaxBitRate 3600
GopLoopFilter-IntraPeriod 30
GopLoopFilter-BNum 0
GopLoopFilter-Idr close
InputControl-ScanFormat progressive
InputControl-SrcMode hdmi
InputControl-SyncMode 0
InputControl-DataType raw
InputControl-InFrameRate 60
InputControl-OutFrameRate 30
InputControl-Fmt progressive
InputControl-CkEdge positive
DeInterlace-mode none
FilterControl-StartPixel 0
FilterControl-StartLine 0
SysLink-VideoInput viu
SysLink-VideoOutput host
SysLink-AudioInput aiu
SysLink-AudioOutput host
AudioControlParam-AudioType aac
AudioControlParam-SampleRate 48k
AudioControlParam-ChNum 2
AudioControlParam-LrclkI high
AudioControlEx-AacVer mpeg2
AudioControlEx-HType adts
AudioControlEx-CutoffFreq 18000
AudioControlEx-TNS 1
AudioControlEx-IS 1
AudioControlEx-PNS 1
AudioControlEx-MS 1
to /plbin/hs_enc_ts.cfg
And then launches the following command, three times, not sure why but it does., because when I run it, it only needs to be ran once..
Code:
/plbin/plstrm enc config /plbin/hs_enc_ts.cfg oudp <IP ADDRESS> oport 8085 reduceprintf nouserinput
That's all I know for now, will update if I find anything new to report =D
Hi mpmc - I think it does more than just uploads that file and runs the plstrm executable. Somehow it also passes the stream settings too. I feel I am getting somewhere, but still not able to kick off the streaming via the command line.
joemensor said:
Hi mpmc - I think it does more than just uploads that file and runs the plstrm executable. Somehow it also passes the stream settings too. I feel I am getting somewhere, but still not able to kick off the streaming via the command line.
Click to expand...
Click to collapse
Sorry for such a late reply.
I'm guessing by stream settings you mean the settings that upload to places like youtube? If so, I'm not sure myself as I don't need it for that function, but I will have a go & see if I can figure it out, but hopefully somebody has already worked it out by now.
Sorry for necroposting, but this thread hid me right on the spot. I got this box (in the form of Startech's overpriced variant), mainly for its standalone streaming to RTMP, but also as it has SD recording and HDMI capture (which I needed exactly, and nothing else).
The 720P streaming is horrible - bad codec settings (bitrates and gop probably), which means that 720P looks like 320x240 upscaled. So I opened the box to find a board number, so maybe some hack would pop up.. But telnet? - This is golden
Before I start reverse engineering (I don't really have any experience with telnet or *nix based stuff), maybe someone here worked out the details and would like to share?
TLDR. How do I set up the streaming codec settings via telnet and make them stick?
adomas said:
Sorry for necroposting, but this thread hid me right on the spot. I got this box (in the form of Startech's overpriced variant), mainly for its standalone streaming to RTMP, but also as it has SD recording and HDMI capture (which I needed exactly, and nothing else).
The 720P streaming is horrible - bad codec settings (bitrates and gop probably), which means that 720P looks like 320x240 upscaled. So I opened the box to find a board number, so maybe some hack would pop up.. But telnet? - This is golden
Before I start reverse engineering (I don't really have any experience with telnet or *nix based stuff), maybe someone here worked out the details and would like to share?
TLDR. How do I set up the streaming codec settings via telnet and make them stick?
Click to expand...
Click to collapse
Glad I'm not the only one still playing with this box.
I did have a go at working out the protocol used between the box and the software, I got as far as understanding how they find each other. The software makes a UDP broadcast to 255.255.255.255 on port 8086 with the message "HS602". The box then sends a UDP message ("YES") back, direct to the caller on the same port. The box then opens tcp port 8087 to which the software connects & they converse..
Sample of their conversation goes like this..
Client to box..
Code:
00000000 38 01 af 00 8c e0 af 00 68 54 d1 6b ff ff ff 8....... hT.k...
0000000F 32 01 af 00 00 00 00 00 50 df af 00 8c e0 af 2....... P......
0000001E 01 00 03 00 4c d5 af 00 8c e0 af 00 68 54 d1 ....L... ....hT.
0000002D 32 01 db 02 7c df af 00 3e ee 73 6a 00 00 00 2...|... >.sj...
0000003C 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
0000004B 0f 01 00 00 f0 e6 af 00 bc e8 af 00 68 54 d1 ........ ....hT.
0000005A 04 01 00 00 0c e7 af 00 bc e8 af 00 68 54 d1 ........ ....hT.
00000069 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000078 0f 01 ec 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000087 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000096 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000000A5 0f 01 ee 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000000B4 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000000C3 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000000D2 0f 01 ef 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000000E1 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000000F0 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000000FF 0f 01 f0 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000010E 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000011D 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
0000012C 0f 01 f2 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000013B 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000014A 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000159 0f 01 f3 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000168 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000177 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000186 0f 01 f4 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000195 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000001A4 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000001B3 0f 01 f5 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000001C2 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000001D1 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000001E0 0f 01 f6 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000001EF 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000001FE 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
0000020D 0f 01 f7 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000021C 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000022B 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
0000023A 0f 01 f8 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000249 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000258 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000267 0f 01 f9 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000276 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000285 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000294 0f 01 fa 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000002A3 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000002B2 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000002C1 0f 01 fb 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000002D0 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000002DF 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000002EE 0f 01 fe 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000002FD 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000030C 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
0000031B 0f 01 ff 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000032A 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000339 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000348 0f 01 00 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000357 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000366 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000375 0f 01 01 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000384 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000393 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000003A2 0f 01 02 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000003B1 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000003C0 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000003CF 0f 01 03 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000003DE 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000003ED 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000003FC 0f 01 ec 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000040B 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000041A 32 01 d9 02 b8 f0 e6 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000429 0f 01 ed 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000438 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000447 32 01 d9 02 b8 f0 e6 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000456 0f 01 ee 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
box to client
Code:
00000000 38 01 af 00 8c e0 af 00 68 54 d1 6b ff ff ff 8....... hT.k...
0000000F 01 01 af 00 00 00 00 00 50 df af 00 8c e0 af ........ P......
0000001E 01 00 03 1b 4c d5 af 00 8c e0 af 00 68 54 d1 ....L... ....hT.
0000002D 01 01 db 02 7c df af 00 3e ee 73 6a 00 00 00 ....|... >.sj...
0000003C 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
0000004B 00 01 00 00 f0 e6 af 00 bc e8 af 00 68 54 d1 ........ ....hT.
0000005A 1b 01 00 00 0c e7 af 00 bc e8 af 00 68 54 d1 ........ ....hT.
00000069 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000078 00 01 ec 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000087 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000096 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000000A5 00 01 ee 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000000B4 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000000C3 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000000D2 00 01 ef 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000000E1 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000000F0 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000000FF 00 01 f0 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000010E 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000011D 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
0000012C 00 01 f2 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000013B 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000014A 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000159 00 01 f3 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000168 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000177 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000186 00 01 f4 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000195 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000001A4 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000001B3 00 01 f5 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000001C2 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000001D1 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000001E0 00 01 f6 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000001EF 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000001FE 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
0000020D 00 01 f7 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000021C 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000022B 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
0000023A 00 01 f8 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000249 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000258 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000267 00 01 f9 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000276 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000285 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000294 00 01 fa 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000002A3 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000002B2 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000002C1 00 01 fb 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000002D0 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000002DF 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000002EE 00 01 fe 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000002FD 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000030C 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
0000031B 00 01 ff 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000032A 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000339 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000348 00 01 00 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000357 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000366 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000375 00 01 01 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000384 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000393 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000003A2 00 01 02 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000003B1 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000003C0 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000003CF 00 01 03 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000003DE 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000003ED 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000003FC 00 01 ec 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000040B 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000041A 01 01 d9 02 b8 f0 e6 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000429 00 01 ed 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000438 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000447 01 01 d9 02 b8 f0 e6 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000456 00 01 ee 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
I have no clue as to what this is! Hopefully you'll have better luck trying to decode it!
What I found so far, is that when I set up FTP the way OP posted, I can access the whole file system. I have copied it all, and am trying to find where the stream settings are stored. The mentioned cfg file does not exist though. If that works, I'll just make some custom app, that will telnet to open ftp, and upload my settings every time. However I am currently trying to just work out the basics of telnet controlling a linux system. None of the tutorials online help at all, but I found, that I can execute commands that are compiled packages in the operating folder. So far that helped for nothing I found a qzip thing in it, so maybe I will image the filesystem a little more properly than over ftp.
How could I listen the telnet communication between ShareView and the HS602? Btw - both of your pasted pieces are the same - intentional or mistake?
It also seems, that there is a whole settings web interface in plbin\www\, but I don't yet understand how to set up the webserver.
After finally launching the webserver I found that the website is some sample design and while it saves it's settings, they have no relation to the operation of the device. Going back to searching where ShareView puts it's settings and how to change them.
adomas said:
What I found so far, is that when I set up FTP the way OP posted, I can access the whole file system. I have copied it all, and am trying to find where the stream settings are stored. The mentioned cfg file does not exist though. If that works, I'll just make some custom app, that will telnet to open ftp, and upload my settings every time. However I am currently trying to just work out the basics of telnet controlling a linux system. None of the tutorials online help at all, but I found, that I can execute commands that are compiled packages in the operating folder. So far that helped for nothing I found a qzip thing in it, so maybe I will image the filesystem a little more properly than over ftp.
How could I listen the telnet communication between ShareView and the HS602? Btw - both of your pasted pieces are the same - intentional or mistake?
It also seems, that there is a whole settings web interface in plbin\www\, but I don't yet understand how to set up the webserver.
Click to expand...
Click to collapse
The stream settings aren't stored anywhere as far as I can tell, it gets sent to the running plkw binary, which appears to be the "server" for the software. This is what handles the upload to the receiving rtmp server, receiving of the encoder config, etc.
I used Wireshark to intercept the chatter between the software & the box. Yes, I know they're the same, I'm assuming it's just an echo.
I'd actually bricked mine by disabling the auto.sh scripts & ended up with no network. Thankfully mine has serial/uart pins populated & I was able to reverse the changes! Took me a while to figure the pinout (no meter) and why some chars weren't registering (needs parity set to EVEN).
Code:
Pinout starting from back of the SD card slot (Look underneath for the square pin).
[ 1 ][ 2 ][ 3 ][ 4 ]
1 = VCC (5v) - If not powered by usb it'll crash if ethernet is connected shortly after boot.
2 = TX
3 = RX
4 = GND
Will update if I find anything else out.
mpmc said:
The stream settings aren't stored anywhere as far as I can tell
Click to expand...
Click to collapse
The thing is that it does work as the manual says - set it up, and then it can be used standalone, even after a reboot. Some kind of settings seem to be in the binaries plkw, plstrm and quite a few others, stored in plain text (echo texts maybe?)
mpmc said:
Thankfully mine has serial/uart pins populated & I was able to reverse the changes!
Click to expand...
Click to collapse
Good to know. I thought that looked like some JTAG.. Did you go via telnet there as well?
Could you elaborate on how did you find what file and what command it sends over telnet? (The ones mentioned in #6)
Could you elaborate on how did you find what file and what command it sends over telnet? (The ones mentioned in #6)
Click to expand...
Click to collapse
By killing the already running plkw process on the box & running it again, you get to see what it outputs when they talk. That output is from wireshark.
adomas said:
The thing is that it does work as the manual says - set it up, and then it can be used standalone, even after a reboot. Some kind of settings seem to be in the binaries plkw, plstrm and quite a few others, stored in plain text (echo texts maybe?)
Click to expand...
Click to collapse
Yes, it appears that I was wrong, it does in fact store them, it writes them to memory (I'm guessing to the nvram block (see cat /proc/mtd)). I only found this out after watching the plkw binary via serial & by chance running "plnvram list" which makes the running plkw (not plnvram) print out it's current config.
The values set are
Code:
rd = read
/bin # plnvram rd username
username = http://foo.com
/bin # plnvram rd password
password = ONETWO
Good to know. I thought that looked like some JTAG.. Did you go via telnet there as well?
Click to expand...
Click to collapse
I'm not sure what you mean via telnet. you connect the pins to your ttl/uart serial converter (I used this one) & which drops into sh on tty0.
mpmc said:
Yes, it appears that I was wrong, it does in fact store them, it writes them to memory (I'm guessing to the nvram block (see cat /proc/mtd)). I only found this out after watching the plkw binary via serial & by chance running "plnvram list" which makes the running plkw (not plnvram) print out it's current config.
The values set are
Code:
rd = read
/bin # plnvram rd username
username = http://foo.com
/bin # plnvram rd password
password = ONETWO
Click to expand...
Click to collapse
To be fair, I actually don't really understand what you did here exactly. I don't have an uart usb adapter handy to try. But it brought me some (a lot actually) random pieces of understanding
I am unable to make it list out plnvram contents, only rd exact variables. I found a lot of those in plnvram_default.dat, but those appear to be useless. They are the values stored by the web interface and have nothing to do with ShareView settings, or how the box encodes the stream when its button is pressed. What I really want to find, is what variable names are used for ShareView settings (other than password, username, which are the places I can put RTMP link into).
ShareView has two dropboxes "Outputsize" and "bitrate", which I assume generates a quite few lines to plnvram that include exact encoding settings. Could you by any chance find where those fall into?
adomas said:
To be fair, I actually don't really understand what you did here exactly. I don't have an uart usb adapter handy to try. But it brought me some (a lot actually) random pieces of understanding
I am unable to make it list out plnvram contents, only rd exact variables. I found a lot of those in plnvram_default.dat, but those appear to be useless. They are the values stored by the web interface and have nothing to do with ShareView settings, or how the box encodes the stream when its button is pressed. What I really want to find, is what variable names are used for ShareView settings (other than password, username, which are the places I can put RTMP link into).
ShareView has two dropboxes "Outputsize" and "bitrate", which I assume generates a quite few lines to plnvram that include exact encoding settings. Could you by any chance find where those fall into?
Click to expand...
Click to collapse
As I already said , the plkw binary handles communicating with the software & this is what sets everything up, streamurl, streamkey etc, it is also what does the streaming when triggered by the button or software, unfortunately I've yet to figure out how it actually triggers! When the software connects it sends the encode config (creates the hs_enc_ts.cfg file and client.cfg in /plbin). The plkw then launches the plstrm binary three times (no idea why as one is enough from what I've found).
The outputsize & bitrate are set in the hs_enc_ts.cfg.
Code:
RateControl-AvgBitRate 8000
VbrBitRate-MinBitRate 11428
VbrBitRate-MaxBitRate 10400
Boot from serial.
Code:
Boot loader started
QL330-B0 detected
Entered diagnostic mode
Branching to external diagnostic code
Loading boot loader .....................................done
[ 0.000000] Linux version 2.6.35.8-arm1ql300 ([email protected]) (gcc version 4.3.2 (Sourcery G++ Lite 2008q3-72) ) #994 PREEMPT Tue Jul 29 10:58:16 CST 2014 v1.21
[ 0.000000] CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00053177
[ 0.000000] CPU: VIVT data cache, VIVT instruction cache
[ 0.000000] Machine: 0xc097f798,QL300-EVB Qpixel Artesa Evaluation Board
[ 0.000000]
[ 0.000000] ******************************************************
[ 0.000000] * pl330_ofc_en : 0
[ 0.000000] * pl330_cmos_reset_en : 0
[ 0.000000] * pl330_devid : 0x03300001
[ 0.000000] * pl330_sdio0_en : 1
[ 0.000000] * pl330_sdio1_en : 0
[ 0.000000] * pl330_gpiogrp1_en : 0
[ 0.000000] * pl330_gpiogrp2_en : 0
[ 0.000000] * pl330_swi2c_en : 1
[ 0.000000] * pl330_local_bus_mutex_type : 1
[ 0.000000] * pl330_eth_en : 1
[ 0.000000] * pl330_frondend_type : 14
[ 0.000000] * pl330_userdata0 : 0
[ 0.000000] * pl330_userdata1 : 1
[ 0.000000] * pl330_userdata2 : 2
[ 0.000000] * pl330_userdata3 : 3
[ 0.000000] * pl330_userdata4 : 4
[ 0.000000] * pl330_userdata5 : 5
[ 0.000000] * pl330_userdata6 : 6
[ 0.000000] * pl330_userdata7 : 7
[ 0.000000] * pl330_userstring0 : SIGMA-PL330B
[ 0.000000] * pl330_userstring1 : C4:01:42:00:86:1F
[ 0.000000] * pl330_userstring2 : userstring2
[ 0.000000] * pl330_userstring3 : userstring3
[ 0.000000] * pl330_userstring4 : userstring4
[ 0.000000] * pl330_userstring5 : userstring5
[ 0.000000] * pl330_userstring6 : userstring6
[ 0.000000] * pl330_userstring7 : userstring7
[ 0.000000] * pl330_mtd_partition : mtdparts=QL300_flash:640K(qcamboot),128K(nvram),5504K(linuxImage),1920K(custblk)
[ 0.000000] * pl330_GPIO_strap : 0x0000ffcf
[ 0.000000] ******************************************************
[ 0.000000]
[ 0.000000] vmalloc area is too big, limiting to 4MB
[ 0.000000] Memory policy: ECC disabled, Data cache writeback
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 7366
[ 0.000000] Kernel command line: console=ttyS0 vmalloc=7M [email protected] root=/nodev/rootfs mtdparts=QL300_flash:640K(qcamboot),128K(nvram),7040K(linuxImage),8576K(custblk) mtdparts=QL300_flash:640K(qcamboot),128K(nvram),5504K(linuxImage),1920K(custblk)
[ 0.000000] PID hash table entries: 128 (order: -3, 512 bytes)
[ 0.000000] Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
[ 0.000000] Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
[ 0.000000] Memory: 29MB = 29MB total
[ 0.000000] Memory: 19104k/19104k available, 10592k reserved, 0K highmem
[ 0.000000] Virtual kernel memory layout:
[ 0.000000] vector : 0xffff0000 - 0xffff1000 ( 4 kB)
[ 0.000000] fixmap : 0xfff00000 - 0xfffe0000 ( 896 kB)
[ 0.000000] DMA : 0xffc00000 - 0xffe00000 ( 2 MB)
[ 0.000000] vmalloc : 0xc1e00000 - 0xc2400000 ( 6 MB)
[ 0.000000] lowmem : 0xc0000000 - 0xc1d00000 ( 29 MB)
[ 0.000000] modules : 0xbf000000 - 0xc0000000 ( 16 MB)
[ 0.000000] .init : 0xc0008000 - 0xc06fa000 (7112 kB)
[ 0.000000] .text : 0xc06fa000 - 0xc09bb000 (2820 kB)
[ 0.000000] .data : 0xc09d2000 - 0xc09e32a0 ( 69 kB)
[ 0.000000] Hierarchical RCU implementation.
[ 0.000000] RCU-based detection of stalled CPUs is disabled.
[ 0.000000] Verbose stalled-CPUs detection is disabled.
[ 0.000000] NR_IRQS:32
[ 0.000000] console [ttyS0] enabled
[ 0.030000] Calibrating delay loop... 129.84 BogoMIPS (lpj=649216)
[ 0.240000] pid_max: default: 4096 minimum: 301
[ 0.240000] Mount-cache hash table entries: 512
[ 0.250000] CPU: Testing write buffer coherency: ok
[ 0.260000] NET: Registered protocol family 16
[ 0.270000] ql300_init: res=0xc1832740
[ 0.280000]
[ 0.280000] ******************************************************
[ 0.290000] * plgpio_group0_cfg (input/output) : 0x00003000
[ 0.300000] * plgpio_group1_cfg (input only) : 0x0000000f
[ 0.300000] * plgpio_group2_cfg (output only) : 0x0000000e
[ 0.310000] * plgpio_group3_cfg (boot strap input only) : 0x000000c0
[ 0.320000] ******************************************************
[ 0.320000]
[ 0.360000] bio: create slab <bio-0> at 0
[ 0.370000] cfg80211: Calling CRDA to update world regulatory domain
[ 0.390000] NET: Registered protocol family 2
[ 0.390000] IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.400000] TCP established hash table entries: 1024 (order: 1, 8192 bytes)
[ 0.410000] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.420000] TCP: Hash tables configured (established 1024 bind 1024)
[ 0.430000] TCP reno registered
[ 0.430000] NET: Registered protocol family 1
[ 0.440000] RPC: Registered udp transport module.
[ 0.450000] RPC: Registered tcp transport module.
[ 0.450000] RPC: Registered tcp NFSv4.1 backchannel transport module.
[ 0.710000] Loading and setting up QPSOS ...
MAIN FIRMWARE
QPSOS shell
Type 'help' for help
[ 0.730000] Loading and setting up PL330 GPIO ...
[ 0.740000] Loading and setting up PL330 NVRAM ...
[ 0.750000] NTFS driver 2.1.29 [Flags: R/W].
[ 0.760000] JFFS2 version 2.2. (NAND) (SUMMARY) © 2001-2006 Red Hat, Inc.
[ 0.770000] msgmni has been set to 37
[ 0.770000] io scheduler noop registered
[ 0.780000] io scheduler deadline registered
[ 0.780000] io scheduler cfq registered (default)
[ 0.810000] ttyS0 at I/O 0xf0000100 (irq = 17) is a builtin QL300 UART
[ 0.820000] nbd: registered device at major 43
[ 0.870000] init_ql_flash_mtd(),CFI=0,part_nums=3
[ 0.880000] m25p80 spi0.0: w25Q64 (8192 Kbytes)
[ 0.880000] 4 cmdlinepart partitions found on MTD device QL300_flash
[ 0.890000] Creating 4 MTD partitions on "QL300_flash":
[ 0.900000] 0x000000000000-0x0000000a0000 : "qcamboot"
[ 0.910000] 0x0000000a0000-0x0000000c0000 : "nvram"
[ 0.920000] 0x0000000c0000-0x000000620000 : "linuxImage"
[ 0.930000] 0x000000620000-0x000000800000 : "custblk"
0h00m00s007: (T)CODEC_Start HCI Thread
0h00m00s007: (T)CODEC_SYS config:10 SW1 isr
0h00m00s007: (T)CODEC_SYS config:1 dynamic mem alloc
0h00m00s007: (T)CODEC_Start M2M Thread
0h00m00s007: (T)CODEC_Start DTM Thread
0h00m00s007: (T)CODEC_Start VDCM Thread
[ 0.950000] Linux video capture interface: v2.00
[ 0.950000] sdhci: Secure Digital Host Controller Interface driver
[ 0.960000] sdhci: Copyright(c) Pierre Ossman
[ 0.970000] TCP cubic registered
[ 0.970000] NET: Registered protocol family 17
[ 0.980000] lib80211: common routines for IEEE802.11 drivers
[ 0.990000] Freeing init memory: 7112K
mounting proc
mounting sys
mounting pts
starting system loggers
vm.min_free_kbytes = 1024
starting status daemon
setup telnetd
plgpiod: 0x03300001
bring up lo interface
bring up sdio module
[ 1.720000] sdio_init: res=0xc0cc7920
[ 1.800000] sdio_init: SDIO-0 enabled
[ 1.810000] mem_log_init: exit
[ 1.870000] plnvram_data_load_mtd: magic(0x82312033)
[ 1.880000] plnvram_data_load_mtd: version_major(1)
[ 1.880000] plnvram_data_load_mtd: version_minor(0)
[ 1.890000] plnvram_data_load_mtd: checksum(0x00000000)
[ 1.890000] plnvram_data_load_mtd: nums(237)
success
mount: mounting /dev/mtdblock3 on /mnt/custblk failed: Invalid argument
[ 3.250000] JFFS2 notice: (201) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
bring up codec driver module
[ 3.480000] CDevice_Constructor()-> config to use Dynamic Memory Allocation for FW
[ 3.540000] CQLCodec_InitDevice() config to use internal Video FW
[ 3.550000] CQLCodec_InitDevice() config to use internal Audio FW
[ 4.610000] CComponent_Open AllocTask(0) hTask(0)
[ 4.610000] CComponent_Close ReleaseTask(0) hTask(0)
lookup_video_device_node()-> bus(4) inst(0) hTask(0) type(0)
lookup_video_device_node()-> Got 0:0
[ 4.640000] CComponent_Open AllocTask(0) hTask(0)
SetVideoFrontend()-> val=0
SetVideoFrontend()-> return 0
Working Mode:0,argc:2
Checking:0
[ 4.650000] CComponent_Close ReleaseTask(0) hTask(0)
do_whether_need_eth_driver: 1
bring up ethernet module (Wired)
[ 4.780000] AX88796C: Power saving disabled
[ 5.010000] ASIX AX88796C Fast Ethernet Adapter:v1.4.0-SDL0.93 16:31:34 Jul 19 2013
[ 5.010000] <6> http://www.asix.com.tw
[ 5.020000] Use random MAC address
[ 5.020000] AX88796C: MAC Address 76-f3-6c-e2-c3-c7
[ 5.040000] eth0: at 0x0 IRQ 4
[ 5.090000] ax88796c_init(): P1_OFFSET0x14=0x0000000f
[ 5.090000] ax88796c_init(): P1_OFFSET0x14=0x0000000e
ifconfig: ath0: error fetching interface information: Device not found
plnetworkchkd: ath0 is not existed or enabled, no need to enable connection backup. exit!
[ 6.870000] eth0: link up, 100Mbps, full-duplex
do_net_init: trying to init eth interface
do_eth_init: trying to load mac address from pl330_userstring1
do_eth_init: trying to use dynamic ip
udhcpc (v1.19.4) started
Setting IP address 0.0.0.0 on eth0
Sending discover...
Sending select for 192.168.1.110...
Lease of 192.168.1.110 obtained, lease time 86400
Setting IP address 192.168.1.110 on eth0
Deleting routers
route: SIOCDELRT: No such process
Adding router 192.168.1.1
Recreating /etc/resolv.conf
Adding DNS server 192.168.1.1
Adding DNS server 0.0.0.0
[ 8.080000] CComponent_Open AllocTask(0) hTask(0)
[ 8.090000] CComponent_Close ReleaseTask(0) hTask(0)
lookup_video_device_node()-> bus(4) inst(0) hTask(0) type(0)
lookup_video_device_node()-> Got 0:0
[ 8.110000] CComponent_Open AllocTask(0) hTask(0)
SetVideoFrontend()-> val=0
SetVideoFrontend()-> return 0
Working Mode:0,argc:1
name flag IP broadcastaddr
eth0 4163 192.168.1.110 192.168.1.255
Src:3,Res:12
recv:48,53,36,30,32
recv:43,6e,1,a8,c0
The client is: 192.168.1.40,2801a8c0
socket:8
Capture
[ 19.970000] CComponent_Open AllocTask(0) hTask(1)
[ 19.980000] CComponent_Close ReleaseTask(0) hTask(1)
lookup_video_device_node()-> bus(4) inst(0) hTask(1) type(0)
lookup_video_device_node()-> Got 0:0
[ 20.000000] CComponent_Open AllocTask(0) hTask(1)
****** Executing script file /plbin/hs_enc_ts.cfg
SystemControl-StreamType = ts
SystemControl-StreamData = video+audio
SystemControl-Profile = extended
SystemControl-Level = 4
SysFunction-Function = encode
SysFunction-Video = h264
SysFunction-Audio = audio
PictureResolution-InPicWidth = 1920
PictureResolution-InPicHeight = 1080
OutPictureResolution-OutPicWidth = 1920
OutPictureResolution-OutPicHeight = 1080
SystemControl-XferMode = frame
SystemControl-SpsrFreq = 1
SystemControl-FFMode = frame
SystemControl-VMode = cavlc
RateControl-Vbr = 0
RateControl-Mode = viu
RateControl-AvgBitRate = 15000
VbrBitRate-MinBitRate = 18000
VbrBitRate-MaxBitRate = 13000
GopLoopFilter-IntraPeriod = 30
GopLoopFilter-BNum = 0
GopLoopFilter-Idr = close
InputControl-ScanFormat = progressive
InputControl-SrcMode = hdmi
InputControl-SyncMode = 0
InputControl-DataType = raw
InputControl-InFrameRate = 60
InputControl-OutFrameRate = 30
InputControl-Fmt = progressive
InputControl-CkEdge = positive
DeInterlace-mode = none
FilterControl-StartPixel = 0
FilterControl-StartLine = 0
SysLink-VideoInput = viu
SysLink-VideoOutput = host
SysLink-AudioInput = aiu
SysLink-AudioOutput = host
AudioControlParam-AudioType = aac
AudioControlParam-SampleRate = 48k
AudioControlParam-ChNum = 2
AudioControlParam-LrclkI = high
AudioControlEx-AacVer = mpeg2
AudioControlEx-HType = adts
AudioControlEx-CutoffFreq = 18000
AudioControlEx-TNS = 1
AudioControlEx-IS = 1
AudioControlEx-PNS = 1
AudioControlEx-MS = 1
ioctl(PLDEV_STRM_IOCTL_PORT_OPEN) component(0) type(0) succeed
0h00m19s609: (T)CODEC_Start MUX Thread (channel 1)
0h00m19s609: (T)CODEC_Start VEN Thread (channel 1)
0h00m19s609: (T)AIO Record enter
acquire(0) hDev(11)
start(0) hDev(11)
0h00m19s722: (T)CODEC_Start VIU Thread (input channel 1)
0h00m19s722: (E)VIU OSD FontsStartAddr 34401500 !
0h00m19s722: (E)VIU OSD TextListStartAddr 34400100 !
0h00m19s722: (E)VIU OSD TimeInfoAddr 34401300 !
0h00m19s724: (E)CODEC_get misc_rate_control interval(80) activity_on/off(0)
0h00m19s724: (E)HCI: chInfo (0x10) phy_in(60) rec_in(30) outrate(30)
0h00m19s728: (E)VIU: (ch 1) (in 1920x1080) (out 1920x1080) (rate =30,30),(buf_num 3)
test_streamout() [
9024 t=20
VI-OSD 0
VI-OSD font_addr(0xd1005400) txtAddr(0xd1000400) timeAddr(0xd1004c00)
0h00m19s803: (E)VIU osd addr 0x34400100 0x34401500 0x34401300)
376 t=22
376 t=24
I've attached a screenshot of how I got the plnvram config to output (COM8 = serial connection).
---
I've also managed to build a test "hello world" binary & have it run on the box, so I might be able to build a better rtmp server. I may have to rely on the plstrm to get the output though :/
Some good news.. I think. I managed to "decompile" the android "Shareview" app source code using javadecompilers.com With any luck I should be able to figure it out!
If you're any good with java (I'm not) download the shareview apk from here: https://apkpure.com/shareview/com.asdfghjkl20203.hs602player/download?from=details.
And upload it to http://www.javadecompilers.com/.
mpmc said:
If you're any good with java
Click to expand...
Click to collapse
I'm also not, but I have a friend who does have some experience. Thanks for the idea.
The variable name thing threw me off, since it makes no sense to me, that it stores "password" and "username" straight to nvram, and the rest go through hs_enc_ts.cfg. I tried to manually change hs_enc_ts.cfg parameters, but they had no effect to the output stream, which is why I assumed, that it sends some other settings.
Could you save the whole putty printout somewhere? It does contain different parameters and variables than those in hs_enc_ts.cfg and plnvram_defaults.dat
Hi guys,
I bricked my LG G2 D802 a while ago. I got continious bootloops when I turned the phone on and when i tried to get my phone in download mode it went in fastboot mode. So i found this ( uncle-yakuza.jouwweb.nl/lg-g2-fast-boot-menu-fix ) guide and downloaded the files and flashed the .laf and recovery.img and all went well. I got my phone in download mode. But when i tried to flash the stock rom, it could not finish and gave me an error.
I found out that the .laf and recovery.img I downloaded on that website were for a 32GB version of the D802 and mine is a 16GB.
I tried flashing the 32GB rom and the 16GB rom, both ways the tot way and the kdz way, but it ends up in an error.
I searched google but I couldn't find a sollution.
If i could only get in fastboot mode and flash the correct files.....
Can somebody please help me.
Use lg flashtool: http://forum.xda-developers.com/showthread.php?t=2797190
Sent from my LG-D802 using XDA Free mobile app
abbek1008 said:
Use lg flashtool: http://forum.xda-developers.com/showthread.php?t=2797190
Sent from my LG-D802 using XDA Free mobile app
Click to expand...
Click to collapse
Thnx, but i already tried that, both methods: the kdz method and the tot method.
I posted the log file of the tot method below:
[ 2:59: 8] ¡Ú Tool : 1, 5, 10, 1120 : C:\LG\LGFLASHTOOL\LGFLASHTOOL.EXE
[ 2:59: 8] ¡Ú DLL : 1.0.0.3 : C:\Users\H4K1M\Desktop\BIN files LG G2\LGD802_20130912_LGFLASHv160.dll
[ 2:59: 8] Process :
[ 2:59: 8] BIN : C:\Users\H4K1M\Desktop\BIN files LG G2\BIN_LGD802AT-00-V10a-425-02-SEP-05-2013-16G+0\BIN_LGD802AT-00-V10a-425-02-SEP-05-2013-16G+0.tot
[ 2:59: 8] SCR :
[ 2:59: 8] PRL : ;;;;;;;;;;
[ 2:59: 8] ERI :
[ 2:59: 8] + 1. Web Download Mode = -1
[ 2:59: 8] + 4. Web param-Bin Version =
[ 2:59: 8] Frmae Type : LGFlashTool
[ 2:59: 8] Load : 29 Total : 4094756KB Avail : 2873220KB
[ 2:59: 8] AvailPage : 3540452KB AvailVirtual : 1888004KB
[ 2:59: 8] Total/Free of C:\ : 429600 MB / 366508 MB
[ 2:59: 8]
¡Ú¡Ú¡Ú Factory Information ¡Ú¡Ú¡Ú
[ 2:59: 8] 1. Model Name : LG-D802
[ 2:59: 8] 2. SWV : LGD800AT-01-V10q-310-410-JAN-23-2014+0
[ 2:59: 8] 3. SWOV : LGD800AT-00-V10q-ATT-US-JAN-23-2014+0
[ 2:59: 8] 4. PID : BS10S130902000056
[ 2:59: 8] 5. IMEI : ***
[ 2:59: 8]
[ 2:59: 9] CBasicComControl::IsConnected, the port(COM41) connection is not detected
[ 2:59: 9] CBasicComControl:pen, the port(COM 41) is constructed successfully => HANDLE : 0x47c
[ 2:59: 9] CPort:penPort() Success. Port number is 41
[ 2:59: 9] ---------------------------------------------------------------------------------
[ 2:59: 9] SubProcess Name : NoOperationCmd
[ 2:59: 9] [T000004] 06 4E 95 7E .N..
[ 2:59:10] [R000004] 02 6A D3 7E .j..
[ 2:59:10] Current Process : PROCESS_FAC_UPGRADE
[ 2:59:10] Binary Path : C:\Users\H4K1M\Desktop\BIN files LG G2\BIN_LGD802AT-00-V10a-425-02-SEP-05-2013-16G+0\BIN_LGD802AT-00-V10a-425-02-SEP-05-2013-16G+0.tot
[ 2:59:10] Try opening C:\Users\H4K1M\Desktop\BIN files LG G2\BIN_LGD802AT-00-V10a-425-02-SEP-05-2013-16G+0\BIN_LGD802AT-00-V10a-425-02-SEP-05-2013-16G+0.tot file
[ 2:59:10] Crc32OfTot : 0x832D52B3
[ 2:59:10] Tot File length verify : PASS 2779250688 / 2779250688
[ 2:59:10] #### [EXTENDED SUPER BOOST] ####
[ 2:59:10] *****************************************************************************
[ 2:59:10] *- LG-D802 PartitionTable Info -*
[ 2:59:10] *- SW Version : D80210a
[ 2:59:10] *- SWFV : D802-APf81ffda9.1378380281-CP29b8647a.1378383744
[ 2:59:10] *- Build Type : user
[ 2:59:10] *- Binary Size: 2779250688 Bytes
[ 2:59:10] *****************************************************************************
[ 2:59:10] Index | Part Name | Start Sector | FileSize | No Of Sectors
[ 2:59:10] 0/ 0 | PrimaryGPT | 0x00000000 | 0x0000000000080000 | 0x00008000
[ 2:59:10] 0/ 1 | modem | 0x00008000 | 0x0000000003480000 | 0x00020000
[ 2:59:10] 0/ 2 | sbl1 | 0x00028000 | 0x0000000000080000 | 0x00000800
[ 2:59:10] 0/ 3 | dbi | 0x00028800 | 0x0000000000080000 | 0x0000F800
[ 2:59:10] 0/ 4 | aboot | 0x00038000 | 0x0000000000100000 | 0x00000800
[ 2:59:10] 0/ 5 | rpm | 0x00038800 | 0x0000000000080000 | 0x00007800
[ 2:59:10] 0/ 6 | boot | 0x00040000 | 0x0000000000A80000 | 0x00008000
[ 2:59:10] 0/ 7 | tz | 0x00048000 | 0x0000000000080000 | 0x00010000
[ 2:59:10] 0/ 8 | misc | 0x00058000 | 0x0000000000800000 | 0x00008000
[ 2:59:10] 0/ 9 | persist | 0x00060000 | 0x0000000000500000 | 0x00010000
[ 2:59:10] 0/ 10 | recovery | 0x00070000 | 0x0000000000C00000 | 0x00020000
[ 2:59:10] 0/ 11 | laf | 0x00090000 | 0x0000000000F80000 | 0x00038000
[ 2:59:10] 0/ 12 | system | 0x000C8000 | 0x0000000008000000 | 0x00040000
[ 2:59:10] 0/ 13 | system | 0x00108000 | 0x0000000000080000 | 0x00000588
[ 2:59:10] 0/ 14 | system | 0x00108588 | 0x0000000000080000 | 0x00000FD0
[ 2:59:10] 0/ 15 | system | 0x00109558 | 0x0000000007D80000 | 0x0003FA78
[ 2:59:10] 0/ 16 | system | 0x00148FD0 | 0x0000000007E80000 | 0x0003F5B8
[ 2:59:10] 0/ 17 | system | 0x00188588 | 0x0000000000080000 | 0x00000FD0
[ 2:59:10] 0/ 18 | system | 0x00189558 | 0x0000000007D80000 | 0x0003FA78
[ 2:59:10] 0/ 19 | system | 0x001C8FD0 | 0x0000000007E80000 | 0x0003F5B8
[ 2:59:10] 0/ 20 | system | 0x00208588 | 0x0000000000080000 | 0x00000FD0
[ 2:59:10] 0/ 21 | system | 0x00209558 | 0x0000000007D80000 | 0x0003FA78
[ 2:59:10] 0/ 22 | system | 0x00248FD0 | 0x0000000007E80000 | 0x0003F5B8
[ 2:59:10] 0/ 23 | system | 0x00288588 | 0x0000000000080000 | 0x00000FD0
[ 2:59:10] 0/ 24 | system | 0x00289558 | 0x0000000007D80000 | 0x0003FA78
[ 2:59:10] 0/ 25 | system | 0x002C8FD0 | 0x0000000007E80000 | 0x0003F5B8
[ 2:59:10] 0/ 26 | system | 0x00308588 | 0x0000000000080000 | 0x00000FD0
[ 2:59:10] 0/ 27 | system | 0x00309558 | 0x0000000007D80000 | 0x0003FA78
[ 2:59:10] 0/ 28 | system | 0x00348FD0 | 0x0000000007E80000 | 0x00040000
[ 2:59:10] 0/ 29 | system | 0x00388FD0 | 0x0000000007E80000 | 0x00040000
[ 2:59:10] 0/ 30 | system | 0x003C8FD0 | 0x0000000007E80000 | 0x00040000
[ 2:59:10] 0/ 31 | system | 0x00408FD0 | 0x0000000007E80000 | 0x00040000
[ 2:59:10] 0/ 32 | system | 0x00448FD0 | 0x0000000007E80000 | 0x00040000
[ 2:59:10] 0/ 33 | system | 0x00488FD0 | 0x0000000007E80000 | 0x00040000
[ 2:59:10] 0/ 34 | system | 0x004C8FD0 | 0x0000000007E80000 | 0x00040000
[ 2:59:10] 0/ 35 | system | 0x00508FD0 | 0x0000000007E80000 | 0x00040000
[ 2:59:10] 0/ 36 | system | 0x00548FD0 | 0x0000000007E80000 | 0x00040000
[ 2:59:10] 0/ 37 | system | 0x00588FD0 | 0x0000000004D00000 | 0x0003F030
[ 2:59:10] 0/ 38 | system | 0x005C8000 | 0x0000000000080000 | 0x00040000
[ 2:59:10] 0/ 39 | system | 0x00608000 | 0x0000000000080000 | 0x00028000
[ 2:59:10] 0/ 40 | cache | 0x00630000 | 0x0000000000C00000 | 0x00040000
[ 2:59:10] 0/ 41 | cache | 0x00670000 | 0x0000000000080000 | 0x00040000
[ 2:59:10] 0/ 42 | cache | 0x006B0000 | 0x0000000000080000 | 0x00040000
[ 2:59:10] 0/ 43 | cache | 0x006F0000 | 0x0000000000080000 | 0x00040000
[ 2:59:10] 0/ 44 | cache | 0x00730000 | 0x0000000000080000 | 0x00060000
[ 2:59:10] 0/ 45 | cust | 0x00790000 | 0x0000000002F00000 | 0x015C9C00
[ 2:59:10] 0/ 46 | BackupGPT | 0x01D59C00 | 0x0000000000080000 | 0x00000400
[ 2:59:10] InitDiag is success.
[ 2:59:10] InitializeProcess() is success.
[ 2:59:10] CComPort::ClosePort, Closed Port Successfully for COM 41
[ 2:59:10] CBasicComControl::Close, the port(COM41) is closed successfully
[ 2:59:11] Start Download
[ 2:59:11] Port is already closed
[ 2:59:11] Port Open 41
[ 2:59:11] [T000032] 48 45 4C 4F 01 00 00 01 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 4C 3F 00 00 B7 BA B3 B0 HELO....................L?......
[ 2:59:11] [R000032] 48 45 4C 4F 01 00 00 01 01 00 00 10 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 B7 BA B3 B0 HELO............................
[ 2:59:11] [T000032] 4F 50 45 4E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8E 36 00 00 B0 AF BA B1 OPEN.....................6......
[ 2:59:11] Queue is empty Waiting for Events
[ 2:59:11] [R000032] 4F 50 45 4E 0E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B0 AF BA B1 OPEN............................
[ 2:59:11] [T002856] 49 4E 46 4F 47 50 52 4F 00 00 00 00 00 00 00 00 00 00 00 00 08 0B 00 00 3D BC 00 00 B6 B1 B9 B0 INFOGPRO................=.......
[ 2:59:11] [R002856] 49 4E 46 4F 47 50 52 4F 00 00 00 00 00 00 00 00 00 00 00 00 08 0B 00 00 00 00 00 00 B6 B1 B9 B0 INFOGPRO........................
[ 2:59:11] prog size = 2824, receive size = 2824
[ 2:59:11] == PROPERTY INFO
[ 2:59:11] 1. download cable = USER
[ 2:59:11] 2. battery level = 14
[ 2:59:11] 3. download type =
[ 2:59:11] 4. download speed = 0
[ 2:59:11] 5. usb version = UHS
[ 2:59:11] 6. hardware revision = rev_10
[ 2:59:11] 7. download sw version =
[ 2:59:11] 8. device sw version = D80210b
[ 2:59:11] 9. secure device = S
[ 2:59:11] 10. laf sw version = 1.0
[ 2:59:11] 11. device factory version = LGD800AT-01-V10q-310-410-JAN-23-2014+0
[ 2:59:11] 12. device factory out version = LGD800AT-00-V10q-ATT-US-JAN-23-2014+0
[ 2:59:11] 13. pid = BS10S130902000056
[ 2:59:11] 14. imei = ***
[ 2:59:11] 15. model name = LG-D802
[ 2:59:11] 16. device build type = U
[ 2:59:11] 17. chipset platform = msm8974
[ 2:59:11] 18. target_operator = OPEN
[ 2:59:11] 19. target_country = COM
[ 2:59:11] 20. ap_factory_reset_status = 3
[ 2:59:11] 21. cp_factory_reset_status = 1
[ 2:59:11] 22. isDownloadNotFinish = 0
[ 2:59:11] 23. qem = 0
[ 2:59:11] 24. cupss swfv =
[ 2:59:11] 25. is one binary dual plan = 1
[ 2:59:11] 26. memroy size = 61071360
[ 2:59:11] 27. memory_id = 032G96
[ 2:59:11] LAF : Bin_User_Mode
[ 2:59:11] LAF : Bin_User_Mode
[ 2:59:11] CBasicFlash::isValidateSecureImage Device is a qfused.
[ 2:59:11] found sbl1 Partition for secure image check
[ 2:59:11] Secure Image
[ 2:59:11] found aboot Partition for secure image check
[ 2:59:11] Secure Image
[ 2:59:11] found rpm Partition for secure image check
[ 2:59:11] Secure Image
[ 2:59:11] found tz Partition for secure image check
[ 2:59:11] Secure Image
[ 2:59:11] QFUSE Status Check OK.
[ 2:59:11] Laf memory size: 32G!
[ 2:59:11] Memory size is not matched!
[ 2:59:11] Memory size: 32G, File name: BIN_LGD802AT-00-V10A-425-02-SEP-05-2013-16G+0.TOT
[ 2:59:11] [T000032] 43 4C 53 45 0E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 75 00 00 BC B3 AC BA CLSE....................xu......
[ 2:59:11] [R000032] 43 4C 53 45 0E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 BC B3 AC BA CLSE............................
[ 2:59:11] *********************************************************************************************
[ 2:59:11] *********************************************************************************************
[ 2:59:11] Port Close
[ 2:59:12] Port Open 41
[ 2:59:12] Retry download 1 time(s)
[ 2:59:12] [T000032] 48 45 4C 4F 01 00 00 01 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 4C 3F 00 00 B7 BA B3 B0 HELO....................L?......
[ 2:59:13] [R000032] 48 45 4C 4F 01 00 00 01 01 00 00 10 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 B7 BA B3 B0 HELO............................
[ 2:59:13] [T000032] 4F 50 45 4E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8E 36 00 00 B0 AF BA B1 OPEN.....................6......
[ 2:59:13] Queue is empty Waiting for Events
[ 2:59:13] [R000032] 4F 50 45 4E 0E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B0 AF BA B1 OPEN............................
[ 2:59:13] [T002856] 49 4E 46 4F 47 50 52 4F 00 00 00 00 00 00 00 00 00 00 00 00 08 0B 00 00 12 86 00 00 B6 B1 B9 B0 INFOGPRO........................
[ 2:59:13] [R002856] 49 4E 46 4F 47 50 52 4F 00 00 00 00 00 00 00 00 00 00 00 00 08 0B 00 00 00 00 00 00 B6 B1 B9 B0 INFOGPRO........................
[ 2:59:13] prog size = 2824, receive size = 2824
[ 2:59:13] == PROPERTY INFO
[ 2:59:13] 1. download cable = USER
[ 2:59:13] 2. battery level = 14
[ 2:59:13] 3. download type =
[ 2:59:13] 4. download speed = 0
[ 2:59:13] 5. usb version = UHS
[ 2:59:13] 6. hardware revision = rev_10
[ 2:59:13] 7. download sw version =
[ 2:59:13] 8. device sw version = D80210b
[ 2:59:13] 9. secure device = S
[ 2:59:13] 10. laf sw version = 1.0
[ 2:59:13] 11. device factory version = LGD800AT-01-V10q-310-410-JAN-23-2014+0
[ 2:59:13] 12. device factory out version = LGD800AT-00-V10q-ATT-US-JAN-23-2014+0
[ 2:59:13] 13. pid = BS10S130902000056
[ 2:59:13] 14. imei = ***
[ 2:59:13] 15. model name = LG-D802
[ 2:59:13] 16. device build type = U
[ 2:59:13] 17. chipset platform = msm8974
[ 2:59:13] 18. target_operator = OPEN
[ 2:59:13] 19. target_country = COM
[ 2:59:13] 20. ap_factory_reset_status = 3
[ 2:59:13] 21. cp_factory_reset_status = 1
[ 2:59:13] 22. isDownloadNotFinish = 0
[ 2:59:13] 23. qem = 0
[ 2:59:13] 24. cupss swfv =
[ 2:59:13] 25. is one binary dual plan = 1
[ 2:59:13] 26. memroy size = 61071360
[ 2:59:13] 27. memory_id = 032G96
[ 2:59:13] LAF : Bin_User_Mode
[ 2:59:13] LAF : Bin_User_Mode
[ 2:59:13] CBasicFlash::isValidateSecureImage Device is a qfused.
[ 2:59:13] found sbl1 Partition for secure image check
[ 2:59:13] Secure Image
[ 2:59:13] found aboot Partition for secure image check
[ 2:59:13] Secure Image
[ 2:59:13] found rpm Partition for secure image check
[ 2:59:13] Secure Image
[ 2:59:13] found tz Partition for secure image check
[ 2:59:13] Secure Image
[ 2:59:13] QFUSE Status Check OK.
[ 2:59:13] Laf memory size: 32G!
[ 2:59:13] Memory size is not matched!
[ 2:59:13] Memory size: 32G, File name: BIN_LGD802AT-00-V10A-425-02-SEP-05-2013-16G+0.TOT
[ 2:59:13] [T000032] 43 4C 53 45 0E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 75 00 00 BC B3 AC BA CLSE....................xu......
[ 2:59:13] [R000032] 43 4C 53 45 0E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 BC B3 AC BA CLSE............................
[ 2:59:13] *********************************************************************************************
[ 2:59:13] *********************************************************************************************
[ 2:59:13] Port Close
[ 2:59:14] Port Open 41
[ 2:59:14] Retry download 2 time(s)
[ 2:59:14] [T000032] 48 45 4C 4F 01 00 00 01 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 4C 3F 00 00 B7 BA B3 B0 HELO....................L?......
[ 2:59:14] [R000032] 48 45 4C 4F 01 00 00 01 01 00 00 10 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 B7 BA B3 B0 HELO............................
[ 2:59:14] [T000032] 4F 50 45 4E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8E 36 00 00 B0 AF BA B1 OPEN.....................6......
[ 2:59:14] Queue is empty Waiting for Events
[ 2:59:14] [R000032] 4F 50 45 4E 0E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B0 AF BA B1 OPEN............................
[ 2:59:14] [T002856] 49 4E 46 4F 47 50 52 4F 00 00 00 00 00 00 00 00 00 00 00 00 08 0B 00 00 13 47 00 00 B6 B1 B9 B0 INFOGPRO.................G......
[ 2:59:14] [R002856] 49 4E 46 4F 47 50 52 4F 00 00 00 00 00 00 00 00 00 00 00 00 08 0B 00 00 00 00 00 00 B6 B1 B9 B0 INFOGPRO........................
[ 2:59:14] prog size = 2824, receive size = 2824
[ 2:59:14] == PROPERTY INFO
[ 2:59:14] 1. download cable = USER
[ 2:59:14] 2. battery level = 14
[ 2:59:14] 3. download type =
[ 2:59:14] 4. download speed = 0
[ 2:59:14] 5. usb version = UHS
[ 2:59:14] 6. hardware revision = rev_10
[ 2:59:14] 7. download sw version =
[ 2:59:14] 8. device sw version = D80210b
[ 2:59:14] 9. secure device = S
[ 2:59:14] 10. laf sw version = 1.0
[ 2:59:14] 11. device factory version = LGD800AT-01-V10q-310-410-JAN-23-2014+0
[ 2:59:14] 12. device factory out version = LGD800AT-00-V10q-ATT-US-JAN-23-2014+0
[ 2:59:14] 13. pid = BS10S130902000056
[ 2:59:14] 14. imei = ***
[ 2:59:14] 15. model name = LG-D802
[ 2:59:14] 16. device build type = U
[ 2:59:14] 17. chipset platform = msm8974
[ 2:59:14] 18. target_operator = OPEN
[ 2:59:14] 19. target_country = COM
[ 2:59:14] 20. ap_factory_reset_status = 3
[ 2:59:14] 21. cp_factory_reset_status = 1
[ 2:59:14] 22. isDownloadNotFinish = 0
[ 2:59:14] 23. qem = 0
[ 2:59:14] 24. cupss swfv =
[ 2:59:14] 25. is one binary dual plan = 1
[ 2:59:14] 26. memroy size = 61071360
[ 2:59:14] 27. memory_id = 032G96
[ 2:59:14] LAF : Bin_User_Mode
[ 2:59:14] LAF : Bin_User_Mode
[ 2:59:14] CBasicFlash::isValidateSecureImage Device is a qfused.
[ 2:59:14] found sbl1 Partition for secure image check
[ 2:59:14] Secure Image
[ 2:59:14] found aboot Partition for secure image check
[ 2:59:14] Secure Image
[ 2:59:14] found rpm Partition for secure image check
[ 2:59:14] Secure Image
[ 2:59:14] found tz Partition for secure image check
[ 2:59:14] Secure Image
[ 2:59:14] QFUSE Status Check OK.
[ 2:59:14] Laf memory size: 32G!
[ 2:59:14] Memory size is not matched!
[ 2:59:14] Memory size: 32G, File name: BIN_LGD802AT-00-V10A-425-02-SEP-05-2013-16G+0.TOT
[ 2:59:14] [T000032] 43 4C 53 45 0E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 75 00 00 BC B3 AC BA CLSE....................xu......
[ 2:59:14] [R000032] 43 4C 53 45 0E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 BC B3 AC BA CLSE............................
[ 2:59:14] *********************************************************************************************
[ 2:59:14] *********************************************************************************************
[ 2:59:19] [T000038] 45 58 45 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00 F0 35 00 00 BA A7 BA BC EXEC.....................5......
64 6D 65 73 67 00 dmesg.
[ 2:59:19] [R000032] 45 58 45 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 BA A7 BA BC EXEC............................
[ 2:59:19] Port Close
[ 2:59:20] RefurbishProcess() Error.
[ 2:59:20] ¡Ú¡Ú ERROR REASON : LAF_ERROR_INVALID_LAF_PROTOCOL
[ 2:59:20] CBasicComControl::IsConnected, the port(COM41) connection is not detected
[ 2:59:20] RunProcess() is fail.
[ 2:59:20] CBasicComControl::IsConnected, the port(COM41) connection is not detected
[ 2:59:20] [ 2:59:14] Memory size: 32G, File name: BIN_LGD802AT-00-V10A-425-02-SEP-05-2013-16G+0.TOT
[ 2:59:20] DoDownload() Exception
Flash the correct images in fastboot.
_____________________________________Read more write less and be smart
siggey said:
Flash the correct images in fastboot.
_____________________________________Read more write less and be smart
Click to expand...
Click to collapse
Hi siggey,
I can't get in to fastboot. The phone goes in download mode only.
If somebody knows a way how to get in to fasrboot, please let me know. So i can flash the right images.
I'll take my lumps in advance, but I will say I've read a hell of a lot of threads on this and it's got me stumped.
In my modern existence I've been through quite a few phones (maybe 30-40 models), and I've gone pretty deep with the meddling with the help of kid people here of course and - have never once - truly bricked a phone so that I had to take it in a store or return it.
But I've got a Moto X Force, Unlocked version, and it's bricked. No screen, no lights, no sounds, not a single thing for 24 hours now no matter what i do to it.
I did have some hope earlier as I was able to consistently get the Qualcomm 9008 or whatever proper QC drivers shoud load, to load perfectly, for an RSD Lite flash. I noticed that strangely if my laptop had AC power to it, it would come up in dev mgt as a damaged device that couldnt start. Without AC power to my laptop, it came up just fine as the Qualcomm.
But no matter what I try, RSD Lite will not see the phone and populate any lines with details. Now, I have a couple packages from here that contain full roms and use the RSD file format and look to be very promising, but there's always something in my way. So, I humbly ask for assistance here.
All I need to do is get to a place where I can use fastboot or mfastboot one time and I'm good to go. Can anyone help me get there or give some advice in general? This was my daily driver btw...and probably shaping up to be one of my best phones of all time..
Cheers : )
unseen-forces said:
But I've got a Moto X Force, Unlocked version, and it's bricked. No screen, no lights, no sounds, not a single thing for 24 hours now no matter what i do to it.
I did have some hope earlier as I was able to consistently get the Qualcomm 9008 or whatever proper QC drivers should load, to load perfectly, for an RSD Lite flash. I noticed that strangely if my laptop had AC power to it, it would come up in dev mgt as a damaged device that couldn't start. Without AC power to my laptop, it came up just fine as the Qualcomm.
But no matter what I try, RSD Lite will not see the phone and populate any lines with details. Now, I have a couple packages from here that contain full roms and use the RSD file format and look to be very promising, but there's always something in my way. So, I humbly ask for assistance here.
Cheers : )
Click to expand...
Click to collapse
First and foremost, sorry that this won't be an answer.
I'm new to this forum, as I'm seriously considering a moto x force.
How old was it? Any prior damage that could have led to this?
Could you provide a few more details on what exactly you were up to before it bricked?
More information can only help at this point.
The connection of charging laptop vs disconnected laptop could definitely be part of the situation. Perhaps your usb port caused the brick? Seems like an unusual symptom when usb out should be 5v regardless of whether or not the laptop has power, so why would it show up differently in device manager.......
Cheers.
I found a website with the blankflash for unbrick the device.. Idk if works:
http://www.aryk.tech/2017/09/moto-x-force-unbrick-solutions.html
Unfortunately they're requesting $10,99 to release the blankflash.
Rawdog.dll said:
I found a website with the blankflash for unbrick the device.. Idk if works:
http://www.aryk.tech/2017/09/moto-x-force-unbrick-solutions.html
Unfortunately they're requesting $10,99 to release the blankflash.
Click to expand...
Click to collapse
I'll be testing out this method either later today or tomorrow. as soon as they get back to me with the files.
hopefully its a working solution =D
roweboat56 said:
I'll be testing out this method either later today or tomorrow. as soon as they get back to me with the files.
hopefully its a working solution =D
Click to expand...
Click to collapse
I paid about 44h ago to https://arky.tech, but they still don't send me a link to download, neither a e-mail.
Also they moderate the comments in their page, then I can't argue with they.
I am thinking to start to request a refund on paypal.
UPDATE: I finally got access to MEGA to the files. I run the qflash but it doesn't work. I am in touch with the ArykTech over MEGA to help me out.
gbschenkel said:
I paid about 44h ago to https://arky.tech, but they still don't send me a link to download, neither a e-mail.
Also they moderate the comments in their page, then I can't argue with they.
I am thinking to start to request a refund on paypal.
Click to expand...
Click to collapse
Yes I'm sill waiting as well. Someone from Arkytech did respond to my email saying i should see the link in my email, but response time seems very slow.
UPDATE: literally 2 seconds after writing this... I get the email to the files... LOL crazy.
UPDATE 2: need to wait for cryptography key from end user to access files....
Will keep you updated on progress
gbschenkel said:
UPDATE: I finally got access to MEGA to the files. I run the qflash but it doesn't work. I am in touch with the ArykTech over MEGA to help me out.
Click to expand...
Click to collapse
I am having the same problem.
opening device: \\.\COM9
OKAY [ 0.002s]
greeting device for command mode
OKAY [ 0.001s]
identifying device
...serial = 0x1B727FB
...chip-id = 0x940
...chip-rev = 0x0
...sv-sbl = 0x0
OKAY [ 0.006s]
finding files
...programmer = programmer.mbn
...singleimage = singleimage.bin
OKAY [ 0.003s]
validating files
OKAY [ 0.001s]
switching to download mode
OKAY [ 0.001s]
greeting device for image downloading
OKAY [ 0.002s]
sending programmer
OKAY [ 0.015s]
flashing singleimage
FAILED (blank-flash:sdl-transfer-image:sdl-hello:error sending packet)
---------- Post added at 08:19 PM ---------- Previous post was at 07:55 PM ----------
the author of Arky.tech says in the tutorial there is a second method. But those files aren't supplied.
We'll hopefully we can find a solution soon. Otherwise I'll have to send it in for repair.
I got stucked early...
Code:
**** Log buffer [000001] 2017-09-22_20:38:51 ****
[ 0.000] Opening device: \\.\COM3
[ 0.002] Detecting device
[ 4.007] ERROR: sahara_greet_device()->change_mode()->do_hello()->IO error
[ 4.007] Check qboot_log.txt for more details
[ 4.007] Total time: 4.008s
[ 4.007]
[ 4.007] qboot version 3.40
[ 4.007]
[ 4.007] DEVICE {
[ 4.007] name = "\\.\COM3",
[ 4.007] flags = "0x64",
[ 4.007] addr = "0x61FE5C",
[ 4.007] api.bnr = "0x11E2EF8",
[ 4.007] }
[ 4.007]
[ 4.007]
[ 4.007] Backup & Restore {
[ 4.007] num_entries = 0,
[ 4.008] restoring = "false",
[ 4.008] backup_error = "not started",
[ 4.008] restore_error = "not started",
[ 4.008] }
[ 4.008]
I am using Win10, and you?
gbschenkel said:
I got stucked early...
Code:
**** Log buffer [000001] 2017-09-22_20:38:51 ****
[ 0.000] Opening device: \\.\COM3
[ 0.002] Detecting device
[ 4.007] ERROR: sahara_greet_device()->change_mode()->do_hello()->IO error
[ 4.007] Check qboot_log.txt for more details
[ 4.007] Total time: 4.008s
[ 4.007]
[ 4.007] qboot version 3.40
[ 4.007]
[ 4.007] DEVICE {
[ 4.007] name = "\\.\COM3",
[ 4.007] flags = "0x64",
[ 4.007] addr = "0x61FE5C",
[ 4.007] api.bnr = "0x11E2EF8",
[ 4.007] }
[ 4.007]
[ 4.007]
[ 4.007] Backup & Restore {
[ 4.007] num_entries = 0,
[ 4.008] restoring = "false",
[ 4.008] backup_error = "not started",
[ 4.008] restore_error = "not started",
[ 4.008] }
[ 4.008]
I am using Win10, and you?
Click to expand...
Click to collapse
Windows 10 as well.
When i tried files from the "Moto X Force Blankflash.rar" I get same error as you.
When i used files from folder "Moto X Force Modded Blankflash.tar.gz", I get error shown in my previous post.
I'm not exactly sure how the "blankflash" files work, but it seems it is detecting the wrong bootloader version.
roweboat56 said:
Windows 10 as well.
When i tried files from the "Moto X Force Blankflash.rar" I get same error as you.
When i used files from folder "Moto X Force Modded Blankflash.tar.gz", I get error shown in my previous post.
I'm not exactly sure how the "blankflash" files work, but it seems it is detecting the wrong bootloader version.
Click to expand...
Click to collapse
The modded show this:
Code:
.\qboot.exe blank-flash
opening device: \\.\COM3
OKAY [ 0.002s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.003s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.003s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.003s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.003s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.003s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.004s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.004s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.003s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.003s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.003s]
greeting device for command mode
FAILED (blank-flash:greet-device:error reading packet)
gbschenkel said:
The modded show this:
Code:
.\qboot.exe blank-flash
opening device: \\.\COM3
OKAY [ 0.002s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.003s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.003s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.003s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.003s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.003s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.004s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.004s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.003s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.003s]
greeting device for command mode
opening device: \\.\COM3
OKAY [ 0.003s]
greeting device for command mode
FAILED (blank-flash:greet-device:error reading packet)
Click to expand...
Click to collapse
Unplug device then Hold POWER + VOL UP + VOL DOWN for a few seconds, then plug it back in.
It only seems to recognize it properly once, then has to be reset with the above actions every time the blank flash is run.
Can you share BlankFlash Files ?
roweboat56 said:
Unplug device then Hold POWER + VOL UP + VOL DOWN for a few seconds, then plug it back in.
It only seems to recognize it properly once, then has to be reset with the above actions every time the blank flash is run.
Click to expand...
Click to collapse
Oh, I didn't know that. I ran both again, doing the procedure you told before each run.
Code:
**** Log buffer [000001] 2017-09-23_09:14:32 ****
[ -0.000] Opening device: \\.\COM3
[ 0.001] Detecting device
[ 0.003] ...cpu.id = 2368 (0x940)
[ 0.004] ...cpu.sn = 19473500 (0x129245c)
[ 0.004] Opening singleimage
[ 0.004] ERROR: error opening singleimage
[ 0.004] Check qboot_log.txt for more details
[ 0.005] Total time: 0.007s
[ 0.005]
[ 0.005] qboot version 3.40
[ 0.005]
[ 0.005] DEVICE {
[ 0.005] name = "\\.\COM3",
[ 0.005] flags = "0x64",
[ 0.005] addr = "0x61FE5C",
[ 0.005] sahara.current_mode = "3",
[ 0.005] api.buffer = "0x2B05020",
[ 0.005] cpu.serial = "19473500",
[ 0.005] cpu.id = "2368",
[ 0.005] cpu.sv_sbl = "0",
[ 0.005] api.bnr = "0x8D2FE8",
[ 0.005] }
[ 0.005]
[ 0.005]
[ 0.005] Backup & Restore {
[ 0.005] num_entries = 0,
[ 0.005] restoring = "false",
[ 0.005] backup_error = "not started",
[ 0.005] restore_error = "not started",
[ 0.005] }
[ 0.005]
Code:
Moto X Force Modded Blankflash>.\qboot.exe blank-flash
opening device: \\.\COM3
OKAY [ 0.002s]
greeting device for command mode
OKAY [ 0.002s]
identifying device
...serial = 0x129245C
...chip-id = 0x940
...chip-rev = 0x0
...sv-sbl = 0x0
OKAY [ 0.006s]
finding files
...programmer = programmer.mbn
...singleimage = singleimage.bin
OKAY [ 0.005s]
validating files
OKAY [ 0.001s]
switching to download mode
OKAY [ 0.002s]
greeting device for image downloading
OKAY [ 0.003s]
sending programmer
OKAY [ 0.014s]
flashing singleimage
FAILED (blank-flash:sdl-transfer-image:sdl-hello:error sending packet)
gbschenkel said:
Oh, I didn't know that. I ran both again, doing the procedure you told before each run.
Code:
**** Log buffer [000001] 2017-09-23_09:14:32 ****
[ -0.000] Opening device: \\.\COM3
[ 0.001] Detecting device
[ 0.003] ...cpu.id = 2368 (0x940)
[ 0.004] ...cpu.sn = 19473500 (0x129245c)
[ 0.004] Opening singleimage
[ 0.004] ERROR: error opening singleimage
[ 0.004] Check qboot_log.txt for more details
[ 0.005] Total time: 0.007s
[ 0.005]
[ 0.005] qboot version 3.40
[ 0.005]
[ 0.005] DEVICE {
[ 0.005] name = "\\.\COM3",
[ 0.005] flags = "0x64",
[ 0.005] addr = "0x61FE5C",
[ 0.005] sahara.current_mode = "3",
[ 0.005] api.buffer = "0x2B05020",
[ 0.005] cpu.serial = "19473500",
[ 0.005] cpu.id = "2368",
[ 0.005] cpu.sv_sbl = "0",
[ 0.005] api.bnr = "0x8D2FE8",
[ 0.005] }
[ 0.005]
[ 0.005]
[ 0.005] Backup & Restore {
[ 0.005] num_entries = 0,
[ 0.005] restoring = "false",
[ 0.005] backup_error = "not started",
[ 0.005] restore_error = "not started",
[ 0.005] }
[ 0.005]
Code:
Moto X Force Modded Blankflash>.\qboot.exe blank-flash
opening device: \\.\COM3
OKAY [ 0.002s]
greeting device for command mode
OKAY [ 0.002s]
identifying device
...serial = 0x129245C
...chip-id = 0x940
...chip-rev = 0x0
...sv-sbl = 0x0
OKAY [ 0.006s]
finding files
...programmer = programmer.mbn
...singleimage = singleimage.bin
OKAY [ 0.005s]
validating files
OKAY [ 0.001s]
switching to download mode
OKAY [ 0.002s]
greeting device for image downloading
OKAY [ 0.003s]
sending programmer
OKAY [ 0.014s]
flashing singleimage
FAILED (blank-flash:sdl-transfer-image:sdl-hello:error sending packet)
Click to expand...
Click to collapse
Yes this is the same result I have
I've tried too, but it's appear that are so much things to be made to it work. Aryk toldme that.
I'm stucking on this part too...
A blankflash for our exactly phone model must be made.
In my case, i've a crashed Nougat installation.
According to Aryktech, must be created a way to clean this broken installation to run this blankflash.
I'm keeping looking for solutions yet. If i discover anything i'll post here.
Anphab said:
Can you share BlankFlash Files ?
Click to expand...
Click to collapse
once we have working ones, sure.
Hi, Can you share "Moto X Force Blankflash.rar" & "Moto X Force Modded Blankflash.tar.gz" ? I'll have a look and try to help you.
roweboat56 said:
Yes this is the same result I have
Click to expand...
Click to collapse
Did you try moto factory cable with blank flash?
Anphab said:
Did you try moto factory cable with blank flash?
Click to expand...
Click to collapse
I've tried multiple cables. same result.
With debug mode enabled on the blank-flash file, I get this from the Moto X Force blankflash folder one
Code:
**** Log buffer [000001] 2017-09-24_23:11:02 ****
[ 0.000] Opening device: \\.\COM5
[ 0.000] Opening serial device: \\.\COM5
[ 0.002] Detecting device
[ 0.002] Switching to command mode
[ 0.002] Receiving HELLO packet
[ 0.002] Dumping 48 bytes read
[ 0.002] 00000000 01 00 00 00 30 00 00 00 02 00 00 00 01 00 00 00 |....0...........|
[ 0.002] 00000010 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[ 0.002] 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[ 0.002] ...protocol version: 2
[ 0.002] ...compatible with: 1
[ 0.002] ...max. packet size: 1024
[ 0.002] ...current mode: Image transfer pending
[ 0.002] Sending HELLO_RESP packet
[ 0.002] Dumping 48 bytes written
[ 0.002] 00000000 02 00 00 00 30 00 00 00 02 00 00 00 02 00 00 00 |....0...........|
[ 0.002] 00000010 00 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 |................|
[ 0.002] 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[ 0.002] Receiving COMMAND_READY packet
[ 0.002] Dumping 8 bytes read
[ 0.003] 00000000 0b 00 00 00 08 00 00 00 |........ |
[ 0.003] Identifying device
[ 0.003] Reading CPU serial number
[ 0.003] Sending CMD_EXEC packet, cmd=CMD_READ_SN
[ 0.003] Dumping 12 bytes written
[ 0.003] 00000000 0d 00 00 00 0c 00 00 00 01 00 00 00 |............ |
[ 0.003] Receiving CMD_EXEC_RESP packet
[ 0.003] Dumping 16 bytes read
[ 0.004] 00000000 0e 00 00 00 10 00 00 00 01 00 00 00 04 00 00 00 |................|
[ 0.004] ...payload: 4 byte(s)
[ 0.005] Receiving payload
[ 0.005] Dumping 12 bytes written
[ 0.007] 00000000 0f 00 00 00 0c 00 00 00 01 00 00 00 |............ |
[ 0.008] Dumping 4 bytes read
[ 0.008] 00000000 b2 a7 23 02 |..#. |
[ 0.011] Reading CPU id
[ 0.012] Sending CMD_EXEC packet, cmd=CMD_READ_HWID
[ 0.013] Dumping 12 bytes written
[ 0.014] 00000000 0d 00 00 00 0c 00 00 00 02 00 00 00 |............ |
[ 0.015] Receiving CMD_EXEC_RESP packet
[ 0.015] Dumping 16 bytes read
[ 0.017] 00000000 0e 00 00 00 10 00 00 00 02 00 00 00 18 00 00 00 |................|
[ 0.018] ...payload: 24 byte(s)
[ 0.018] Receiving payload
[ 0.019] Dumping 12 bytes written
[ 0.019] 00000000 0f 00 00 00 0c 00 00 00 02 00 00 00 |............ |
[ 0.020] Dumping 24 bytes read
[ 0.020] 00000000 00 00 68 02 e1 00 94 00 00 00 68 02 e1 00 94 00 |..h.......h.....|
[ 0.020] 00000010 00 00 68 02 e1 00 94 00 |..h..... |
[ 0.021] Reading SBL SV
[ 0.021] Sending CMD_EXEC packet, cmd=CMD_READ_SV_SBL
[ 0.022] Dumping 12 bytes written
[ 0.023] 00000000 0d 00 00 00 0c 00 00 00 07 00 00 00 |............ |
[ 0.023] Receiving CMD_EXEC_RESP packet
[ 0.024] Dumping 16 bytes read
[ 0.024] 00000000 0e 00 00 00 10 00 00 00 07 00 00 00 04 00 00 00 |................|
[ 0.025] ...payload: 4 byte(s)
[ 0.025] Receiving payload
[ 0.026] Dumping 12 bytes written
[ 0.027] 00000000 0f 00 00 00 0c 00 00 00 07 00 00 00 |............ |
[ 0.028] Dumping 4 bytes read
[ 0.029] 00000000 00 00 00 00 |.... |
[ 0.030] Reading debug data
[ 0.030] Sending CMD_EXEC packet, cmd=CMD_READ_DEBUG_DATA
[ 0.031] Dumping 12 bytes written
[ 0.031] 00000000 0d 00 00 00 0c 00 00 00 06 00 00 00 |............ |
[ 0.032] Receiving CMD_EXEC_RESP packet
[ 0.033] Dumping 16 bytes read
[ 0.034] 00000000 0e 00 00 00 10 00 00 00 06 00 00 00 40 0f 00 00 |[email protected]|
[ 0.035] ...payload: 3904 byte(s)
[ 0.035] Receiving payload
[ 0.036] Dumping 12 bytes written
[ 0.037] 00000000 0f 00 00 00 0c 00 00 00 06 00 00 00 |............ |
[ 0.038] Dumping 3904 bytes read
[ 0.038] 00000000 02 00 00 00 00 06 10 01 0b 00 0b ef fc b0 23 00 |..............#.|
[ 0.039] 00000010 94 4f 01 fc d0 00 00 00 00 06 10 01 04 06 01 ef |.O..............|
[ 0.039] 00000020 6f 75 26 00 84 68 01 fc eb 00 00 00 00 00 00 00 |ou&..h..........|
[ 0.040] 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[ 0.041] *
[ 0.041] 000000c0 2d 00 00 00 00 08 01 ef 86 4c 05 00 03 02 0f ef |-........L......|
[ 0.042] 000000d0 66 55 05 00 02 08 01 ef f5 9a 05 00 04 08 01 ef |fU..............|
[ 0.042] 000000e0 26 b9 05 00 06 08 01 ef 71 bc 05 00 08 08 01 ef |&.......q.......|
[ 0.043] 000000f0 79 c0 05 00 0a 08 01 ef 1a c2 05 00 00 03 0f ef |y...............|
[ 0.043] 00000100 07 c3 05 00 0c 08 01 ef 5a c3 05 00 00 02 5d ef |........Z.....].|
[ 0.044] 00000110 cd c4 05 00 06 04 5d ef b6 01 0e 00 00 06 5d ef |......].......].|
[ 0.045] 00000120 93 3e 0e 00 00 07 5d ef 4d 7b 0e 00 00 04 0f ef |.>....].M{......|
[ 0.046] 00000130 2a 7c 0e 00 00 0c 5d ef 2b 84 0e 00 00 0a 5d ef |*|....].+.....].|
[ 0.046] 00000140 ff 85 0e 00 00 10 5d ef 8b 8c 0e 00 01 13 5d ef |......].......].|
[ 0.047] 00000150 a4 eb 0f 00 00 15 5d ef 2d ec 0f 00 00 16 5d ef |......].-.....].|
[ 0.048] 00000160 7b ed 0f 00 0e 08 01 ef b0 00 10 00 00 03 1d ef |{...............|
[ 0.048] 00000170 2e 03 10 00 10 08 01 ef a8 1d 1c 00 00 05 0f ef |................|
[ 0.049] 00000180 5d 20 1c 00 0b 00 0b ef 8f b0 23 00 00 08 01 ef |] ........#.....|
[ 0.049] 00000190 0f b3 23 00 01 08 01 ef c3 b4 23 00 02 08 01 ef |..#.......#.....|
[ 0.050] 000001a0 ee d1 24 00 03 08 01 ef 78 d2 24 00 04 08 01 ef |..$.....x.$.....|
[ 0.051] 000001b0 08 d6 24 00 05 08 01 ef 73 d6 24 00 06 08 01 ef |..$.....s.$.....|
[ 0.051] 000001c0 31 da 24 00 07 08 01 ef 9c da 24 00 01 02 5d ef |1.$.......$...].|
[ 0.052] 000001d0 07 dc 24 00 04 06 01 ef 10 75 26 00 00 08 01 ef |..$......u&.....|
[ 0.052] 000001e0 70 77 26 00 01 08 01 ef 23 79 26 00 02 08 01 ef |pw&.....#y&.....|
[ 0.053] 000001f0 61 96 27 00 03 08 01 ef ec 96 27 00 04 08 01 ef |a.'.......'.....|
[ 0.053] 00000200 63 9a 27 00 05 08 01 ef cf 9a 27 00 06 08 01 ef |c.'.......'.....|
[ 0.055] 00000210 70 9e 27 00 07 08 01 ef db 9e 27 00 00 06 0f ef |p.'.......'.....|
[ 0.056] 00000220 6b db 28 00 00 05 0f ef 4d 40 54 1b 00 00 00 00 |k.([email protected]|
[ 0.057] 00000230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[ 0.057] *
[ 0.058] 00000c00 00 08 01 ef 26 21 00 00 01 01 0f ef 46 23 00 00 |....&!......F#..|
[ 0.058] 00000c10 02 08 01 ef 4b 2c 00 00 00 02 06 ef 37 2f 00 00 |....K,......7/..|
[ 0.059] 00000c20 04 01 07 ef f1 3f 00 00 51 00 07 ef bd 40 00 00 |[email protected]|
[ 0.059] 00000c30 08 10 07 ef 24 44 00 00 51 00 07 ef f0 44 00 00 |....$D..Q....D..|
[ 0.060] 00000c40 04 01 07 ef 57 48 00 00 51 02 07 ef 23 49 00 00 |....WH..Q...#I..|
[ 0.060] 00000c50 08 10 07 ef 8d 4c 00 00 00 02 07 ef 59 4d 00 00 |.....L......YM..|
[ 0.061] 00000c60 0e 03 06 ef 64 4e 00 00 01 04 06 ef 30 4f 00 00 |....dN......0O..|
[ 0.061] 00000c70 42 71 07 ef 8f 52 00 00 01 0e 07 ef 5b 53 00 00 |Bq...R......[S..|
[ 0.062] 00000c80 00 09 06 ef 3b 62 02 00 04 08 01 ef b2 63 02 00 |....;b.......c..|
[ 0.062] 00000c90 06 08 01 ef 47 67 02 00 08 08 01 ef 99 6d 02 00 |....Gg.......m..|
[ 0.063] 00000ca0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[ 0.063] *
[ 0.063] Debug data dump follows
[ 0.065] 00000000 02 00 00 00 00 06 10 01 0b 00 0b ef fc b0 23 00 |..............#.|
[ 0.066] 00000010 94 4f 01 fc d0 00 00 00 00 06 10 01 04 06 01 ef |.O..............|
[ 0.067] 00000020 6f 75 26 00 84 68 01 fc eb 00 00 00 00 00 00 00 |ou&..h..........|
[ 0.067] 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[ 0.068] *
[ 0.068] 000000c0 2d 00 00 00 00 08 01 ef 86 4c 05 00 03 02 0f ef |-........L......|
[ 0.068] 000000d0 66 55 05 00 02 08 01 ef f5 9a 05 00 04 08 01 ef |fU..............|
[ 0.069] 000000e0 26 b9 05 00 06 08 01 ef 71 bc 05 00 08 08 01 ef |&.......q.......|
[ 0.069] 000000f0 79 c0 05 00 0a 08 01 ef 1a c2 05 00 00 03 0f ef |y...............|
[ 0.069] 00000100 07 c3 05 00 0c 08 01 ef 5a c3 05 00 00 02 5d ef |........Z.....].|
[ 0.070] 00000110 cd c4 05 00 06 04 5d ef b6 01 0e 00 00 06 5d ef |......].......].|
[ 0.071] 00000120 93 3e 0e 00 00 07 5d ef 4d 7b 0e 00 00 04 0f ef |.>....].M{......|
[ 0.071] 00000130 2a 7c 0e 00 00 0c 5d ef 2b 84 0e 00 00 0a 5d ef |*|....].+.....].|
[ 0.072] 00000140 ff 85 0e 00 00 10 5d ef 8b 8c 0e 00 01 13 5d ef |......].......].|
[ 0.072] 00000150 a4 eb 0f 00 00 15 5d ef 2d ec 0f 00 00 16 5d ef |......].-.....].|
[ 0.072] 00000160 7b ed 0f 00 0e 08 01 ef b0 00 10 00 00 03 1d ef |{...............|
[ 0.073] 00000170 2e 03 10 00 10 08 01 ef a8 1d 1c 00 00 05 0f ef |................|
[ 0.073] 00000180 5d 20 1c 00 0b 00 0b ef 8f b0 23 00 00 08 01 ef |] ........#.....|
[ 0.073] 00000190 0f b3 23 00 01 08 01 ef c3 b4 23 00 02 08 01 ef |..#.......#.....|
[ 0.075] 000001a0 ee d1 24 00 03 08 01 ef 78 d2 24 00 04 08 01 ef |..$.....x.$.....|
[ 0.075] 000001b0 08 d6 24 00 05 08 01 ef 73 d6 24 00 06 08 01 ef |..$.....s.$.....|
[ 0.076] 000001c0 31 da 24 00 07 08 01 ef 9c da 24 00 01 02 5d ef |1.$.......$...].|
[ 0.076] 000001d0 07 dc 24 00 04 06 01 ef 10 75 26 00 00 08 01 ef |..$......u&.....|
[ 0.076] 000001e0 70 77 26 00 01 08 01 ef 23 79 26 00 02 08 01 ef |pw&.....#y&.....|
[ 0.077] 000001f0 61 96 27 00 03 08 01 ef ec 96 27 00 04 08 01 ef |a.'.......'.....|
[ 0.077] 00000200 63 9a 27 00 05 08 01 ef cf 9a 27 00 06 08 01 ef |c.'.......'.....|
[ 0.077] 00000210 70 9e 27 00 07 08 01 ef db 9e 27 00 00 06 0f ef |p.'.......'.....|
[ 0.077] 00000220 6b db 28 00 00 05 0f ef 4d 40 54 1b 00 00 00 00 |k.([email protected]|
[ 0.078] 00000230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[ 0.078] *
[ 0.079] 00000c00 00 08 01 ef 26 21 00 00 01 01 0f ef 46 23 00 00 |....&!......F#..|
[ 0.079] 00000c10 02 08 01 ef 4b 2c 00 00 00 02 06 ef 37 2f 00 00 |....K,......7/..|
[ 0.079] 00000c20 04 01 07 ef f1 3f 00 00 51 00 07 ef bd 40 00 00 |[email protected]|
[ 0.079] 00000c30 08 10 07 ef 24 44 00 00 51 00 07 ef f0 44 00 00 |....$D..Q....D..|
[ 0.080] 00000c40 04 01 07 ef 57 48 00 00 51 02 07 ef 23 49 00 00 |....WH..Q...#I..|
[ 0.080] 00000c50 08 10 07 ef 8d 4c 00 00 00 02 07 ef 59 4d 00 00 |.....L......YM..|
[ 0.080] 00000c60 0e 03 06 ef 64 4e 00 00 01 04 06 ef 30 4f 00 00 |....dN......0O..|
[ 0.081] 00000c70 42 71 07 ef 8f 52 00 00 01 0e 07 ef 5b 53 00 00 |Bq...R......[S..|
[ 0.081] 00000c80 00 09 06 ef 3b 62 02 00 04 08 01 ef b2 63 02 00 |....;b.......c..|
[ 0.081] 00000c90 06 08 01 ef 47 67 02 00 08 08 01 ef 99 6d 02 00 |....Gg.......m..|
[ 0.082] 00000ca0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[ 0.082] *
[ 0.083] ...cpu.id = 2368 (0x940)
[ 0.083] ...cpu.sn = 35891122 (0x223a7b2)
[ 0.083] Opening singleimage
[ 0.086] ERROR: error opening singleimage
[ 0.087] Check qboot_log.txt for more details
[ 0.087] Total time: 0.089s
[ 0.087]
[ 0.087] qboot version 3.40
[ 0.087]
[ 0.087] DEVICE {
[ 0.087] name = "\\.\COM5",
[ 0.087] flags = "0x67",
[ 0.087] addr = "0x61FE5C",
[ 0.087] sahara.current_mode = "3",
[ 0.087] api.buffer = "0x1068020",
[ 0.087] cpu.serial = "35891122",
[ 0.087] cpu.id = "2368",
[ 0.087] cpu.sv_sbl = "0",
[ 0.087] api.bnr = "0x1232FE8",
[ 0.087] }
[ 0.087]
[ 0.087]
[ 0.087] Backup & Restore {
[ 0.087] num_entries = 0,
[ 0.087] restoring = "false",
[ 0.087] backup_error = "not started",
[ 0.087] restore_error = "not started",
[ 0.087] }
[ 0.087]
The one for the Moto X Force Modded blankflash is attached to the post post
I recently acquired a Verizon-branded LG V20 (VS995) and I my eventual goal is to put TWRP and LineageOS on it like my last phone. The first step is to downgrade it to a vulnerable stock image using UPPERCUT. However, I'm finding that LGUP is unable to begin to perform the flash.
My setup/procedure is as such:
1. Fresh Windows 7 x64 installation in Virtualbox 5.2.16 on Arch Linux
1a. USB filter setup so that USB 1004:633a is always passed through to Windows 7
2. Installed drivers: LGMobileDriver_WHQL_Ver_4.2.0.exe
3. Installed LGUP 1.14: LGUP_Store_Frame_Ver_1_14_3.msi
4. Insert battery into LG V20 VS995
5. Insert USB into computer
6. Hold VOLUP while inserting USB-C into V20
7. Wait as "download mode" message appears and then changes to "Firmware Update" screen.
8. Wait for Windows to install all drivers, ensuring devmgmt.msc shows COM port
9. Launch UPPERCUT v1.0.0.0, granting admin permissions
10. Wait for LGUP to launch, initialize, and show a VS9951CA device
11. Select the December 2016 KDZ: VS99512A_06_1114_ARB00.kdz
12. Select UPGRADE and hit Start
After waiting for the 15 second initialization period, LGUP displays the error "Cannot decide device boot mode. set Unknown". If left in this state for several minutes, LGUP will eventually bring up a dialog saying "Error: 0x2000, Port open error (COMX)". LGUP sometimes says it is on a step which I have not transcribed correctly but resembles "_prepareAndDL" before showing the "Cannot decide device boot mode. set Unknown" error, but I've only seen this step once or twice.
SHA1 sums of the files I'm using:
eac54e3e0cfe6e8d7cd395e245170e13de4fcd67 lgmobiledriver_whql_ver_4.2.0.exe
f7b41f77047698bc8e030dddf4ef6fbdb5c3af41 lgup_store_frame_ver_1_14_3.msi
46c9a349d62287d81c94ce7148233c0922604273 uppercut_1.0.0.0.zip
3104b93b7243e3274932b2c56b8383cdecf7ede3 vs99512a_06_1114_arb00.kdz
Is UPPERCUT still the recommended tool to flash stock firmware for this model? Should I be installing it via fastboot instead (if so, is there a thread to follow)? Is the 1CA update no longer downgradable?
--------------------
I tried to use the patched LGUP tool instead of UPPERCUT to see if that helped at all. I did not try to flash the KDZ, but rather just tried to DUMP the existing partitions. I ran into the same error as the post title again.
Procedure:
0. In the LGUP program files directory:
1. Copy the original LGUP.exe to LGUP.original.exe
2. Copy the patched LGUP.exe into it's place
3. Copy in the 'model/common' directory from the patched LGUP zip
4. Steps 4->8 from above
9. Launch patched LGUP (no UPPERCUT)
10. Same as above
11. Select DUMP, hit start, select dump location
SHA1 sum of additional files:
242640ddb023308b9a103e0a767f27511c9a2db0 lgup_v20dll_patched.zip
I captured a trace of the USB communication with wireshark. I used the LG LAF protocol plugin (can't post links yet: github com/Lekensteyn/lglaf/blob/master/lglaf.lua) and it didn't find any USB frames that matched the protocol. I'm no USB wire protocol expert, but it looks like the phone is sending a response:
Code:
0000 1b 00 10 b0 62 03 80 fa ff ff 00 00 00 00 09 00 ...°b..úÿÿ......
0010 01 02 00 01 00 83 03 97 00 00 00 ef a0 00 00 00 ...........ï*...
0020 00 00 56 53 39 39 35 00 00 00 00 00 56 53 39 39 ..VS995.....VS99
0030 35 31 43 41 00 00 00 00 00 00 00 00 00 00 00 00 51CA............
0040 00 00 00 00 00 00 00 00 00 00 01 33 35 39 39 36 ...........35996
0050 38 30 37 32 39 39 39 30 37 36 00 00 00 00 00 60 8072999076.....`
0060 1e 41 6e 64 72 6f 69 64 00 00 00 37 2e 30 00 00 .Android...7.0..
0070 00 00 00 00 00 3X 3X 3X 3X 3X 3X 3X 3X 3X X9 00 .....XXXXXXXXXX.
0080 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ................
0090 00 00 00 00 00 00 31 63 6f 6d 6d 6f 6e 00 00 00 ......1common...
00a0 56 5a 57 31 00 00 00 00 00 00 00 00 00 00 7d 5d VZW1..........}]
00b0 86 7e .~
There were five such frames, all essentially identical less a byte or two. I suspect if I had let the capture go they would have continued to arrive at an interval. So it's possible the LGUP tool just is not recognizing the ping that the phone is sending?
Install the VirtualBox extension pack and set your USB config for that VM to 2.0 or 3.1, and you should be good.
1CA is definitely downgradable. This is a USB communication problem.
-- Brian
I re-confirmed that I had the guest extensions installed (VM has no nic and all files were transferred in via shared folders, which requires guest extensions). But it turns out I did have the USB bus set to USB 2.0. After setting that to USB 3.0 and installing the Intel USB3 drivers for Windows, LGUP started the download without issue. This is still the patched LGUP (no UPPERCUT) and using the UPGRADE option with the KDZ mentioned in the OP. Oddly enough, it did not clear my data, as it asked for my encryption passphrase when it rebooted. It did successfully downgrade me, so I just did a factory reset to clear my old data and apps. As a reminder, the LG out-of-the-box experience starts checking for OTA updates as soon as the phone starts up, so remove your SIM before you start.
1. Remove SIM
2. Do one of the following:
CLI:
Code:
vboxmanage modifyvm $vmname --usbehci off && vboxmanage modifyvm $vmname --usbxhci on
UI: Right click VM > Settings > USB > USB 3.0 (XHCI) Controller