Database Users

Restore the Universal from scratch via JTAG

Hi Universal cracks,
i got a Qtek device which seems totally bricked.
The history of the device is unknown, so my investigation is getting deeper and deeper.
On gathering all information together it seems that the IPL and maybe also the SPL is damaged and cannot be easily revovered, because the bootmenu is not reachable in any way (believe me, i read everything about recovering intensely ).
That's why i'm looking for a general way to recover bricked devices using JTAG.
The idea is the following:
1. Access the device via jtag
2. Setup ram according to the setting used in wince or linux kernel
3. Rewrite IPL (it is yet unknown how to do it!)
4. Load SPL as executable binary into RAM using JTAG
5. Start the SPL from RAM
6. With SPL running from RAM Re-format the DOC reinstall SPL into DOC
Restart
That's it!
To resume my efforts so far i may report:
1. JTAG connection established (using OpenOCD or OCD Commander)
2. Init SDRAM (using intel PXA270 development kit setup)
3. Write a file to SDRAM and start it
4. Made a dump of IPL and SPL (using haret)
What did not work???
1. Access mDOC G3 in normal mode via JTAG (seems to stick in reset mode)...
2. Rewrite IPL using JTAG...
3. Start the SPL successful from SDRAM base address....
What do you think specialists!
Anyone willing to help?
Cheers,
scholbert

Hello Scholbert,
Sorry I couldn't help you out on this matter. But When I read your post I thought that you gone deeper than me in this technically.
So can Please go though my problem http://forum.xda-developers.com/showthread.php?t=353063 & help me out to solve WHITE SCREEN Problem?
Thanks in Advance.

bootloader
Hi scholbert, it couldn't be enough to simply rewrite the bootloader?
Please could you post the patched version of openwince jtag?

Hi roglio,
roglio said:
Hi scholbert, it couldn't be enough to simply rewrite the bootloader?
Click to expand...
Click to collapse
Maybe you're right , restoring the uni via JTAG could be mission impossible (at least the way described in my starting post).
As far as i got to know from various postings, the bootloader itself does some security checks during runtime (password checking, CRC checking ...).
It could require some real awful hacks, to start the SPL from RAM with an external debugger.
Please could you post the patched version of openwince jtag?
Click to expand...
Click to collapse
I made a lot experiments on other platforms using the openwince jtag.
In this case i used the famous OpenOCD:
http://openfacts.berlios.de/index-en.phtml?title=Building_OpenOCD
There's PXA270 support out of the box!
You have to download the sources from their SVN-repository .
Anyway i'll have a look on my workstation in a few days, what could be of interest for the geeks out there.
Regards,
scholbert

Geek inside
Hi scholbert, all bricked universal are broken because the bootloader was wrongly updated or overwritten with a bad update. If we look for a fresh bootloader, the right starting address and wrote it back we've fixed the major problem. Recover a universal starting from this point is already well documented...
Tomorrow I'll download OpenOCD and try to compile it on cygwin to start doing some experiments.
I lack of some informations anyway: the most important is the address where to put the correct bootloader...
I'll post any further step ahead.
Thanks.
roglio

Hi again,
roglio said:
Hi scholbert, all bricked universal are broken because the bootloader was wrongly updated or overwritten with a bad update.
Click to expand...
Click to collapse
this seemed to be happened to my device too. With single stepping starting at address 0x0 there's an error after some instructions. So it seems there's wrong assembler code in the IPL section already.
If we look for a fresh bootloader, the right starting address and wrote it back we've fixed the major problem. Recover a universal starting from this point is already well documented...
Click to expand...
Click to collapse
That's the theory .
Tomorrow I'll download OpenOCD and try to compile it on cygwin to start doing some experiments.
Click to expand...
Click to collapse
Good luck for this action! I did compile it on a debian linux system.
I lack of some informations anyway: the most important is the address where to put the correct bootloader...
Click to expand...
Click to collapse
Let's assume we got a working device .
As far as i know, this is what happens after coldboot (comments welcome):
1. DOC is in reset mode, processor jumps to address 0x0 and excutes IPL
2. IPL initializes RAM, switches DOC to normal mode and copies SPL to RAM
3. further details of IPL functions unknown
4. leaving IPL, jump to physical address 0xa0000000
5. execute SPL ....
The problem is, that at this point various system checks are following.
If something goes wrong before we good USB serial connection or bootloader screen. The processor simply could stop at any instruction and we won't know why .
I'll post any further step ahead.
Thanks.
roglio
Click to expand...
Click to collapse
Good luck for your next steps!!!
Maybe, we may draw some attention with this little discussion. It would be nice to get things rollin' and someday there'll be hope for all those bricked devices around .
P.S.:
I already made bootloader dumps. See attachments!
IPL and IPL2 got the same content but they were dumped on different physical addresses. SPL was dumped from RAM. Of course these files were taken from a working device.
scholbert

Hi, after your description of the boot process I'm not so optimist anymore...
Anyway, I've just finished to compile OpenOCD under cygwin, without any major problem.
Just a doubt: which configuration file are you using?
Does you have already configured also the flash banks?
I share your doubts about what's happen after SPL execution... IMHO anyway we should give a chance to a complete reflash: fully dump a working device and after wrote it back to a bricked uni just to see what happen.
Some time ago, I've accidentally overwritten the bootloader of a Toshiba e740 PDA (very nice device indeed). After using a proprietary jtag sw/hw I've resurrected it simply writing the bootloader back in place.
This give me at least a hope...

Hi roglio,
Anyway, I've just finished to compile OpenOCD under cygwin, without any major problem.
Click to expand...
Click to collapse
Great!!!
Just a doubt: which configuration file are you using?
Click to expand...
Click to collapse
I will post the configuration file as soon as possible (it's on my linux machine at work ).
Does you have already configured also the flash banks?
Click to expand...
Click to collapse
No, only the PXA270 chip select for the DOC device was set up. These NAND flashes need special initialisation to switch form reset mode to normal mode to be programmed or to read the filesystem.
This process was not yet successful using JTAG .
I share your doubts about what's happen after SPL execution... IMHO anyway we should give a chance to a complete reflash: fully dump a working device and after wrote it back to a bricked uni just to see what happen.
Click to expand...
Click to collapse
If we are able to access the DOC device in a proper way, this may work.
At least there are professionel programmers on the market, that are able to reprogram these devices using the JTAG interface. But these are very, very expensive .
Some time ago, I've accidentally overwritten the bootloader of a Toshiba e740 PDA (very nice device indeed). After using a proprietary jtag sw/hw I've resurrected it simply writing the bootloader back in place.
Click to expand...
Click to collapse
Yes basically this also possible for the uni, but this damn#?=% DOC device is very hard to handle. There's also no linux device driver for these devices yet.
Great work anyway!!!
This give me at least a hope...
Click to expand...
Click to collapse
Our hope should never die .
Best regards,
scholbert

Googling
Hi, scholbert! Today I was googling around and I've found some interesting informations about mDOCs... These special flashrom are internally handled as NAND flash but with the cpu (when used to eXecute In Place XIP) are handled as NOR flash chips. I haven't still found useful information to understand how this could be useful for our goal.
Another interesting information about mDOCs is that exists some pc software that permit to flash them via jtag but are part of very expensive development packages!
Anyway mDOCs are handled by linux! Basically it is possible to patch the linux kernel to handle them via trueffs. I'll be more detailed tomorrow, but my first impression is that these information about linux drivers for mDOC family aren't useful for our project...
Does you have retrieved the conf file for openocd?

Hi roglio,
that's nice information. I also gathered together anything about the mDOC series i could find, all over the planet. If you need more details
Unfortunately, there's no source code of the low level routines to access this device. If someone would share m-systems BDK for the G3, you're welcome!
Does you have retrieved the conf file for openocd?
Click to expand...
Click to collapse
Yes, but i realized that i used a slightly modified one of the standard package (no SDRAM init, nothing but access PXA270).
You will find it attached!
My efforts with the uni using OpenOCD get stuck at a point, because i only got a very simple JTAG hardware. To use it as a debugger you also need to have influence on the systems reset.
That's why i decided to used some Macraigor stuff to get nice hardware debugger for accessing the universal hardware with OCD Commander.
Obviously both systems are very similar.
OpenOCD is completely GPL, so this should be first choice in the end!!!
You will also find the OCD Commander config file (htc-uni.zip) attached.
This could be the base for an OpenOCD script (very similar stuff).
Just an additional information:
I successfully disassembled the IPL . At the moment i'm in the process of clearing up, how the basic init process is working!
I nearly forgot to mention, that you'll need to update the description for the stepping of PXA270 in the OpenOCD source code. If i remember correctly, the C5 is missing. Without it the PXA is not recognized correctly. I will post the updated file tomorrow.
Stay tuned!!!
scholbert

scholbert said:
I also gathered together anything about the mDOC series i could find, all over the planet. If you need more details
Click to expand...
Click to collapse
Yes! Post it! Thank you! (or send them to rapidshare or similar).
scholbert said:
Just an additional information:
I successfully disassembled the IPL . At the moment i'm in the process of clearing up, how the basic init process is working!
Click to expand...
Click to collapse
A weird idea... What do you think about relocate and then recompile IPL and run it from SDRAM?
You should remove and/or modify IPL routines related to SDRAM init anyway!
Which tools are you using to decompile IPL?

Hi,
Yes! Post it! Thank you! (or send them to rapidshare or similar).
Click to expand...
Click to collapse
I will somehow. Maybe i'll put on my website or post it here!
Very busy at the moment .
A weird idea... What do you think about relocate and then recompile IPL and run it from SDRAM?
You should remove and/or modify IPL routines related to SDRAM init anyway!
Click to expand...
Click to collapse
The first attempt will be to enhance the JTAG config file with all that stuff i already found out, e.g. setup all GPIO, alternate functions .....
Relocate and compile would be nice too, but more work .
Which tools are you using to decompile IPL?
Click to expand...
Click to collapse
Someone in the forum pointed out to use radare. This was the starting point for further investigation.
At least radare uses objdump for disassembly.
So i decided to use the tools itself.
Here's a short howto:
How to convert raw arm binaries to elf and disassemble the code:
Although not every ARM code is compiled with the famous GCC (e.g. wince binaries) you may use some tools
of the GCC to convert raw binary code that is executable on ARM platforms.
Make sure that you made a real memdump or read out pure flash files from a known offset (reset entry points, direct jumps into code, etc).
In other words use pure binaries!!!
Otherwise this method won't work. It is nice to disassemble bootloader code for example.
Image files with filesystem information won't work, either!!
You'll need a working ARM cross compiler in this example the arm-none-eabi gcc version 4.2 from codesourcery was used.
1. first you have to build an elf-binary for ARM without offset (assumed 0x0) from the raw binary.
arm-none-eabi-objcopy -I binary -B arm -O elf32-littlearm ipl_0x0-0x800.bin ipl_0x0-0x800.elf
2. second simply disassemble the elf-binary!
arm-none-eabi-objdump -D ipl_0x0-0x800.elf > ipl_0x0-0x800.asm
That's it!
scholbert
Click to expand...
Click to collapse
Of course you need some skills to point out how assembler code is organized and you'll have to find out where ASCII strings are stored. If you don't check this everything looks like instruction code!
Regards,
scholbert

scholbert said:
Hi,
I will somehow. Maybe i'll put on my website or post it here!
Very busy at the moment .
Click to expand...
Click to collapse
Ok... I'll look forward for these documents! Thanks!
scholbert said:
The first attempt will be to enhance the JTAG config file with all that stuff i already found out, e.g. setup all GPIO, alternate functions .....
Click to expand...
Click to collapse
Great!
After my jtag will be fully functional, I'll try to do some experiments running IPL from memory...
scholbert said:
Of course you need some skills to point out how assembler code is organized and you'll have to find out where ASCII strings are stored. If you don't check this everything looks like instruction code!
Click to expand...
Click to collapse
I'm a little rusty... but I'll try!
Anyway I found a very great tool for disassembling arm code: IDA Pro v5.2
It is awesome.
Cheers,
roglio

Anyway I found a very great tool for disassembling arm code: IDA Pro v5.2
It is awesome.
Click to expand...
Click to collapse
Yeah i know. I once worked with the eval version.
Very nice piece of software, but no freeware.
Good luck for your experiments!!!
scholbert

IPL disassembled
Hi scholbert!
Attached you will find the IPL asm I've disassembled with IDA.
I hope it could be of some usefulness!
Cheers,
roglio

Hi,
roglio said:
Hi scholbert!
Attached you will find the IPL asm I've disassembled with IDA.
I hope it could be of some usefulness!
Cheers,
roglio
Click to expand...
Click to collapse
Great work!
Here's mine. As you will see it's very equal (at least it should be ).
I made some comments already, but it's not finished yet.
The structure can be seen already. It is soon possible to reconstruct the whole asm code and compile it .
scholbert

is it all necessary ?? more easy way in desoldering flash ... and program it or change to flash from dead device

@scholbert: wow you're always at least a step ahead!!!
Great!
@mo3ulla: hi! yes it is worth the effort because the chance to have skills to build a jtag connector is greater than have skills (and tools) to reball a bga chip (and program it!).
With jtag interface and a relocated IPL we can resurrect bricked uni simply loading it in ram and running. Then reflash the pda with a simple usb cable

Hi,
roglio thanks for the credits .
But at least this no competition, it's really great that someone took a look at this posting and started to discuss.
This goes out to you roglio .
mo3ulla said:
is it all necessary ?? more easy way in desoldering flash ... and program it or change to flash from dead device
Click to expand...
Click to collapse
When i started this topic, i thought about a way to de-brick some uni's without touching the hardware. So roglio is absolutely right!
Once tried reballing at home???
At least the major point is:
Why touch the hardware, when it's a software problem?
Obviously no one got a programmer for mDOC devices!
If the universal would have NOR flash all things would be less complicated.
So what we are doing here, is to replace a 10.000$ programmer.
These professional devices do the same in the end, they use software algorithm to programm these NAND flashes.
The SPL uses the same software parts to reprogram G3 NAND flashes, but to start SPL (get into bootloader menu), IPL is needed. On a heavily bricked device these parts are damaged.
If we setup the device like IPL does or recompile IPL to run from RAM using JTAG, it could be possible to start SPL and get into bootloader menu.
The rest is already described here ....
Regards,
scholbert

O.K., here's dump from the bricked uni.
The screenshot shows the IPL section. It seems to be IPL version 2.36 which is for devices with a G4 NAND.
Mine is a G3, so this is the reason why it got bricked.
Someone updated the bootloader with a wrong version .
I enhanced the config file for the JTAG debugger with the settings i found out by disassembling IPL version 0.36 (G3 devices).
But unfortunately no success. The SDRAM is not accessible .
Without SDRAM initialised, i am not able do download SPL to the platform.
grumbl....
I'll have to check all settings again.
Especially the SDRAM setup...........
No time for that at the moment.
Anyone who'd like to join our experiments????
Cheers,
scholbert

[Porting] ANDROID on LG Ks20

Hello everyone,
I'm starting this 3d to support a porting "project" for the LG Ks20. Now I own an HTC Sapphire and I'm really happy with it, thanks to Google Android OS...and it would be so nice to have it running in our phone: it has a quit good hardware specs to run it, and I know it runs well on HTC ELF (Yes, the ELF, not only the Vogue ), wich specs are worse than Ks20's, so why don't give a try?
About a year ago, in Kaiser Android developing thread, I found that someone (spocky ) was able to run Vogue's android kernel on Ks20, than i tried it and just stop there... just curious. Then, in theese days, I reconsider this project and I began to investigate...As far as I know there's a lot of porting project on msm7200-based devices, and ks20 hardware is very closer to other phones...so I think we have some chances!
This is the situation:
- Lg Ks20 can run earlier (0.8 ver) vogue kernel and Niki's kernel with Haret, but only within RamDisk...so reading images files from SD doesn't work as Haret doesn't recognize it. This is the 1st big issue, as we can't load and run the last bigger 1.0,1.1,1.5 android rootfs'images directly into RAM...
- Touch screen doesn't work
- Usb network doesnt' work, so you can't login trough ssh so there's no input options after the kernel is loaded; you can try to boot Angstrom distro on Ks20: it works, but without input method you can't even login
Basically you cant' do anything for now, just boot the image and try running 1 or 2 applications...but this is a good start, and it means that it could be done! We have a bootable kernel, an LCD working and you can see Android graphical interface on the ks20.
now the first thing is to have a complete list of Lgks20 GPIOs. This can be done using HARET. I try to get the list using a Haret version that recognize msm7200 as msm7500 (they're pretty similar), and I obtain these results:
Code:
HARET#1 watch gpios 10
Beginning memory tracing.
Watching GPIOS(00): Addr 92b00800(@a9200800)
Watching GPIOS(01): Addr 92a00c00(@a9300c00)
Watching GPIOS(02): Addr 92b00804(@a9200804)
Watching GPIOS(03): Addr 92b00808(@a9200808)
Watching GPIOS(04): Addr 92b0080c(@a920080c)
Watching GPIOS(05): Addr 92b00834(@a9200834)
Watching GPIOS(06): Addr 92a00c20(@a9300c20)
Watching GPIOS(07): Addr 92b00838(@a9200838)
Watching GPIOS(08): Addr 92b0083c(@a920083c)
Watching GPIOS(09): Addr 92b00840(@a9200840)
Watching GPIOS(10): Addr 92b00810(@a9200810)
Watching GPIOS(11): Addr 92a00c08(@a9300c08)
Watching GPIOS(12): Addr 92b00814(@a9200814)
Watching GPIOS(13): Addr 92b00818(@a9200818)
Watching GPIOS(14): Addr 92b0081c(@a920081c)
000.000 GPIOS 92b00800=0
000.000 GPIOS 92a00c00=1f0005d
000.000 GPIOS 92b00804=4000
000.000 GPIOS 92b00808=12200
000.000 GPIOS 92b0080c=0
000.000 GPIOS 92b00834=0
000.000 GPIOS 92a00c20=1f00050
000.000 GPIOS 92b00838=1f04008
000.000 GPIOS 92b0083c=3c1a208
000.000 GPIOS 92b00840=0
000.000 GPIOS 92b00810=f
000.000 GPIOS 92a00c08=fc0c2
000.000 GPIOS 92b00814=1feff09
000.000 GPIOS 92b00818=423660d
000.000 GPIOS 92b0081c=0
....
[B]007.466 GPIOS 92a00c20(213)=1d00050
007.606 GPIOS 92a00c20(213)=1f00050[/B]
So, when I press the Joypad Down, for example, it shows me the last 2 values, and so on...
My questions:
- Now, why there are only 14 GPIOs available while on Ks20 service manual are more than 90?
- is GPIO(00) a list of GPIOs 0 to 15 maybe? ...GPIO(01) 16-31 etc?
- According to Ks20 service manual The Joypad correspond to GPIOs 33 to 40...So what's 213 ?
- Why aren't there GPIOs changes when I touch the touchscreen (but yes, can get irqs trought "wirq" command )
- Maybe I have to re-compile haret forcing it recognize the msm7200 , or Ks20 MTYPE? If so, how to do it?
The next goal is to get SD and usb net interface working
Thanks to all people that will help me...
(To try it , unzip the attachment in the link below to your sd card in one folder, then run Haret and tap "Run"; maybe you have to press some buttons during boot to get it loading...don't know the why...)
Useful links:
http://mikechannon.net/PDF Manuals/LG/LG KS20 Service Manual ENG_1123_1.0.pdf - a lot of useful infos, expetially for Qualcomm msm7200 CPU
http://www.megaupload.com/?d=LBNQVSP8 - Android 0.8 Bootkit; basically the same of HTC Nike

nice work!!!!~..
guess seeing HTC sense working on ks20 won't be long...
keep up the good work

Wow cool!
I'll start immediately some work on my LG KS20!!!!
tent:wq

tentator said:
Wow cool!
I'll start immediately some work on my LG KS20!!!!
tent:wq
Click to expand...
Click to collapse
can you figure out how to modify the keypad definition using GPIOs infos provided by Haret and why it gaves me theese values instead of 1 or 0?

gregnapola said:
Hello everyone,
(To try it , unzip the attachment in the link below to your sd card in one folder, then run Haret and tap "Run"; maybe you have to press some buttons during boot to get it loading...don't know the why...)
http://www.megaupload.com/?d=PJ8DGFT8 - Android 0.8 Bootkit; basically the same of HTC Nike
Click to expand...
Click to collapse
Actually that zip should be uncompressed in the root (/) of the SD to work.. not in a folder..
But a part from that, the problem is that on mine I just get a linux boot screen till keyboard detection and then nothing.. after some seconds it just reboots in winmobile again..
so definitely it seems somehow worried about keyboard..
tent:wq

tentator said:
Actually that zip should be uncompressed in the root (/) of the SD to work.. not in a folder..
But a part from that, the problem is that on mine I just get a linux boot screen till keyboard detection and then nothing.. after some seconds it just reboots in winmobile again..
so definitely it seems somehow worried about keyboard..
tent:wq
Click to expand...
Click to collapse
It will have to be uncompressed in the root of SD; since we've not a rootfs to point to yet, uncompressing it to a folder or to the root doesn't matter for now (I'Ve just booted it within 2 subfolders and there's no problem).
Anyway, try to boot it kepping the jog up pressed; I can always boot ti with no probs

Hi,
I guess you already know this site: http://www.androidonhtc.com/start. But just for all the other...

..uhm.. strange.. even by pressing the jog upwards during haret and boot I still get like the linux boot image staing there for some second and then th KS20 rebooting again into windows mobile...
when should I press it upwards? and what should it do?
btw, shouldnt there be something like system.img (or system.gz) in the image??
tent:wq
@Joline: well, but there is no support for KS20 in that site, right?

tentator said:
..uhm.. strange.. even by pressing the jog upwards during haret and boot I still get like the linux boot image staing there for some second and then th KS20 rebooting again into windows mobile...
when should I press it upwards? and what should it do?
Click to expand...
Click to collapse
You shouldn't "keep" the jog pressed, you have to press it alternately
btw, shouldnt there be something like system.img (or system.gz) in the image??
Click to expand...
Click to collapse
As I wrote in the 1st post:
- Lg Ks20 can run earlier (0.8 ver) vogue kernel and Niki's kernel with Haret, but only within RamDisk...so reading images files from SD doesn't work as Haret doesn't recognize it. This is the 1st big issue, as we can't load and run the last bigger 1.0,1.1,1.5 android rootfs'images directly into RAM...
Now, the 0.8 filesystem image is enough small to be loaded entirely into the RAM so initrd and the rootfs are "packed" into one file; since the Android images became larger, it was necessary to separate initrd from rootfs (packed in system.img or system.gz), but without working SD card driver the kernel, once loaded, cannot mount the partition in which the filesystem is.

Joline said:
Hi,
I guess you already know this site: http://www.androidonhtc.com/start. But just for all the other...
Click to expand...
Click to collapse
Yes...I'm learning a loooooot of thing from that site...anyway , thank you

gregnapola said:
You shouldn't "keep" the jog pressed, you have to press it alternately
As I wrote in the 1st post:
- Lg Ks20 can run earlier (0.8 ver) vogue kernel and Niki's kernel with Haret, but only within RamDisk...so reading images files from SD doesn't work as Haret doesn't recognize it. This is the 1st big issue, as we can't load and run the last bigger 1.0,1.1,1.5 android rootfs'images directly into RAM...
Now, the 0.8 filesystem image is enough small to be loaded entirely into the RAM so initrd and the rootfs are "packed" into one file; since the Android images became larger, it was necessary to separate initrd from rootfs (packed in system.img or system.gz), but without working SD card driver the kernel, once loaded, cannot mount the partition in which the filesystem is.
Click to expand...
Click to collapse
Sorry man, but still no success in booting that image, even by pressing up in different moments and repeatingly.. where can I find the lates source for 0.8 vogue? If you proviede a link I'd like to try to recompile the kernel myself and retry.. and in the video you posted in the other thread I noticed that you're also using a different HARET version, right? maybe it's that?
since we have the same phone it sounds strange that it doesn't boot on mine..
tent:wq

tentator said:
Sorry man, but still no success in booting that image, even by pressing up in different moments and repeatingly.. where can I find the lates source for 0.8 vogue? If you proviede a link I'd like to try to recompile the kernel myself and retry.. and in the video you posted in the other thread I noticed that you're also using a different HARET version, right? maybe it's that?
since we have the same phone it sounds strange that it doesn't boot on mine..
tent:wq
Click to expand...
Click to collapse
I'm sorry!!!! Maybe I uploaded the wrong files from my PC...I've TONS of kernel and images ... now I'm uploading them from the folder in my phone, look at the 1st post when it's done . Haret is good though... sorry again

same thing for me didn't start on mine
please tell us how to do step by step

karim_31 said:
same thing for me didn't start on mine
please tell us how to do step by step
Click to expand...
Click to collapse
Now it should works... Let me know...

gregnapola said:
I'm sorry!!!! Maybe I uploaded the wrong files from my PC...I've TONS of kernel and images ... now I'm uploading them from the folder in my phone, look at the 1st post when it's done . Haret is good though... sorry again
Click to expand...
Click to collapse
Ok, something changed now at least.. I downloaded this new one and I can get to the supercar-like red bar weaving on the screen, but then shortly after seeing for a short moment the android desktop it again reboots spontaneously.. what's it sort of watchdog? Uhm... Maybe there some button trick that I did not get correctly?
Well but anyway if there is something to be compiled I'd also like to try that way..
tent:wq
PS: karim, do you notice the same?
PS2: I also noticed that the initrd image is a .zip file.. does it mean I need to decompress it first? Because looking at the header of it it does not seem zipped archive......

tentator said:
Ok, something changed now at least.. I downloaded this new one and I can get to the supercar-like red bar weaving on the screen, but then shortly after seeing for a short moment the android desktop it again reboots spontaneously.. what's it sort of watchdog? Uhm... Maybe there some button trick that I did not get correctly?
Click to expand...
Click to collapse
Maybe mine is "Magic" ...seriously, my ks20 restarts only if I don't press anything, otherwise it stays on even for a day...Actually you can only open google maps app with this keymap
Well but anyway if there is something to be compiled I'd also like to try that way..
tent:wq
PS: karim, do you notice the same?
PS2: I also noticed that the initrd image is a .zip file.. does it mean I need to decompress it first? Because looking at the header of it it does not seem zipped archive......
Click to expand...
Click to collapse
http://forum.xda-developers.com/showthread.php?t=441999
here you can find what you're looking for; the initrd extension doesnt matter, it's a gzipped file but it's mounted as disk image. If you unzip it's about 32 MB large and you can't use it with older Haret version because of memory limit (from haret changelogs)

ok.. so then I definitely do something wrong with that joypad up key..
Could you give me some detailed hint on exactly when you press/release and how many times that key and what is on the screen when I need to do it (ok this sounds really silly altrough!! )
tonight I'm goint to try to recompile from git if there is a 0.8 three.. and I'll see what happens with that..
tent:wq

Ok, two quick updates:
1) I was able to boot your android image by pressing the up joggle something like 5 times each 1-2 seconds while booting.. then I could move around the main menu for like 10 seconds and then it rebooted again anyway.. ok I definitely think ther's something with the keys or some watchdog biting..... uhm... (any reports from other users here?)
2) I wasn't able to compile by yesterday since the git repository had some problems and I was not able to clone from git the .config for vogue part in the build, will try later again..
tent:wq

It works! I managed to successfully boot up Android. Unfortunately, I couldn't do much. Here a clip of the boot-up process.
http://www.youtube.com/watch?v=pmH8H4wvTcE

d3thstalker said:
It works! I managed to successfully boot up Android. Unfortunately, I couldn't do much. Here a clip of the boot-up process.
http://www.youtube.com/watch?v=pmH8H4wvTcE
Click to expand...
Click to collapse
Yes, it works....but....please....I'm looking for the nswer in the firts pages. At least for the keymap I need to understand how GPIOs are organized to edit board-vogue-keypad.c or even de default *keypad.c file and map them correctly at least

[Need help] Lenovo Yoga Tablet 2 830L BIOS Dump

Hello, I accidentally flashed my device on PVT Board with DVT firmware. Naturally, the tablet is no longer power on. Send me please a correct PVT dump for programmer. In advance, thank you very much.

attached... there's a risc processor inside the SoC that has anti-theft and firmware tpm technology so be careful at what you feed in your programmer

Thank you very much. But, if not difficult, write what exact tablet was this dump and how programmer.

crosstech said:
Thank you very much. But, if not difficult, write what exact tablet was this dump and how programmer.
Click to expand...
Click to collapse
it's not a dump, is the original firmware from Lenovo for 830 and 1050 models
do you have a hw programmer and if so what model? or you intent on buying one

All a little different. I passed the tablet to the service center and the master could not find a dump for the BIOS chip. All I know about the programmer, is the fact that it should support the flash mode at 1.8 volts.
However, plans to buy the programmer, if necessary.

crosstech said:
All a little different. I passed the tablet to the service center and the master could not find a dump for the BIOS chip. All I know about the programmer, is the fact that it should support the flash mode at 1.8 volts. However, plans to buy the programmer, if necessary.
Click to expand...
Click to collapse
he can use the file i attached, it was already used by many to restore their bios (with my restore kitkat bios tool for the 830-1050 models)
if he does in circuit programming he should leave the battery on and do a programming cycle, afterwards remove the battery connector then reconnect and now he can program (this is needed so that the processor hangs completely, the first time the programming will fail because the processor is still accessing at random times the bios together with the programmer, and the bios will have a bricked firmare, but after that if he removes then plugs back the battery then the processor will hang completely and this time programming will succeed
the thing is not only about the programmer but about your expertise in doing the job, the components are small and you will need the specific smd tools, a special connector that might not even connect as it was in my case due to the placement of the ic, so i had to solder very thin wires on the spi, all in all it's a risky job and you must have the know-how to do it. i am not discouraging you, just trying to say that if you have comeone who did this kind of stuff before let him do it.

Thank you very much for your advice. I will look for the wizard, if I don't, I will try myself. Although I had this experience only with laptops.

please help i also need to flash the bios as my 830LC wont turn on after OTA.

nsxt99 said:
please help i also need to flash the bios as my 830LC wont turn on after OTA.
Click to expand...
Click to collapse
could anyone tell how to differentiate PVT & DVT board?
i tear down my 830LC & found the bios contain in a 25Q64FW chip whereby its support by my RT809F programmer.

nsxt99 said:
could anyone tell how to differentiate PVT & DVT board?
i tear down my 830LC & found the bios contain in a 25Q64FW chip whereby its support by my RT809F programmer.
Click to expand...
Click to collapse
there are no PVT or DVT boards, those are manufacturing stages (PVT being the ready to ship one, while DVT is only used in factory). you can use the file in the zip i attached a few posts above.
is the programmer capable of programming at 1.8V? the FW and DW chips from WinBond are working at 1.8V nominal Vcc (with a peak transitory absolute maximum voltage of Vcc+1V = 2.8V) if it is a 3.3V programmer could cause issues (can work but it can also cause problems)

Hi,
Could anyone please re-post the BIOS file that ionioni attached before? Thanks so much!

find the attachment of BIOS file you want
serepok said:
Hi,
Could anyone please re-post the BIOS file that ionioni attached before? Thanks so much!
Click to expand...
Click to collapse
here attached
if need more help then attach pics with problem description.
Regards

Thank you so much @KAASHP

will this bios work on 1050? how do we apply it?

Thanks for your

Sage said:
will this bios work on 1050? how do we apply it?
Click to expand...
Click to collapse
This works for Lenovo Yoga 830 series. Also may be work on 1050 variant.
you can try it for your device probably it will not brick your device.
reply here if you succeed. good luck :good:

Universal ReadBack Extractor for mtk feature watchphones

Update Mar-12/2016: as long as on the market appeared a long line of new types of mtk6260 mtk6261 mtk2502C mtk2502A (etc) watches equipped with strange new PCB or flash_ID parameters, the new release <Readback Extractor mtk 2.0> now has the capacity to identify, to read, check, rebuild firmware and collect and insert in the .cfg files the flash_ID's coded inside the ROM dump for almost all types of mtk watchphones or smartwatches based on RTOS Nucleus
NOTE: being tested already for mtk6260 mtk6261 mtk2502C and mtk2502A
In short - if you intend to install in your smartwatch new firmwares, mods etc, before to initiate any flashing with the Flash Tool app (pushing that goddamn < Download > button) think twice, 'bove all better DO a backup for the original firmware, why so? because it's containing all original drivers hence you'll be able to recover 100% your watch in case of bricking.
How to:
First you have need of a full dump of your ROM. Assuming that you already got a Flash Tool 5.15.16 and drivers, and you were at the point of flashing something (already chose the download agent and scatter file)
preparations:
a. Set options/backup and restore on no action
b. load the download agent (you find this file inside the flash tool folder)
c. load a scatter firmware - for initialization flash tool needs a scatter file (.cfg) - for dz09 you get this one - for any other than mtk6260A get here and get a firmware compatible with your PCB
d. in case you have W10 - go to the start menu and click on power and hold down the shift key while clicking on restart. A screen then comes up and you need to choose troubleshooting and then startup options. It will then reboot and give you a menu. press 7 which is ignore signed drivers and then when windows comes up, you will be able to install the drivers.
for instance let's say you have a DZ09 smartwatch:
1 - press < Readback > in upper menu and so < Add > in the middle menu
2 - click twice on the item appears in the main window, set name as ROM_DZ choose in browser the path and save
3 - set as Physical start address 0x00000000 and as Length 0x01000000 or 0x00800000 or 00400000 (try them in this order) then ok
4 - turn off the watch, press < Readback > in the middle menu wait 2 seconds and connect through USB your watch
5 - wait until the upload is complete (big green ring)
Now second stage:
1 - download the app I've built attached here (Readback Extractor mtk) and unzip it
2 - create a folder where you intend to keep in safe the original firmware and name it for instance DZ09-Orig
3 - do a copy of Readback Extractor mtk 2.0.exe and place it inside the DZ09-Orig folder then click twice on it
4 - press <Load Readback file> and browse after the ROM_DZ file created before with the Flash Tool then open
5 - Wait about a minute while the app will check bit by bit the integrity of your file
6 - If everything went ok and your file is healthy then app will show " health 100% " so you can proceed to the next step
7 - Press <Rebuild Firmware> and wait about one minute (it shows a progress counter)
8 - When appears the message " - ALL DONE!!!" close app and go back in the DZ09-Orig folder, now you'll find there a set of new files which are the original firmware kit ready to be flashed back in your phone anytime you want
9 - Enjoy flashing anything you like without any fear that something bad can happen
Some tricks for writing IMEI in your watch NVRAM:
you connect to usb your watch (turned on this time) and set the com port on the watch screen, go in device manager and check the port number your watch is connected, then you open Tera Term hyperterminal (google for this app), connect it as serial com on watch com port and then give the command:
AT + EGMR = 1, 7, " imei number "
if on screen appears OK then ready, you've changed your imei
AFTERWARDS READ ME story - Anywhere you search, there is no one to tell you explicitly how to extract from your mtk smartwatch the firmware kit
All says a halfmouth: Do a full < Readback > in Flash Tool, you'll do it being confident that from now on you say goodbye to any risk because you have A BACKUP hence you start flashing new firmwares. And the Big Brick is coming , you smile and get back to your < Readback > backup discovering that, sadly, you have a binary bulk at first sight good for nothing. It cannot be so useless, isn't it? after all it contains full dump of your ROM! I was in exactly the same situation, so 'cause I didn't find any answer I've started reverse engineering . . . and it worked, first I did it manually for guys being in the same situation, 've noticed that is a common issue so I had to choose how to help, simpler but dangerous (for you) way, to create a tutorial <how to> or the hard way (hard for me), to develop an app which will do all "cooking" automatically and I choose the second because in manually way there is a quite big "chance" to mess up with your primary bootloader which could get to a real tragedy - no modem - brickest brick you saw in your entire life
Readback extractor mtk 2.1 beta
Flash Tool and drivers

Lil to late for me XD.... *just ordered a new one btw*

franc33s said:
Lil to late for me XD.... *just ordered a new one btw*
Click to expand...
Click to collapse
Sorry man, couldn't earlier because I have mine either of two weeks or so. . . still a beginner
Look at the bright side, best lessons we learn from our own mistakes, best part is that if you buy the new one from the same seller, you'll have the firmware hence two working watches!

Are there apps in the works to change watch faces without flashing?

kyitech said:
Are there apps in the works to change watch faces without flashing?
Click to expand...
Click to collapse
Unfortunately, yet, there is no way to get in contact with the watch else than through proprietary mediatek drivers so that the only ways to communicate for now are Flash Tool app and bluetooth modem proprietary commands (the most important of them being secret as well)
To do such a reverse engineering is way way way over my pay grade
Still I'm working for an app which could replace any media in the watch (backgrounds, icons) but through flashing method of course

Thanks for the info...I just think this watch have great potential

Golem_ said:
Unfortunately, yet, there is no way to get in contact with the watch else than through proprietary mediatek drivers so that the only ways to communicate for now are Flash Tool app and bluetooth modem proprietary commands (the most important of them being secret as well)
To do such a reverse engineering is way way way over my pay grade
Still I'm working for an app which could replace any media in the watch (backgrounds, icons) but through flashing method of course
Click to expand...
Click to collapse
Sorry for not knowing, but what about bluetooth app transfer in the Google play store. How can they be used on dz09-?

kyitech said:
Sorry for not knowing, but what about bluetooth app transfer in the Google play store. How can they be used on dz09-?
Click to expand...
Click to collapse
. . . bluetooth modem AT commands, just I told this before, generally speaking, in this way all bluetooth app are working, in our case they are proprietary and most of them SECRET. For more information please check this link, it is an older tutorial posted by me on that site

franc33s said:
Lil to late for me XD.... *just ordered a new one btw*
Click to expand...
Click to collapse
I'm almost sure you found these before me, still, here link you have more than 10 versions of dz09 firmwares (others than we checked before)
It looks like they made a firmware for each phone ) very prolific guys when about dz09
Hope this time you catch the right one!

Golem_ said:
I'm almost sure you found these before me, still, here link you have more than 10 versions of dz09 firmwares (others than we checked before)
It looks like they made a firmware for each phone ) very prolific guys when about dz09
Hope this time you catch the right one!
Click to expand...
Click to collapse
yup already did try them all, they boot fine, just no luck getting the Padgene (padgeME) one yet (so my touchscreen driver would work), the guy is still uploading more firmwares tough *fingers crossed*

Golem_ is a hero!
Thanks for all the time you spend with the gt08

flashtool
Hy ,
I am trying to search for the wright flashtool to make my backup.
And where can i find a tutorial?
I have a gv08s.
Wich drivers do i need, and wich version of flashtool?
Thanks in advance

xeph20 said:
Golem_ is a hero!
Thanks for all the time you spend with the gt08
Click to expand...
Click to collapse
thank you for kind words!

Golem_ said:
thank you for kind words!
Click to expand...
Click to collapse
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}

carlospaco said:
Hy ,
I am trying to search for the wright flashtool to make my backup.
And where can i find a tutorial?
I have a gv08s.
Wich drivers do i need, and wich version of flashtool?
Thanks in advance
Click to expand...
Click to collapse
here link you find a good tutorial but instead <download> you have to use <readback>

Golem_ said:
here link you find a good tutorial but instead <download> you have to use <readback>
Click to expand...
Click to collapse
Yes , i have done everything like its said, for couple off days, but i keep getting this error always.
lashtool error: S_BROM_DOWNLOAD_EPP_FAIL (2036)
[EPP] FlashTool environment preparation failed
It May be caused from DRAM initialization failed
Pleace check the EMI information of the MAUI load is correct and fit the target.
Hope that someone can help me with this, i am desperated.
Thanks

carlospaco said:
Yes , i have done everything like its said, for couple off days, but i keep getting this error always.
lashtool error: S_BROM_DOWNLOAD_EPP_FAIL (2036)
[EPP] FlashTool environment preparation failed
It May be caused from DRAM initialization failed
Pleace check the EMI information of the MAUI load is correct and fit the target.
Hope that someone can help me with this, i am desperated.
Thanks
Click to expand...
Click to collapse
give me in PM a skype ID

Golem_ said:
give me in PM a skype ID
Click to expand...
Click to collapse
Oh, i am sorry, but i don't have a skype id.

carlospaco said:
Oh, i am sorry, but i don't have a skype id.
Click to expand...
Click to collapse
Alternatives for live screen sharing like, for instance TeamViewer?

Golem_ said:
Alternatives for live screen sharing like, for instance TeamViewer?
Click to expand...
Click to collapse
i have send you id teamviewer

I would like to mod/hack this. Help please? any and all appreciated.

I got a smartwatch from a friend, they said they bought it at walmart. Someone posted a code to type into the dialer, and i got this info from it
LD991A_BSC_A1_LX7789_9304_CAM3A01_LANGA_V2.2
[BRANCH]:
11CW1352MP
MTK61D_BTDIALER_11C
BUILD:BUILD_NO
SERIAL#:
[BUILD TIME]
2016/11/08 12:15
[MRE VERSION] - 266923472
HAL_VERNO:
also, how would i go about getting the IMEI for this thing? do i need to put some sim card in it before it will give me that? I'd like to do.. whatever i can to this thing, most specificially though, change the watch faces. It has a computerized analog clock, i'd rather it show some sort of nifty digital..
Edit : it was *#8375# that showed that info

Look at this: https://forum.xda-developers.com/sm.../readback-extractor-mtk6260-firmware-t3289272
Be careful to take a full recovery dump before anything else !!!
What model is it?

defdefred said:
Look at this: https://forum.xda-developers.com/sm.../readback-extractor-mtk6260-firmware-t3289272
Be careful to take a full recovery dump before anything else !!!
What model is it?
Click to expand...
Click to collapse
That's the thing, with it being chinese with english language. I'm not completely sure. The info there says it's "A1", and it matches the watches called that, on youtube. So, i guess?

Eve_brea said:
That's the thing, with it being chinese with english language. I'm not completely sure. The info there says it's "A1", and it matches the watches called that, on youtube. So, i guess?
Click to expand...
Click to collapse
If it's a "A1" clone I'm very interesting by your firmware !!!
I trashed mine stupidly before having the full dump completed and now I'm stuck with another ROM that cause my screen/touch screen to be inverted!
You need to install the MTK usb drivers under micro$oft windows + the flash tool https://drive.google.com/file/d/0B_hRh3DjuBoeeUk3azBBU0ZvSXc/view?usp=sharing
The first thing to do is a "readback" backup => you will get a 4MB dump of the firmware. Keep it safe!
If you want to try the "test ram" feature, be careful to suppress the NOR test (because it will destroy your firmware) .
You can use the config file from https://drive.google.com/drive/folders/0B_hRh3DjuBoeZktTVXJrWms1U1k to feed the flashtool, but dont "download" neither "format", it will destroy your firmware!

defdefred said:
If it's a "A1" clone I'm very interesting by your firmware !!!
I trashed mine stupidly before having the full dump completed and now I'm stuck with another ROM that cause my screen/touch screen to be inverted!
You need to install the MTK usb drivers under micro$oft windows + the flash tool https://drive.google.com/file/d/0B_hRh3DjuBoeeUk3azBBU0ZvSXc/view?usp=sharing
The first thing to do is a "readback" backup => you will get a 4MB dump of the firmware. Keep it safe!
If you want to try the "test ram" feature, be careful to suppress the NOR test (because it will destroy your firmware) .
You can use the config file from https://drive.google.com/drive/folders/0B_hRh3DjuBoeZktTVXJrWms1U1k to feed the flashtool, but dont "download" neither "format", it will destroy your firmware!
Click to expand...
Click to collapse
Well, if i can pull out a copy of the files, i don't mind sharing them. However I'm not going to do it if there's nothing useful to me. Are there files to. do anything to my watch? Can i change the faces as i want? Add other apps? Unlock the device? It has a sim card slot, i ordered a card from the free company "freedompop" i plan to try in it, but i'm not sure how it's going to go.

Concerning watch faces, is it easly, thanks to Golem, for MT6260 models => https://forum.xda-developers.com/smartwatch/other-smartwatches/watch-vxp-files-t3437311
But it is still ongoing / difficult /maybe impossible for MT6261 models with 4MB ROM / 32 MB RAM.
What is your models (check with the Flashtool / RAM test and don't forget to uncheck the box for the NOR test) ?
One you have a correct backup, you may try other firmware (with other faces) => https://drive.google.com/folderview?id=0B_hRh3DjuBoeblBsakZfUWFCeGM&usp=sharing
Notice that only few will work due to hardware variety of clones.

defdefred said:
If it's a "A1" clone I'm very interesting by your firmware !!!
I trashed mine stupidly before having the full dump completed and now I'm stuck with another ROM that cause my screen/touch screen to be inverted!
You need to install the MTK usb drivers under micro$oft windows + the flash tool
The first thing to do is a "readback" backup => you will get a 4MB dump of the firmware. Keep it safe!
If you want to try the "test ram" feature, be careful to suppress the NOR test (because it will destroy your firmware) .
Click to expand...
Click to collapse
I used *#8375# on the one I just got and came up with the exact match to what OP posted.
Managed to get a Readback on the Rom and formed a back up with the flashtool.
Posted to my google drive if you can download and look at it:
/ file/ d/0ByCO5YTrx3QBWWRqRTJyQVFub3M/ view?usp=sharing
Hope this helps since you were interested. If I need to do something else done to it please let me know username at gmail...