Xiaomi Mi Notebook Air 13 2018 8250u/8550u MX150 - Windows 10, 8, 7, XP etc.

Hi,
This will be a place where I will work on the BIOS and will provide the following:
* Unlock XTU voltage and power control
* Change fake MB S/N (1234567890123456789012) to original which can be found on the battery
* Change Chinese Win 10 product key in BIOS to English Win 10 Home/Pro
* Unlock hidden features in BIOS
* Any other possible mods I'll come up with
Original thread started here - https://www.reddit.com/r/Xiaomi/com...k_pro_bios_patcher_for_0502_and_0603/e50w9cw/
Be careful flashing others' firmware as it will overwrite your Win key, device S/N and motherboard S/N. I will create a tutorial on how to do this properly, keeping your original and unique data.
Tutorial for unlocking hidden settings in XTU:
https://forum.xda-developers.com/showpost.php?p=77626628&postcount=11
Tutorial for removing BIOS flash protection, Preparing BIOS to flash and fixing MB S/N:
https://forum.xda-developers.com/showpost.php?p=77690179&postcount=20

Where can I download XMAKB3M0P100B? I had this version but I changed to 705 for undervolting. Now, I would like to update. @Shaqee

Hi,
At the moment there is no official BIOS from XIAOMI, only backups. But there is an official Insyde tool to create signed firmware - once I have more time, I'll dig deeper into it.

Shaqee said:
Hi,
At the moment there is no official BIOS from XIAOMI, only backups. But there is an official Insyde tool to create signed firmware - once I have more time, I'll dig deeper into it.
Thanks! I will wait when you take out the mod bios.
I'm working on hackintosh in this laptop.
my job: https://github.com/johnnync13/Xiaomi-Mi-Air

johnnynuca14 said:
Thanks! I will wait when you take out the mod bios.
I'm working on hackintosh in this laptop.
my job: https://github.com/johnnync13/Xiaomi-Mi-Air
By the way, you have 8550u or 8250u model? BIOS 0705 from 2017 model? Which version you had before?
Please use CMD (Administrative mode) and command 'fptw -d firmware.fd'
fptw is here https://overclocking.guide/download/flash-programming-tool/
I'd like to have as many dumped fw examples as possible for better testing.
Thanks.

I have i7-8550u. I download this version from http://en.miui.com/thread-2561359-1-1.html

johnnynuca14 said:
I have i7-8550u. I download this version from http://en.miui.com/thread-2561359-1-1.html
Because official BIOS is kind of empty (no details about device itself) and in order to test whether I can safely change things inside I need backup from fptw

https://drive.google.com/file/d/100sb2BlrwgwrGhDBUDa_p83sg8wQ-8Vj/view?usp=sharing
When do you upload the first release?

johnnynuca14 said:
https://drive.google.com/file/d/100sb2BlrwgwrGhDBUDa_p83sg8wQ-8Vj/view?usp=sharing
When do you upload the first release?
I'm still working on removing all bios flash protections which are set by Xiaomi. Don't have ETA for that, will post once I have easy and convenient solution for everyone.
BTW, what is your model, 8550u or 8250u?
Also, today I will post tutorial how to unlock XTU settings for those who are on XMAKB3M0P0B09 and higher.

Shaqee said:
I'm still working on removing all bios flash protections which are set by Xiaomi. Don't have ETA for that, will post once I have easy and convenient solution for everyone.
BTW, what is your model, 8550u or 8250u?
Also, today I will post tutorial how to unlock XTU settings for those who are on XMAKB3M0P0B09 and higher.
My model is 8550u. But this bios is the other developer friend. Actually, I'm using macOS and I don't have windows.
I'm thinking of flashing a backup BIOS from other people and, in the future, changing the parameters.

Tutorial for unlocking XTU settings on XMAKB3M0P0B09, XMAKB3M0P0D0A, XMAKB3M0P100B and later BIOS:
1. Download "variable patcher.rar" from here: https://forum.xda-developers.com/windows-10/general/xiaomi-air-13-t3659796
2. Unpack. Then delete "Patcher.cmd" inside the folder and then delete "variable.ps1" inside the bin folder, you won't need them.
3. Open CMD (Administrator mode) and navigate to the folder where "H2OUVE.exe" exists
4. Execute command: H2OUVE.exe -gv CpuSetup.txt -n CpuSetup (pay attention, capital letters matter)
5. Execute command: H2OUVE.exe -gv Custom.txt -n Custom (pay attention, capital letters matter) (Don't close CMD)
6. Back up these two files and keep them safe
7. Open CpuSetup.txt with any editor
8. Find and navigate to line 000000E0: xx xx xx xx xx xx xx xx xx xx xx 01 xx xx xx xx (xx - you will see numbers which are different for every model, ignore them and don't touch them)
9. You should inspect the 5th number from the end: if it is 01 (overclock locked) then you should change it to 00 (xx xx xx xx xx xx xx xx xx xx xx 00 xx xx xx xx)
10. Copy the GUID which is under "CpuSetup", in my example "B08F97FF-E6E8-4193-A997-5E9E9B0ADB32"
11. Save the file with the new name CpuSetupEdited.txt, then close the file and keep it next to "H2OUVE.exe"
12. Open Custom.txt
13. You will see many "Custom" tables but you only need the one which has the same GUID you copied from CpuSetup.txt, example "B08F97FF-E6E8-4193-A997-5E9E9B0ADB32"
14. ctrl+f and ctrl+v (GUID) and search for that "Custom" table
15. Once you locate it, perform the same steps 8-9
16. Save the file with the new name CustomEdited.txt, then close the file and keep it next to "H2OUVE.exe"
17. Now execute CMD command: H2OUVE.exe -sv CpuSetupEdited.txt and then H2OUVE.exe -sv CustomEdited.txt
18. Restart PC
Now you should see activated controls. But please note that Xiaomi has still limited CPU power to 15W and increasing W will not give you more power. This is only to decrease voltage for better temperature and efficiency.
Currently I'm working on unlocking BIOS flash through FPTW
Later on I will work on performance mods
But don't ask for an ETA, this is a side project and everything depends on my spare time.

johnnynuca14 said:
My model is 8550u. But this bios is the other developer friend. Actually, I'm using macOS and I don't have windows.
I'm thinking of flashing a backup BIOS from other people and, in the future, changing the parameters.
Ok, then what is your friend's model?
P.S. Message for everyone who will post backups. I need the following info:
* Model - 8550u or 8250u
* BIOS Version
* Modified or stock. If modified, then I need to know what kind of mods were done.

My dump
* Model - 8250u
* BIOS XMAKB3M0P100B
* stock

Shaqee said:
Ok, then what is your friend's model?
P.S. Message for everyone who will post backups. I need the following info:
* Model - 8550u or 8250u
* BIOS Version
* Modified or stock. If modified, then I need to know what kind of mods were done.
He has:
8250u
P100B
Stock

I have both, good and bad news, depending on which BIOS version you have... so shortly:
* Those who are on XMAKB3M0P0B09, XMAKB3M0P0D0A, XMAKB3M0P100B - you can have BIOS unlocked (some day soon I will release tutorial)
* Those who are on XMAKB3M0P0705 (from 2017 model) - should wait for official BIOS from Xiaomi, because they are protected better and at the moment I don't know any other way how to unlock them without using SPI programmer. So keep away from this version.
p.s. there is a chance that downgrading BIOS to version A06 (2016 model) it is then possible to unlock and then flash P100B. But this looks dangerous as 2016 is very different from 2017/2018 models. I'll investigate this.
BTW please let me know if method unlocking XTU settings worked.

http://en.miui.com/thread-1759175-6-1.html
Here there are more BIOS Backup.
My backup:
* Model - 8550u
* BIOS XMAKB3M0P0705
* stock

How can I flash XMAKB3M0P100B modifying parameters, for example S/N?
I have 705. It is very noisy but I don't find XMAKB3M0P100B bios. Can I flash another backup file and change parameters to adapt it to my laptop?

Shaqee said:
please let me know if method unlocking XTU settings worked.
Your method is perfect! XTU unlocked! I have 8250U.
How about other patches created by _Cyb1980_ for the Pro model (and xiaomi-notebook-pro-bios-patcher by saltukkos)?
Is it possible to modify them specifically for the Air 2018 model?

any update?

Tutorial removing BIOS flash protection
Warning: This should potentially work only for BIOS ver XMAKB3M0P0B09, XMAKB3M0P0D0A, XMAKB3M0P100B and later. Will NOT work on XMAKB3M0P0705 as they have additional security which can't be removed easily.
I'm currently on XMAKB3M0P0705 and it doesn't work for me, but it should work for the above-mentioned BIOS versions.
1. Download "variable patcher.rar" from here: https://forum.xda-developers.com/windows-10/general/xiaomi-air-13-t3659796
2. Unpack. Then delete "Patcher.cmd" inside the folder and then delete "variable.ps1" inside the bin folder, you won't need them
3. Open CMD (Administrator mode) navigate to folder where "H2OUVE.exe" exists
4. Execute command: H2OUVE.exe -gv AllVars.txt (Don't close CMD)
6. Backup file and keep safe
7. Open AllVars.txt with any editor
8. You will see all tables with your variables, but you will have to edit only some of them
9. Copy this GUID 4570B7F1-ADE8-4943-8DC3-406472842384 and search for two tables in your text editor, should be PchSetup and Custom
10. In both tables find line 00000010: xx xx xx xx xx xx 01 01 xx xx xx xx xx xx xx xx (xx - you will see numbers which are different for every model, ignore them and don't touch them)
11. First number is RTC Lock, second is BIOS Lock. Change both to 00 (Disable), if there's 00 already don't do anything
12. In same both tables (PchSetup and Custom) find line 00000610: xx xx 01 xx xx xx xx xx xx xx xx xx xx xx xx xx
13. If there is 01 (Flash Protection Range Registers) change to 00
14. Copy this GUID B08F97FF-E6E8-4193-A997-5E9E9B0ADB32 and search for two tables in your text editor, should be CpuSetup and Custom
15. In both tables find line 000000E0: xx xx xx xx xx xx xx xx xx xx xx xx 01 xx xx xx
16. Change 01 (BIOS Guard) to 00
17. Copy this GUID 5432122D-D034-49D2-A6DE-65A829EB4C74 and search for two tables in your text editor, should be MeSetup and Custom
18. In both tables find line 00000000: xx 00 xx 00 xx xx xx xx xx xx xx xx xx xx xx xx
19. First number is Local FW Update, second is Me FW Image Re-Flash. Change both to 01
20. Save file with new name AllVarsEdited.txt, then close file and keep it next to "H2OUVE.exe"
21. Now execute CMD command: H2OUVE.exe -sv AllVarsEdited.txt
22. Restart PC
23. Open CMD (Administrator mode) navigate directory where FPTW is located (if you don't have it search in internet)
24. Now backup your current BIOS using command FPTW -d bios.bin -bios
25. Try to flash back your own backup with command FPTW -f bios.bin -bios
26. If you didn't get any errors you are all good to go and flash any bios backup.
In case this doesn't work, this won't brick your laptop. Please let me know the outcome so I could look for other protection.
Also this method will definitely unlock the ME region so you can proceed with these tutorials:
https://www.win-raid.com/t596f39-Intel-Management-Engine-Drivers-Firmware-amp-System-Tools.html - Update ME region
https://www.win-raid.com/t1658f39-G...-CS-TXE-Regions-with-Data-Initialization.html - flash cleaned ME region (FPTW command: FPTW -f ME.bin -ME)
Tutorial how to move your unique BIOS data to the BIOS you want to flash:
1. Download HxD hex editor - https://mh-nexus.de/en/downloads.php?product=HxD20 and install
2. Download any BIOS version (size should be 7340032 bytes) you want to flash (search in this thread or reddit or internet)
3. Backup your BIOS FPTW -d bios.bin -bios (size should be identical 7340032 bytes)
4. Open both files in HxD editor and then go to Analysis -> Data comparison -> Compare...
5. New window will open so click OK and both files will be vertically aligned
6. On both files move to offset 3F000 using Search -> goto... (This is where your device serial number is located)
7. On your BIOS file left mouse click at the beginning of offset 3F000 and drag to the end of offset 3F0D0 - totally 14 lines should be selected in blue font, then press ctrl+c
8. On BIOS you want to flash, select same area, then right mouse click and choose Paste Write
9. Just double check if structure is the same after you done paste (number of lines should NOT increase/decrease). Only data should be changed
10. On both files move to offset 490000 using Search -> goto...
11. This is where your WIN key is stored. Copy it from your BIOS to the BIOS you will flash. (I haven't tested it, but a possibility is to insert new OEM Win 10 Home/Pro any language)
12. Save this as a new file
13. Ensure that the file size is the same (7340032 bytes)
14. Cross oneself (lol)
15. Flash using FPTW -f YourBiosName.bin -bios (bios name should be same you used in step 12)
Also please note that once you flash someone else's BIOS it will most probably be BIOS locked and XTU disabled - so you will have to perform the same steps again.
Disclaimer: As always, BIOS flashing is a dangerous procedure! Use it at your own risk!!! I'm not responsible if something goes wrong! But if you are already familiar with the flashing procedure there shouldn't be any problems.
Tutorial how to find your Motherboard's serial number and flash it into BIOS:
As you have probably noticed you have fake MB S/N 1234567890123456789012. I know because I have it too and everyone else...
To change it:
1. Disassemble your laptop, find your MB S/N on the battery and write it down somewhere
2. Download this package http://en.inspur.com/eportal/fileDi...ur NF8480M5/NF8480M5_BIOS_3.0.05_20180420.zip
3. Extract it
4. Go to folder NF8480M5_BIOS_3.0.05_20180420\DMI Tool\Windows\ and extract H2OSDE that is all you need from this package, you can delete everything else
5. Open H2OSDE-Wx64.exe
6. Input 3 and press Enter then input 2 and press enter
7. Input s4 (this is string where you should see old serial 1234567890123456789012) and press Enter
8. Add your MB S/N from battery without any "" or other symbols, just number
9. Press enter until it's changed.
That's all.
Don't ask me for any mods or how to flash on XMAKB3M0P0705 BIOS:
1. By default Mi Air 13 has all features enabled and Pro you have to enable manually. So you're good to go
2. XMAKB3M0P0705 Some day I will experiment with downgrading BIOS to A06 (2016 model) if this will work then I will write tutorial
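A check for the variable edits in the XTU and flash-protection tutorials above, added here as an example and not part of the original posts or of the H2OUVE tool: it compares the backup dump with the edited one, names every changed byte that the tutorials list, and flags any other change before the file is written back with -sv. The dump layout (a name line, a GUID line, then "offset: 16 hex bytes" rows) is assumed from the way the posts describe the files, and the sample dump is constructed.

```python
import re

# Byte positions named in the thread, keyed by variable GUID. A position such
# as "line 000000E0, 12th byte" is stored as table offset 0xE0 + 11 = 0xEB.
KNOWN_FIELDS = {
    "B08F97FF-E6E8-4193-A997-5E9E9B0ADB32": {          # CpuSetup and Custom
        0xEB: "Overclock lock", 0xEC: "BIOS Guard"},
    "4570B7F1-ADE8-4943-8DC3-406472842384": {          # PchSetup and Custom
        0x16: "RTC Lock", 0x17: "BIOS Lock",
        0x612: "Flash Protection Range Registers"},
    "5432122D-D034-49D2-A6DE-65A829EB4C74": {          # MeSetup and Custom
        0x01: "Local FW Update", 0x03: "Me FW Image Re-Flash"},
}

GUID_RE = re.compile(r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")
ROW_RE = re.compile(r"^\s*([0-9A-Fa-f]{8}):((?:\s+[0-9A-Fa-f]{2}){1,16})\s*$")


def parse_dump(text):
    """Return {(table name, GUID): {offset: byte}} for a variable dump.

    ASSUMED layout: a line with the table name, a line with its GUID, then
    rows of the form 'OOOOOOOO: b0 b1 ... b15'.
    """
    tables, name, current = {}, "?", None
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if row:
            if current is not None:
                base = int(row.group(1), 16)
                for i, byte in enumerate(row.group(2).split()):
                    current[base + i] = int(byte, 16)
            continue
        guid = GUID_RE.search(line)
        if guid:
            # The name may also sit on the GUID line itself.
            name = line[:guid.start()].strip(" :\t") or name
            current = tables.setdefault((name, guid.group(0).upper()), {})
        elif line.strip():
            name = line.strip()
    return tables


def diff_dumps(before, after):
    """List (table, guid, offset, old, new, label) for every changed byte.

    label is the setting name from KNOWN_FIELDS, or None when the thread does
    not mention that byte (a likely slip of the editor).
    """
    changes = []
    for key in sorted(set(before) | set(after)):
        old_t, new_t = before.get(key, {}), after.get(key, {})
        labels = KNOWN_FIELDS.get(key[1], {})
        for off in sorted(set(old_t) | set(new_t)):
            old, new = old_t.get(off), new_t.get(off)
            if old != new:
                changes.append((key[0], key[1], off, old, new, labels.get(off)))
    return changes


def unexpected_changes(changes):
    """Changes that touch bytes the tutorials never mention."""
    return [c for c in changes if c[5] is None]


def protection_state(tables):
    """Current value of every known setting, per table: {(table, label): byte}."""
    state = {}
    for (name, guid), data in tables.items():
        for off, label in KNOWN_FIELDS.get(guid, {}).items():
            if off in data:
                state[(name, label)] = data[off]
    return state


# Constructed sample, not a real dump: two tables sharing the CpuSetup GUID.
SAMPLE_GUID = "B08F97FF-E6E8-4193-A997-5E9E9B0ADB32"
_ROWS = ("000000E0: 10 11 12 13 14 15 16 17 18 19 1A 01 01 1D 1E 1F\n"
         "000000F0: 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F\n")
BACKUP = f"CpuSetup\n{SAMPLE_GUID}\n{_ROWS}Custom\n{SAMPLE_GUID}\n{_ROWS}"
# Edited copy: the intended change in CpuSetup, one accidental change in the
# next row, and the matching Custom table left untouched.
EDITED = BACKUP.replace("1A 01 01", "1A 00 01", 1).replace("20 21", "02 21", 1)

if __name__ == "__main__":
    after = parse_dump(EDITED)
    for table, guid, off, old, new, label in diff_dumps(parse_dump(BACKUP), after):
        print(f"{table} +0x{off:X}: {old:02X} -> {new:02X}  {label or 'UNEXPECTED'}")
    for (table, label), value in sorted(protection_state(after).items()):
        print(f"{table}: {label} = {value:02X}")
```
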
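The checks from steps 9 and 13 of the data-transplant tutorial above, written out as an added example that is not from the original post: before flashing, it confirms that all three images have the stated size, that the patched image matches the downloaded one everywhere except the two copied regions, and that those regions match your own backup. WINKEY_LEN is an assumption, since the thread gives only the start offset of the Windows key, and the demo images are constructed.

```python
import sys

IMAGE_SIZE = 7340032                 # BIOS region size stated in the thread
SERIAL_RANGE = (0x3F000, 0x3F0E0)    # 14 rows of 16 bytes starting at 3F000
WINKEY_START = 0x490000              # start of the Windows key per the thread
WINKEY_LEN = 0x100                   # ASSUMPTION: set to the length you copied
ALLOWED = [SERIAL_RANGE, (WINKEY_START, WINKEY_START + WINKEY_LEN)]


def first_diff(a, b, base):
    """Absolute offset of the first differing byte of two equal-length slices."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return base + i
    return None


def check_transplant(own, donor, patched, allowed=ALLOWED, size=IMAGE_SIZE):
    """Return a list of problems; an empty list means the image is consistent.

    own     - your own backup (source of the unique data)
    donor   - the downloaded image you want to flash
    patched - donor with your unique data pasted in
    """
    problems = []
    for label, img in (("own", own), ("donor", donor), ("patched", patched)):
        if len(img) != size:
            problems.append(f"{label} image is {len(img)} bytes, expected {size}")
    if problems:
        return problems      # offsets are meaningless if anything was shifted

    pos = 0
    # Walk the image: gap before each allowed range must equal the donor,
    # the range itself must equal your own backup. The sentinel covers the tail.
    for start, end in sorted(allowed) + [(size, size)]:
        if patched[pos:start] != donor[pos:start]:
            off = first_diff(patched[pos:start], donor[pos:start], pos)
            problems.append(f"unexpected change from donor at 0x{off:X}")
        if patched[start:end] != own[start:end]:
            off = first_diff(patched[start:end], own[start:end], start)
            problems.append(f"unique data not copied at 0x{off:X}")
        pos = end
    return problems


def build_demo_images():
    """Constructed images (zero-filled, placeholder strings), not real firmware."""
    own, donor = bytearray(IMAGE_SIZE), bytearray(IMAGE_SIZE)
    own[0x3F000:0x3F000 + 15] = b"OWN-SERIAL-0001"
    donor[0x3F000:0x3F000 + 15] = b"DONOR-SERIAL-01"
    own[WINKEY_START:WINKEY_START + 7] = b"OWN-KEY"
    donor[WINKEY_START:WINKEY_START + 9] = b"DONOR-KEY"
    patched = bytearray(donor)
    for start, end in ALLOWED:
        patched[start:end] = own[start:end]      # overwrite in place, same length
    return bytes(own), bytes(donor), bytes(patched)


if __name__ == "__main__":
    if len(sys.argv) == 4:                       # own.bin donor.bin patched.bin
        images = [open(p, "rb").read() for p in sys.argv[1:4]]
    else:
        images = build_demo_images()
    found = check_transplant(*images)
    print("\n".join(found) if found else "OK: only the expected regions differ")
    sys.exit(1 if found else 0)
```

An inserted rather than overwritten byte shows up as a size mismatch, which is the case step 9 warns about.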

Related

Restore Product ID to AT&T Captivate nv_data.bin

********NOTE*********
i have included a few of the tools you will need as attachments to this post. I will not take any credit for these programs as i was not the developer for them... these people work too hard to have anyone steal their credit... please give credit where credit is due!
Your nv_data.bin file and its matching nv_data.bin.md5 files are located on your phone in /efs/
All references that i make to "sd card" or "/sdcard/" refer to your phone's internal SD Card, not an external SD card that you may have installed.
I have created a windows batch file that you can run and it will extract your entire /efs/ folder from your phone to your PC. I am currently working on the batch script to move the edited nv_data.bin files back to your/efs/ folder and do the other adb stuff.
attached is the EFS Extractor.zip file that contains the ADB files and the batch script.
The product code for your AT&T Captivate is: SGH-I897ZKAATT
WARNING… I AM NOT RESPONSIBLE IF YOU BREAK YOUR PHONE FOLLOWING ANY OF THESE INSTRUCTIONS
The Attached EFS Extractor.zip file contains the necessary adb file and a couple batch files. "retrieve efs.bat" copies your entire /efs/ folder to your PC in a folder called /efs_bkup/ in the directory where you unzipped the file and ran the batch program from. The file "update nv_data.bat" takes your edited nv_data.bin file from the root directory where you ran the .bat file from and places it in your phone's /efs/ folder and removes the old copies from your phone... when it is done, it will power cycle your phone.
To fix your nv_data.bin, you will have to have access to the following tools:
A hex editor (search google for hex editors, they have tons of them that are free… I use one called HexEdit and i have it attached)
GalaxyS_One-Click_Root_All_Models (available via XDA-Developers... attached)
ADB (Android Debugging Bridge) This is available by getting the Android SDK at the Android Developers Website (http://developer.android.com/sdk/index.html) or if you downloaded the Galaxy S One Click Root, it is in the directory where you unzipped the files.
BusyBox – Search the google market for “BusyBox”. It will appear and will be the free one from stericson (i have included the .apk as an attachment)
Odin One-Click Downloader (available from XDA)… make sure you get the correct one. There are 2 versions. If your batch number is 1008 then you need the one with the 3-button fix, if your batch number is greater than 1008 then you should need the regular one. Your batch number is written on the sticker on your phone under your battery on the left side right under the words “S/N” where your serial number is listed.
Samsung Kies Mini (gotten from Samsung website)
Download the attached EFS Extractor .zip file. It contains everything you need to copy your /efs/ folder to your PC
Now for what you need to do to get your phone’s nv_data.bin back to normal:
Flash back to stock and then do a master clear using Odin One Click
put phone into USB debugging mode and also check the setting to "stay awake"
connect phone to PC and root and install busybox
extract the attached EFS Extractor.zip file and run the "retrieve efs.bat" file. This will copy your entire /efs/ folder from your phone to your PC in a directory called ./efs_bkup/
Using the Hex Editor, edit the file ./efs_bkup/efs/nv_data.bin on your PC to have the correct product code SGH-I897ZKAATT. do an ASCII search for "SGH" to locate the line in the file that contains your product key. then save the edited file to ./nv_data.bin (the root directory where you extracted your ZIP file to on your PC)
run the file "update nv_data.bat" to copy your corrected nv_data.bin to your phone's efs folder and chown it and reboot your phone
change USB Settings on phone back to Kies then open Kies Mini and connect phone.
you should now be able to connect to Kies Mini and not have unregistered device... now would be a good time to back up your /EFS/ folder... you can now either do Odin One-Click and a master clear, or flash a different rom. You should do Odin if you want to use Kies to get updates to be 100% stock to remove your root and busybox.
The general overview of what you need to do is this, for those of you that want to know and/or use other tools to do this:
Copy your /efs/nv_data.bin file from your phone to your PC
Use a hexeditor to modify the line in the nv_data.bin file that contains the productcode to contain your correct product code
delete any nv_data.* files from your /efs/ folder on your phone
copy the corrected nv_data.bin file from your PC to your /efs/ folder on your phone
busybox chown 1001:1001 /efs/nv_data.bin
reboot phone
Done!
Now, when you back up your /efs/ folder to your PC you may see files like nv_data.bak and nv_data.bak.md5. Using a hexeditor, open the nv_data.bak file and look at the line that has the product code (ASCII values starting with SGH)... if the product code in the .bak file is correct, then delete the nv_data.bin and nv_data.bin.md5 from your /efs/ folder on your phone and reboot your phone. Your phone should then create new .bin and .bin.md5 files from the .bak and .bak.md5 files that will have the proper productcode. You can also optionally rename the .bak and .bak.md5 files on your PC to be .bin and .bin.md5 and copy them to your /efs/ folder on your phone.
You can view what Kies is reading your productcode as by opening your windows registry editor Start>Run>regedit[enter]
Connect phone to PC in Kies(Firmware) mode
Navigate to HKEY_CURRENT_USER/Software/Samsung/KiesMini/FUS
Look at the key "PRODUCTKEY" and what it's value is... if it is correct, then you are good. If not, then something went wrong somewhere.
If you have issues please post the issues you are having and I will update as necessary.
Here is a link to a different thread that contains a program and instructions for restoring your unlock codes if that is what you are trying to do. The .jar (java program) is written in French, but it only asks for the codes you want to use for your unlock codes... i did not make this program so I cannot help you with it.
http://forum.xda-developers.com/showpost.php?p=8983897&postcount=103
Tried to trim this down a little as there are a ton of steps, let me know if any of this is incorrect.
1. Flash back to stock rom, and do a master clear using the Odin3 One-Click Downloader by designgears
2. Root using one-click-root and install busybox, turn on usb development mode + stay awake, and connect to your PC.
3. Open a command prompt window and navigate to the directory where you extracted the one-click-root. Run the following commands:
a. adb shell
b. su
c. cp /efs/nv_data.bin /sdcard/nv_data.bin
d. cp /efs/nv_data.bin /sdcard/nv_data.bin.copy (in case there is a problem)
e. rm /efs/nv_data.*
4. Exit your adb.exe window, mount your phone on your PC and navigate to the internal card. Edit the nv_data.bin with a hexeditor (bpsoft.com) and search (ascii) for "SGH-" (without the quotes)
5. It may be something like SGH-I897ZKATOR or SGH-I897ZKATMB. You need to change this to SGH-I897ZKAATT then save the file, and unmount your phone.
6. Disconnect usb data cable from pc to phone, re-enable usb development mode + stay awake, reconnect.
7. Open a command prompt window and navigate to the directory where you extracted the one-click-root. Run the following commands:
a. adb shell
b. su
c. cp /sdcard/nv_data.bin /efs/nv_data.bin
d. busybox chown 1001:1001 /efs/nv_data.bin
8. Power cycle
Hi hansonmi. I've been down this road. Were you successful with creating Nv_data.bak this way and restoring with that? For example editing nv_data.bak and making a corresponding md5 file and only placing those files in your efs folder and restarting your phone.
I had problems creating this file. i would always get an incorrect IMEI. This is why i recommend using nv_data repair.zip posted in the tmo vibrant unlock thread; not only can you recreate the correct product code but also fix the fffffffff for unlock code.
Have you checked this out http://forum.xda-developers.com/showpost.php?p=8983897&postcount=103
mattbeau said:
Hi hansonmi. I've been down this road. Were you successful with creating Nv_data.bak this way and restoring with that? For example editing nv_data.bak and making a corresponding md5 file and only placing those files in your efs folder and restarting your phone.
I had problems creating this file. i would always get an incorrect IMEI. This is why i recommend using nv_data repair.zip posted in the tmo vibrant unlock thread; not only can you recreate the correct product code but also fix the fffffffff for unlock code.
Have you checked this out http://forum.xda-developers.com/showpost.php?p=8983897&postcount=103
yeah... i have been successful using the steps i outlined... like i said in the original post, this is only to get your product code fixed... i don't have an unlocked phone so i don't know if that program works... i did use it to check it out, but it is written in French or something and it never copied the "patched" nv_data files back to my phone... i had to do it manually and still the product code from the created files was wrong. Others say that they have had success using it, but i never did. I took a bunch of stuff from a bunch of posts on this site to compile the guide here for restoring product codes only.
the .bak files are your backup files that get generated sometimes... usually those files have your correct unlock codes and productcode... to restore them, just delete the non .bak files and remove the .bak extension from the backups... then copy them to your /efs/ folder and powercycle and you should be good. you should keep all your original files from your /efs/ folder in a safe place though so you have them to fall back on if you need to. I have never had the .bak files in my /efs/ folder so i haven't ever been that lucky.
devz3r0 said:
Tried to trim this down a little as there are a ton of steps, let me know if any of this is incorrect.
1. Flash back to stock rom, and do a master clear using the Odin3 One-Click Downloader by designgears
2. Root using one-click-root and install busybox, turn on usb development mode + stay awake, and connect to your PC.
3. Open a command prompt window and navigate to the directory where you extracted the one-click-root. Run the following commands:
a. adb shell
b. su
c. cp /efs/nv_data.bin /sdcard/nv_data.bin
d. cp /efs/nv_data.bin /sdcard/nv_data.bin.copy (in case there is a problem)
e. rm /efs/nv_data.*
4. Exit your adb.exe window, mount your phone on your PC and navigate to the internal card. Edit the nv_data.bin with a hexeditor (bpsoft.com) and search (ascii) for "SGH-" (without the quotes)
5. It may be something like SGH-I897ZKATOR or SGH-I897ZKATMB. You need to change this to SGH-I897ZKAATT then save the file, and unmount your phone.
6. Disconnect usb data cable from pc to phone, re-enable usb development mode + stay awake, reconnect.
7. Open a command prompt window and navigate to the directory where you extracted the one-click-root. Run the following commands:
a. adb shell
b. su
c. cp /sdcard/nv_data.bin /efs/nv_data.bin
d. busybox chown 1001:1001 /efs/nv_data.bin
8. Power cycle
Yeah, looking at it quickly it looks like all the instructions are correct... maybe abbreviated too much... Thanks for that... i will update with instructions similar.... i have to remember that there are those folks that have never used adb or know what it is. I will credit you in my update tomorrow. I am used to where i work we have people that use computers that don't know how to power them on and off so they just leave them on all the time... i have to be very specific on my instructions that i tell them so they can understand... a two second task becomes an all-day event. Just something i am used to doing.
I will be working on a dos script (.bat) file that will do most of the adb stuff so then the users only need a few things to do and just let the scripts take care of the rest.
hansonmi said:
yeah... i have been successful using the steps i outlined... like i said in the original post, this is only to get your product code fixed... i don't have an unlocked phone so i don't know if that program works... i did use it to check it out, but it is written in French or something and it never copied the "patched" nv_data files back to my phone... i had to do it manually and still the product code from the created files was wrong. Others say that they have had success using it, but i never did. I took a bunch of stuff from a bunch of posts on this site to compile the guide here for restoring product codes only.
the .bak files are your backup files that get created sometimes... usually those files have your correct unlock codes and productcode... to restore them, just delete the non .bak files and remove the .bak extension from the backups... then copy them to your /efs/ folder and powercycle and you should be good. you should keep all your original files from your /efs/ folder in a safe place though so you have them to fall back on if you need to.
You don't even need to change the extension of those files if you power cycle your phone with just .Bak files. Your phone will recreate the nv_data.bin and md5 from those .Bak files and create a log file
Yeah i know the java program is in French. But it's only asking you what two codes you want to use for unlocking your phone ( ahh google translate)
And yes the first time i tried the program i had trouble too. I think it helps if you have a good busybox version.
Believe me the easier you can make it the better it will be for everyone. Now if we could just get everyone to back up that folder before flashing anything we wouldn't even need to go down that road. Thanks for your help in this. I'll leave this thread alone now, sorry if I'm intruding. Pm me if you need any help
mattbeau said:
You don't even need to change the extension of those files if you power cycle your phone with just .Bak files. Your phone will recreate the nv_data.bin and md5 from those .Bak files and create a log file
Yeah i know the java program is in French. But it's only asking you what two codes you want to use for unlocking your phone ( ahh google translate)
And yes the first time i tried the program i had trouble too. I think it helps if you have a good busybox version.
Believe me the easier you can make it the better it will be for everyone. Now if we could just get everyone to back up that folder before flashing anything we wouldn't even need to go down that road. Thanks for your help in this. I'll leave this thread alone now, sorry if I'm intruding. Pm me if you need any help
Yeah... the problem is that not everyone knew to do it before flashing as a lot of the ROM pages don't say it (I was one of them that never knew about it)... i knew what the java was saying but since i don't have an unlocked phone, i had no way of testing it to see if it worked for me or not... and on top of that it didn't work with restoring my productcode (i know that because i couldn't use Kies until i did things manually)... I tell people to rename the files, because i am assuming they copy the contents of their /efs/ folder to a PC or something... then they just have to delete the nv_data files from /efs/ on their phone, and rename the .bak files on their PC and copy them back to their phone's /efs/ so they still have a copy of their original files saved on their PC... plus i don't like relying on the phone doing the renaming because if it doesn't no one will know what went wrong...
Working on Windows Batch (.bat) script
I will be working on doing a windows .bat script that will do most of the dirty work for you... it may take a couple days because where i work the end of the year is the busiest time for me and i don't have a lot of time between work during the week.
I will make the script an attachment and will hopefully be able to zip with the abd files to make life a little easier for everyone.
Thanks for the input everyone.
What line
Could someone that has successfully done this post what line in the hex file the product code is found on. All I get is string not found??? Thanks
Worked great, followed steps exactly as outlined didn't have any problems. Thanks again for this, I've been wanting to have a proper backup of efs folder with correct product code, but could never change it back.
Slowazz28 said:
Could someone that has successfully done this post what line in the hex file the product code is found on. All I get is string not found??? Thanks
I used hexedit, and if the line number is in first column it begins on line 188010. I did notice when searching a second time to get line number, that I had to have sgh- in all caps, and once I got string not found, I closed program, reopened and searched again using caps (SGH-) and it worked several times. Hope this helps.
Big thanks for posting this.
I'll give this a shot prior to flashing Axura 2.5.
Thanks hansonmi! I got it updated with Kies. I done it a lil different using Root Explorer to move files around and used a hex editor to edit files and Root Explorer to copy back.
great guide.
wish this would have been around the first time i ran into this problem as it was a headache when it happened and the threads and advice on fixing were so fragmented within the forum threads.
The only thing i did differently was that i didn't use ADB on a pc at all during the process (I completed the process using both Root Explorer and Terminal Emulator on my phone and copying files to pc via mounting the phone and its storage as disk drives).
(PS before doing any of this i backup up my efs folder first to my external SD using root explorer and then to my pc via mounting the phones storage)
1. I had already copied my nv_data.bin file to external SD when backing up EFS folder.
2. Connected to pc via usb and mounted for storage (with debugging on)
3. copied nv_data to pc
4. used PsPad to edit the nv_data file in accordance with previous instruction in this thread. (I highly recommend PSpad as a hex editor. Its nice that you can switch back and forth between hex and text editor views) See PS in the end for using PSpad hex editor to find the line you need to edit. That seemed to be the only thing that needed clarified.
5. copy nv_data.bin back to the root directory of external sd
6. use root explorer to move newly edited nv_data from external sd back to original EFS folder.
7. Delete the nv_data.bin.md5 file... I left the backup from efs folder
8. Delete any nv_data.baks from efs folder
9. Now the use of Terminal Emulator (download from market). Busybox must be installed as well
10. Open Terminal Emulator and execute the following commands:
su
busybox chown 1001:1001 /efs/nv_data.bin
reboot
(reference to step 4 using hex editor)
PS - These are the steps for editing the hex code, starting with the first step and assuming you have copied the nv_data.bin to your PC
1. Open PsPad (or other hex editor)
2. Open nv_data.bin in hex editor mode
3. Go to line 188000 (using search modes you will likely have to enter $00188000 or 00188000) Using PsPad you would do the following:
Select SEARCH from top tool bar. Select GOTO LINE.......then enter $00188000
4. You will see yTMB....SGH_i897ZKATMB (or yTOR....SGH-ZKATOR).
5. Replace that first TMB or TOR with ATT then replace ZKATMB or ZKAATOR with KZAATT
6. Save
7. Now you should have a proper nv_data.bin
HBeezy said:
I used hexedit, and if the line number is in first column it begins on line 188010. I did notice when searching a second time to get line number, that I had to have sgh- in all caps, and once I got string not found, I closed program, reopened and searched again using caps (SGH-) and it worked several times. Hope this helps.
Ok that worked great except when I get to that line it says productcode several times then a bunch of x's then 11 0's but no SGH- so not sure where to put it in at. The 0's start on line 1880f0 and end on line 188100 ??? Appreciate the help
Slowazz28 said:
Ok that worked great except when I get to that line it says productcode several times then a bunch of x's then 11 0's but no SGH- so not sure where to put it in at. The 0's start on line 1880f0 and end on line 188100 ??? Appreciate the help
what hex editor are you using?
i recommend downloading the free PSpad Hex/Txt editor.
1. Open your nv_data file using FILE then OPEN IN HEX EDIT
2. use SEARCH from toolbar commands....GOTO LINE from search menu....options after opening in hex edit mode
3. then search for $00188000
you should see the line you need to edit.
The nice thing about PSPAD is that you can also open the binary file in a Text mode. If you have trouble finding it in the hex editor mode try the following.
1. open PSpad. Goto FILE then OPEN (vs. open in hex edit). This will open in a text editor view/mode.
2. goto SEARCH and select INCREMENTAL SEARCH
3. type SGH and search
(you could also do all the hex editing without moving files to pc if you wanted using HEX EDITOR from market...though for most the PC hex editors might be easier)
if you want to use the android hex editor app to do all the editing on your phone...do the following:
THERE ARE 3 Total Lines you will need to edit:
00188008
00188010
00188020
1. Use Root Explorer to copy nv_data.bin from efs folder to the root directory on your external sd.
2. Use Hex Editor App to open the copy from your external SD.
3. Once open, click the capacitive menu button and select jump to address
4. Enter 0188008
This will take you to line 00188008
5. Edit the last or 8th Block so it reads 41.
6. Enter 0188010
7. This will take you to line 00188010. Edit the first two blocks of this line. Replace the #'s so that both of the first two blocks contain 54. (Look to the text at the right of the screen; the first two letters should have changed to TT.) To recap, you need to edit Block 1 and Block 2 of line 00188010:
LINE 00188010
Block 1 = 54
Block 2 = 54
(text @ right should now read TT....SG)
8. Now look down to line 00188020 and look at the line. If you look at the line and at the far right text you will see ATOR or ATMB if your nv_data is messed up.
9. You may need to edit blocks 2-4. They should read as follows:
LINE 00188020
Block 2 = 41
Block 3 = 54
Block 4 = 54
(the text at the right of your screen should now read AATT....)
10. Save the file and move it back to efs using root explorer.
PS: Here are how the following lines should read (the ones in bold are the only ones you have to edit as line 00188018 will already be correct):
00188008|2e|34|00|00|00|00|ff|41|.4....A
00188010|54|54|00|00|00|00|53|47|TT....SG
00188018|48|2d|49|38|39|37|5a|4b|H-I897ZK
00188020|41|41|54|54|00|00|00|00|AATT....
bames said:
what hex editor are you using?
i recommend downloading the free PSpad Hex/Txt editor.
1. Open your nv_data file using FILE then OPEN IN HEX EDIT
2. use SEARCH from toolbar commands....GOTO LINE from search menu....options after opening in hex edit mode
3. then search for $00188000
you should see the line you need to edit.
The nice thing about PSPAD is that you can also open the binary file in a Text mode. If you have trouble finding it in the hex editor mode try the following.
1. open PSpad. Goto FILE then OPEN (vs. open in hex edit). This will open in a text editor view/mode.
2. goto SEARCH and select INCREMENTAL SEARCH
3. type SGH and search
(you could also do all the hex editing without moving files to pc if you wanted using HEX EDITOR from market...though for most the PC hex editors might be easier)
if you want to use the android hex editor app to do all the editing on your phone...do the following:
THERE ARE 3 Total Lines you will need to edit:
00188008
00188010
00188020
1. Use Root Explorer to copy nv_data.bin from efs folder to the root directory on your external sd.
2. Use Hex Editor App to open the copy from your external SD.
3. One Open click the capacitative menu button and select jump to address
4. Enter 0188008
This will take you to line 00188008
5. Edit the last or 8th Block so it reads 41.
6. Enter 0188010
7. This will take you to line 00188010. Edit the first two blocks of this line. Replace the #'s so that both of the first two blocks contain 54. (look to the text at the right of screen the first two letter should have changed to TT. To recap you need to edit Block 1 and Block 2 of line 0018010:
LINE 0018010
Block 1 = 54
Block 2 = 54
(text @ right should now read AT....SG)
8. Now look down to line 0018020 and look at the line. If you at the line and to the far right text you will see ATOR or ATMB if your nv_is messed up.
9. You may need to edit blocks 2-4. They should read as follows:
LINE 00188020
Block 2 = 41
Block 3 = 54
Block 4 = 54
(the text at the right of your screen should now read AATT....)
10. Save the file and move it back to efs using root explorer.
PS: Here are how the following lines should read (the ones in bold are the only ones you have to edit as line 00188018 will already be correct):
00188008|2e|34|00|00|00|00|ff|41|.4....A
00188010|54|54|00|00|00|00|53|47|AT....SG
00188018|48|2d|49|38|39|37|5a|4b|H-I897ZK
00188020|41|41|54|54|00|00|00|00|AATT....
Ok, so my nv_data.bin must be fubared cause I don't even have lines 188008 or 188018. They go by 10's like 188000, 188010, 188020, etc. And the text to the right of line 188010 starts TT....SG not AT....SG
File
I didn't back this up from my first flash to a custom ROM. Stated at the beginning it says this is likely unfixable. I have run Axura, Cog and Perception Roms (not in that order). Not sure if that makes a difference. Is this still fixable? The problem I have (using new market) is apps are either
A) Installed and not showing so on the market
B) I have them installed and they disappear & have to reinstall them from the market only to have them disappear from my phone again
C) Unable to download them (such as Pocket Legends)
Any feedback is appreciated.
Thanks
Slowazz28 said:
Ok, so my nv_data.bin must be fubared cause I don't even have lines 188008 or 188018. They go by 10's like 188000, 188010, 188020, etc. And the text to the right of line 188010 starts TT....SG not AT....SG
my bad
the 188010 should start TT, I will correct my original.
but you should be able to find lines 188008 and 18, though you won't need to do anything with 18. Did you try looking at it with the android hex editor app from market?
You won't see the 008 and 018 lines if you're using a hex editor on PC; you will only see the lines by 10's.
The section you are referring to are for Using Android Hex Editor App on your phone.
-----------------------
if you're using a hex editor on your PC you should see the following when corrected:
188000 | FFFF | FFFF | 5245 | 5630 | 2E34 | 0000 | 0000 | FF41 |
188010 | 5454 | 0000 | 0000 | 5347 | 482D | 4938 | 3937 | 5A4B |
188020 | 4141 | 5454 | 0000 | 0000 | 0000 | 0150 | 024E | 034E |
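Added example, not part of any post in this thread: the two "line" numberings above come from editors that show 8 versus 16 bytes per row. The Python code below maps each edited byte to the row and block that either layout displays. `SAMPLE` is constructed from the dumps posted above, `BROKEN` is a constructed "before" state, and the field offsets (`CARRIER_OFF`, `PRODUCT_OFF`) are inferred from those dumps.

```python
# Added example (not from the thread). All sample bytes are constructed from
# the hex dumps posted above; offsets and lengths are inferred from them.
BASE = 0x188000          # file offset of the first sample byte
CARRIER_OFF = 0x18800F   # 3-byte carrier tag ("ATT" in the corrected dump)
CARRIER_LEN = 3
PRODUCT_OFF = 0x188016   # 14-byte product code ("SGH-I897ZKAATT")
PRODUCT_LEN = 14

# Corrected state, as shown in the PC (16 bytes per row) dump.
SAMPLE = bytes.fromhex(
    "FFFF FFFF 5245 5630 2E34 0000 0000 FF41"   # row 188000
    "5454 0000 0000 5347 482D 4938 3937 5A4B"   # row 188010
    "4141 5454 0000 0000 0000 0150 024E 034E"   # row 188020
)


def patch(data, base, offset, new):
    """Return a copy of data with `new` written at absolute file offset."""
    i = offset - base
    return data[:i] + new + data[i + len(new):]


# Constructed "before" state: the TMB values the thread says a mismatched
# file shows (carrier tag TMB, product code ending in ATMB).
BROKEN = patch(patch(SAMPLE, BASE, CARRIER_OFF, b"TMB"), BASE, 0x188020, b"ATMB")


def locate(offset, width):
    """Map a file offset to (row address, 1-based block number) for an
    editor that shows `width` bytes per row."""
    return offset - offset % width, offset % width + 1


def hexdump_rows(data, base, width):
    """Render rows like the dumps in the thread. `base` must be a multiple
    of `width` so the row addresses line up with a real editor."""
    rows = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hexpart = "|".join("%02x" % b for b in chunk)
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        rows.append("%08x|%s|%s" % (base + i, hexpart, text))
    return rows


def read_field(data, base, offset, length):
    """Decode a fixed-length ASCII field at an absolute file offset."""
    start = offset - base
    return data[start:start + length].decode("ascii", errors="replace")


def changed_offsets(before, after, base):
    """Absolute offsets of every byte that differs between two buffers."""
    return [base + i for i, (a, b) in enumerate(zip(before, after)) if a != b]


if __name__ == "__main__":
    for width in (8, 16):
        print("--- %d bytes per row ---" % width)
        print("\n".join(hexdump_rows(SAMPLE, BASE, width)))
    print("before:", read_field(BROKEN, BASE, PRODUCT_OFF, PRODUCT_LEN))
    print("after: ", read_field(SAMPLE, BASE, PRODUCT_OFF, PRODUCT_LEN))
    for off in changed_offsets(BROKEN, SAMPLE, BASE):
        row8, blk8 = locate(off, 8)
        row16, blk16 = locate(off, 16)
        print("offset %06x: 8-wide line %08x block %d, 16-wide line %06x byte %d"
              % (off, row8, blk8, row16, blk16))
```

The six changed offsets land on block 8 of line 00188008, blocks 1 and 2 of line 00188010, and blocks 2 to 4 of line 00188020 in the 8-wide view, which are the same bytes that sit inside rows 188000, 188010 and 188020 of the 16-wide view.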
Slowazz28 said:
Could someone that has successfully done this post what line in the hex file the product code is found on. All I get is string not found??? Thanks
It really depends on the editor you are using and you have to make sure you are searching for ASCII...
in the editor that I use, it is line 188010

[HOW TO] Return to a Stock Branded RUU that isn't on AAHK

When returning to stock, I found this the most simple way to do it.
You will need:
AAHK
Your carrier's branded RUU (I'm using the Orange UK one found here)
A computer with Windows on it (Annoying, I know), however this is just needed for the RUU exe process, not for AAHK
Disclaimer: I'm not responsible for anything you do to your device! I recommend making a backup of AAHK's file you will be editing before you start editing it
1. Download and open AAHK, entering the passcode (read the manual)
2. Type "o" and press enter
3. Type "s" and press enter
4. Find the closest generic RUU to your device, but DO NOT SELECT IT
5. Remember the CID of the one you chose (for me it's HTC__001, as I chose the UK generic one)
6. Close the terminal
7. Select your respective file that runs AAHK (.sh for Linux, .cmd for windows [I think])
8. Open it in a text editor
9. Use a find tool within the file to find the CID of your closest generic RUU, which should look a little like this:
Code:
elif [ "$inp" = "0" ]; then
cid="HTC__001"
dlFlash
10. Find your CID for your carrier, this thread is very useful: http://forum.xda-developers.com/showthread.php?t=1195475
11. Change the CID within the AAHK text file, to match your carrier's CID, for example my carrier's CID is ORANG001, so my text would now read this:
Code:
elif [ "$inp" = "0" ]; then
cid="ORANG001"
dlFlash
12. Save and close that file
13. Open AAHK in a terminal again, entering the passcode and then selecting "o" and "s"
14. Go to your generic RUU again (Don't worry that the CID hasn't changed in the terminal, it will have done in the code)
15. Now select that RUU, and let it download, but DO NOT YET SELECT FLASH "y", and DO NOT CLOSE AAHK
16. Download this PD98IMG http://cmw.22aaf3.com/ace/stock/1.32.405.6/PD98IMG.zip
17. Copy it to your AAHK folder, within the folder named PD98IMG, where there will be the one you just downloaded
18. Select the one that AAHK downloaded (will be called something like "PD98IMG_GB2") and rename it to "BACKUP_ZIP"
19. Select the one you just downloaded from my link, and rename it to what you just renamed the other one from, so it will be something like "PD98IMG_GB2"
20. Return to AAHK, that you left open, and now select "y" to flashing the RUU and "y" to setting S-ON
21. Wait for the phone to finish rebooting, returning to the stock, unbranded froyo RUU. You're not done yet.
22. When the phone is done turn on USB debugging, open a second terminal and run
Code:
adb shell getprop ro.cid
It should return your carrier's branded CID. If not, you did something wrong, re-root using AAHK and do the process again. ONLY IF IT does, then continue
23. Now you need to flash your branded RUU. If you need to, boot a Windows computer now and download it. Else, just open it
24. Accept everything it says about readmes and things, if you're nervous, read them
25. Let it flash, once it's done it should reboot the device
26. Again, enable USB debugging, open a second terminal and run:
Code:
adb shell getprop ro.cid
If it returns your carrier's branded CID, you're good, continue. Else, re-root and start again
27. Your phone should now prompt a software update if the RUU is older than the current version, accept and install these
28. Hit the thanks button, it took me a while to figure out and put this together
Thanks to attn1 for the AAHK, Chris Moyles for the Toby Lerone references on radio stations and Real Radio Northwest for providing me with background music for most of the time I was writing it.
You are done, now go do whatever you were going to do, whether it be warranty or trading it in
Any chance of re upping the Orange UK Firmware. As all the ones i have tried that said they was orange was telsa. Thanks in advance
hacktrix2006 said:
Any chance of re upping the Orange UK Firmware. As all the ones i have tried that said they was orange was telsa. Thanks in advance
I don't have the exe anymore, and it seems Goo doesn't either
You could try torrenting it from this site, appears to have it
http://bitsnoop.com/ruu-ace-orange-uk-1-40-61-2-radio-1-q24244672.html
Quinny899 said:
I don't have the exe anymore, and it seems Goo doesn't either
You could try torrenting it from this site, appears to have it
http://bitsnoop.com/ruu-ace-orange-uk-1-40-61-2-radio-1-q24244672.html
Thank you will give it a go.
Edit: Na its not working nothing there.(Seeder wise)
I managed to get a copy in the end, Install all the OTA's and then Nandroid the whole phone and made a new rom.zip for orange.
So its now the latest firmware 2.3.5 with the Latest Hboot as well that came with the OTA's.

Modify system.img on Marshmallow ROM locked BL to gain adblock, edit build.prop etc

Hi
I wonder why no one is doing mods as the Sprint G4's forums are doing http://forum.xda-developers.com/spr...-mellowmallow-debloated-60fps-camera-t3341993
Take a look at this, they are using Send_Command exploit, as used in Lollipop to gain root. Many of you after MM update thought that LG blocked this method but actually we can use it again. Just start flashing any .kdz by LG UP and at 9% at computer, and when green COMx shows on screen just unplug USB.
After that run Send_Command and you are root. We can dump system.img, modify it in any way and using dd command, flash it back to phone.
I am 100% sure this will work.
We can't gain ROOT on Marshmallow this way but we can de-bloat and put modifications or even themed/modified stock LG apps.
JoHnNy08PL said:
Hi
I wonder why no one is doing mods as the Sprint G4's forums are doing http://forum.xda-developers.com/spr...-mellowmallow-debloated-60fps-camera-t3341993
Take a look at this, they are using Send_Command exploit, as used in Lolipop to gain root. Many of you after MM update thought the LG blocked this metod but actually we can use it again. Just start flashing any .kdz by LG UP and at 9% at computer, and when green COMx shows on screen just unplug USB.
After that run Send_Command and you are root. We can dump system.img, modify it in any way and using dd command, flash it back to phone.
I am 100% sure this will work.
We can't gain ROOT on Marshmallow this way but we can de-bloat and put modifications or even themed/modified stock LG apps.
This is nice. Problem is, will someone use this to do some modifications for our MM?
https://plus.google.com/108809553303056950825/posts/3tkNdkaMnNK
the_naxhoo said:
https://plus.google.com/108809553303056950825/posts/3tkNdkaMnNK
This is for H815P only, anything for H818?
MitoTakatori said:
This is for H815P only, anything for H818?
It's for both (H815 & H818). Check again.
Last night I actually modified my system.img
I have right now 530DPI, all apps in Dual Window and louder headphone output.
Edits were made to /system/build.prop and /system/etc/mixer_profiles.xml
Everything is working great so far.
Now keep in mind if u pull the plug too late you risk hard bricking. There have been cases reported. And this is a dangerous method but it does work
You can check out my github repo for examples.
https://github.com/tabp0le/MellowMallowROM-for-G4-LS991
I've debloated and modified/replaced these files:
https://github.com/tabp0le/MellowMallowROM-for-G4-LS991/blob/master/system/build.prop
https://github.com/tabp0le/MellowMallowROM-for-G4-LS991/blob/master/system/etc/hosts
https://github.com/tabp0le/MellowMallowROM-for-G4-LS991/blob/master/system/etc/fonts.xml
https://github.com/tabp0le/MellowMallowROM-for-G4-LS991/blob/master/system/etc/fallback_fonts.xml
https://github.com/tabp0le/MellowMa...blob/master/system/etc/init.qcom.post_boot.sh (this has some sprint specific modifications)
https://github.com/tabp0le/MellowMallowROM-for-G4-LS991/blob/master/system/etc/camera_config.xml
https://github.com/tabp0le/MellowMallowROM-for-G4-LS991/blob/master/system/etc/media_profiles.xml
https://github.com/tabp0le/MellowMallowROM-for-G4-LS991/blob/master/system/etc/mixer_paths.xml
https://github.com/tabp0le/MellowMallowROM-for-G4-LS991/blob/master/system/fonts/NotoColorEmoji.ttf
https://github.com/tabp0le/MellowMa.../system/app/LatinImeGoogle/LatinImeGoogle.apk
not worth it, too risky to end up with bricked phone,,
the_naxhoo said:
It's for both (H815 & H818). Check again.
Translated it:
Good evening, folks. As promised, I bring you the system.img modified by me the rom marshmallow br with the changes in build.prop. . Follow strictly all the steps and pay close attention Files Needed: • LG system.img modified modified H818P: https://drive.google.com/open?id=0B-qopUSJ7Y5KWUR4Z3FMXzR5VTQ • Drivers LG Root (to pass the ROM via -. Enable USB debugging and oem unlock the developer options Copy system.img downloaded to the root folder of your lg g4 shut off the phone with the same plug off the USB cable by pressing the volume button +, the. phone will go into download mode. 2 - Pay close attention:. Now on your computer, open the LG UP and select a rOM (any KDZ) and start the installation process When you reach the 9% on your computer and mobile display the number of uSB port in green (eg COM3), unplug the qUICKLY cable This process is necessary because the LG blocked common access the COM port in Marshmallow.. 3 - Close the LG UP, and enter the LG_ROOT folder and open the file "PORTS", will open another command window, copy the port number that appears in the "\ Device \ LGANDNETDIAG1 REG_SZ COM5 *" (Using the example COM5). 4 - Go to the folder where is located the LG ROOT, press shift, click the right button and click Open command window here Type:. ". Send_Command.exe \\ \ COM5" (COM5 is the sample number, place the number of your door that took in the previous step and press enter .) 5 - will appear on one line with "#" Enter "id" (without quotes) and you will see a line like this: "uid = (0) root gid = (0) root" if aperecer FAIL retrace all . process 6 - Copy and paste the following command in CMD: dd if = / data / media / 0 / system.img bs = 8192 count = seek = 55 296 529 920 of = / dev / block / mmcblk0 After about 2.3 minutes appears the old game symbol again. Then type LEAVE. If the phone does not restart alone, unplug the cable, remove your battery, place and turn on. 
After starting, the unit will already be with low DPI and the double window enabled for all apps. Recommend to perform a factory reset before using the ROM. Attention: Only for H815P. Do not take responsibility for any damage to your phone. Remarks: - I'm studying the possibility of injecting the Xposed directly on img, and perform some more general settings, such as adding the native v10 apps on it (apps manager, weather, camera, etc.) and try to implement the viper4android. But as I walk out of time due to studies, I believe that in the offseason can take time to make the changes and go testing to be able to provide.
---------------------
The bold one says it's for H815P only?
JoHnNy08PL said:
Last night I actually modified my system.img
I have right now 530DPI, all apps in Dual Window and louder headphone output.
Edits were made to /system/build.prop and /system/etc/mixer_profiles.xml
Everything is working great so far.
Is this for H818P? MM?
MitoTakatori said:
Translated it:
Good evening, folks. As promised, I bring you the system.img modified by me the rom marshmallow br with the changes in build.prop. . Follow strictly all the steps and pay close attention Files Needed: • LG system.img modified modified H818P: https://drive.google.com/open?id=0B-qopUSJ7Y5KWUR4Z3FMXzR5VTQ • Drivers LG Root (to pass the ROM via -. Enable USB debugging and oem unlock the developer options Copy system.img downloaded to the root folder of your lg g4 shut off the phone with the same plug off the USB cable by pressing the volume button +, the. phone will go into download mode. 2 - Pay close attention:. Now on your computer, open the LG UP and select a rOM (any KDZ) and start the installation process When you reach the 9% on your computer and mobile display the number of uSB port in green (eg COM3), unplug the qUICKLY cable This process is necessary because the LG blocked common access the COM port in Marshmallow.. 3 - Close the LG UP, and enter the LG_ROOT folder and open the file "PORTS", will open another command window, copy the port number that appears in the "\ Device \ LGANDNETDIAG1 REG_SZ COM5 *" (Using the example COM5). 4 - Go to the folder where is located the LG ROOT, press shift, click the right button and click Open command window here Type:. ". Send_Command.exe \\ \ COM5" (COM5 is the sample number, place the number of your door that took in the previous step and press enter .) 5 - will appear on one line with "#" Enter "id" (without quotes) and you will see a line like this: "uid = (0) root gid = (0) root" if aperecer FAIL retrace all . process 6 - Copy and paste the following command in CMD: dd if = / data / media / 0 / system.img bs = 8192 count = seek = 55 296 529 920 of = / dev / block / mmcblk0 After about 2.3 minutes appears the old game symbol again. Then type LEAVE. If the phone does not restart alone, unplug the cable, remove your battery, place and turn on. 
After starting, the unit will already be with low DPI and the double window enabled for all apps. Recommend to perform a factory reset before using the ROM. Attention: Only for H815P. Do not take responsibility for any damage to your phone. Remarks: - I'm studying the possibility of injecting the Xposed directly on img, and perform some more general settings, such as adding the native v10 apps on it (apps manager, weather, camera, etc.) and try to implement the viper4android. But as I walk out of time due to studies, I believe that in the offseason can take time to make the changes and go testing to be able to provide.
---------------------
The bold one says it's for H815P only?
Is this for H818P? MM?
h818 xD
the_naxhoo said:
h818 xD
Haha. Sorry. My bad mate. Thank you for this! :good:
Anyone tried this?
The commands are the same for H815P, H818P and international H815. You can use this translated page to do it yourself but be aware - google translate messed up commands so go copy them from source, not this translated text.
Out of curiosity, would it be possible to add root to this?
No, you can't root Marshmallow without modifying kernel (boot.img) and you can't do this because you have locked bootloader.
On what firmware this thing is based? 20a? 20c?

Help Me Unlock Huawei Lua-L22 Bootloader

Hi.
I found a post on xda how to unlock huawei mya-l22 device . This is it
After reading it I got this idea I can unlock Lua-L22 , if I could find someone who has a unlocked Lua-L22 device and willing to send me a backup of his/hers device's PROINFO partition and the KEY that was used to unlock the device (may be it is in emails)
so that's how I need help from anyone here
If there is anyone who is willing to help , read further.
How to Backup PROINFO And Help Me
1. Download SP flash tool and drivers for our phone and install them on your pc.
2.Download the attached Lua-L22.zip (which includes MT6735M scatter file and DA_SWSEC.bin files) (and preloader_LUA-L22.bin for the ones who read this in order to unlock Lua-L22)
3. Open SP flash tool, then ..
a.extract Lua-L22.zip
b. select Download Agent : "DA_SWSEC.bin" (the file in extracted Lua-L22 folder)
c. select the scatter file: "MT6735M_Android_scatter.txt"
4. Backup PROINFO partition..
a. Press on Readback tab.
b. Press on "Add" button.
c. Double click on the new entry, and choose where you want to save the backup and press Save. (default name is ROM_0, change it if you want to)
d. Select Type: Hex.
Region EMMC_USER
Start Address: 0x80000
Length: 0x300000
e. Press Read Back button " the green arrow "
f. now make sure your phone is turned off,
press and hold the down volume button and plug the USB cable..
keep pressing the volume down button until the backup process is done.
5. Doing the great help
a. attach the ROM_0 (or whatever the name you gave) file.
b. include the bootloader unlock key you used to unlock device
c . Post reply (A lot of thanks )
example : attached ROM_0 file with my unlock code was XXXXXXXXXXXXXXXX
If you are here to know how to unlock bootloader Lua-L22 Read further.
6.If a nice one has replied with what I asked
a. download attached file and save the unlock code to somewhere (from nice one's reply)
b. follow steps from 1 to 4 and save your backup (Must do)
7. Flash the new PROINFO partition:
a. open SP flash tool press " ctrl + alt + v ", to enable the advanced mode.
b. from "Window " in menu bar select " Write memory"
c. A new tab "Write memory" will be available; open it.
d. Set File path: the file downloaded from a Nice One
Begin address: 0x80000
Region : EMMC_USER
"by DRAM"
e. click on write memory
f. now as before turn off your phone and press and hold volume down button on your phone and plug the USB cable.
g. keep pressing the volume down button until the flash is done.
8. Unlock the phone!!
a. make sure to enable "OEM unlock" from developer option in your phone.
b. boot your phone to bootloader " fastboot" .
c. from your PC open the "minimal adb tool " or what you have ..
d. type this command :
fastboot oem unlock XXXXXXXXXXXXXXXX
e. done !! your phone will report now and it will do a full factory reset and will delete every thing .. so make sure to have backups
9.Restore your backup
just follow the 7th step but Set File path to file you backuped
That's it !
Many Many thanks for anyone who sends the backed up file and bootloader key
Thank you
I read somewhere that its not mandatory to unlock bootloader for the Huawei y3 2017 for one to root ( through magisk) just patch boot and flash using the same method outlined above (write memory). Twrp can be installed the same way.
i am Huawei lua l22 user I downloaded lua l22.zip and now I need bootloader key please send it to me
githubbeta said:
Hi.
I found a post on xda how to unlock huawei mya-l22 device . This is it
After reading it I got this idea I can unlock Lua-L22 , if I could find someone who has a unlocked Lua-L22 device and willing to send me a backup of his/hers device's PROINFO partition and the KEY that was used to unlock the device (may be it is in emails)
so that's how I need help from anyone here
If there is anyone who is willing to help , read further.
How to Backup PROINFO And Help Me
1. Download SP flash tool and drivers for our phone and install them on your pc.
2.Download the attached Lua-L22.zip (which includes MT6735M scatter file and DA_SWSEC.bin files) (and preloader_LUA-L22.bin for the ones who read this in order to unlock Lua-L22)
3. Open SP flash tool, then ..
a.extract Lua-L22.zip
b. select Download Agent : "DA_SWSEC.bin" (the file in extracted Lua-L22 folder)
c. select the scatter file: "MT6735M_Android_scatter.txt"
4. Backup proinf partition..
a. Press on Readback tab.
b. Press on "Add" button.
c. Double click on the new entry, and chose where you want to save the backup and press Save. (default name is ROM_0 change it if you want to)
d. Select Type: Hex.
Region EMMC_USER
Start Address: 0x80000
Length: 0x300000
e. Press Read Back button " the green arrow "
f. now make sure your phone is turned off,
press and hold the down volume button and plug the USB cable..
keep pressing the volume down button untill the backup process is done.
5.Doing the grate help
a. attach the ROM_0 (or whatever the name you gave) file.
b. include the bootloader unlock key you used to unlock device
c . Post reply (A lot of thanks )
example : attached ROM_0 file with my unlock code was XXXXXXXXXXXXXXXX
If you are here to know how to unlock bootloader Lua-L22 Read further.
6. If a nice one has replied with what I asked
a. download attached file and save the unlock code to somewhere (from nice one's reply)
b. follow steps from 1 to 4 and save your backup (Must do)
7. Flash the new PROINFO partition:
a. open SP flash tool press " ctrl + alt + v ", to enable the advanced mode.
b. from "Window " in menu bar select " Write memory"
c. New tab will be available "Write memory", open it.
d. Set File path: the file downloaded from a Nice One
Begin address: 0x80000
Region : EMMC_USER
"by DRAM"
e. click on write memory
f. now as before turn off your phone and press and hold volume down button on your phone and plug the USB cable.
g. keep pressing the volume down button until the flash is done.
8. Unlock the phone!!
a. make sure to enable "OEM unlock" from developer option in your phone.
b. boot your phone to bootloader " fastboot" .
c. from your PC open the "minimal adb tool " or what you have ..
d. type this command :
fastboot oem unlock XXXXXXXXXXXXXXXX
e. done !! your phone will reboot now and it will do a full factory reset and will delete everything .. so make sure to have backups
9. Restore your backup
just follow the 7th step but Set File path to the file you backed up
That's it !
Many Many thanks for anyone who sends the backed up file and bootloader key
Thank you

[GUIDE] [X606X/F/V(A)] [Lenovo M10 FHD PLUS] How to get rid of the Orange State message

Whenever we unlock an MTK device to flash root, a custom ROM, GSI etc., the device will show the Orange State message.
This is how to get rid of it.
It works on Linux.
1) Download the rom which is currently installed on your X606X/F/V (check in "about device") or which was installed before you installed the custom rom or gsi HERE
2) Extract into a folder and rename Checksum.ini and xauth_sv5.auth to something else.
3) Copy lk-verified.img to lk-patched.img
4) Hex-edit lk-patched.img (I used GHex)
-search for Orange
-replace, starting at the O of Orange and ending on the last s of seconds, in the hex part everything by 00 (zero zero)
-save the patched file
(I attach the lk-patched.img I already did for TB-X606X_S300673_220613_BMP)
5) Download SLA & DAA authentication bypass tool HERE
6) Extract into a folder
7) Open a terminal in that folder
-chmod +x bypass
-./bypass
8) When you get the prompt choose your distro (mine is Manjaro, so I chose Arch)
-the script will download various packages and files
9) When prompted connect your switched off tablet
10) The script will launch SP Flashtool
-choose Scatter-loading file: go to the folder of the rom you unpacked and choose the MT676x_Android_scatter.txt
-untick the x next to 'Name', all will be unselected
-on the far right of lk, double click on the file name (.../lk-verified.img) and select lk-patched.img
-do the same for lk2
-now only lk and lk2 will have a x tick in front
-unplug the cable from your phone
-click Download
-plug the cable back into your phone
11) Success!
-reboot your phone and enjoy no Orange State message.
Acknowledgment: Thanks to romprovider.com for the SLA & DAA authentication bypass tool
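
A check for the hex edit in step 4, as an added example (not part of the original guide or of any tool it links to): it compares lk-verified.img with lk-patched.img, whether you patched it yourself or downloaded one, and reports every change other than message text overwritten with 00. The sample image and its message wording are constructed, and the function names are this example's own.

```python
import sys

TEXT = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}  # printable ASCII plus tab/LF/CR

def diff_runs(stock: bytes, patched: bytes):
    """Return (offset, stock_bytes, patched_bytes) for each run of differing bytes."""
    runs, i, n = [], 0, len(stock)
    while i < n:
        if stock[i] == patched[i]:
            i += 1
            continue
        start = i
        while i < n and stock[i] != patched[i]:
            i += 1
        runs.append((start, stock[start:i], patched[start:i]))
    return runs

def audit_patch(stock: bytes, patched: bytes):
    """Return a list of problems; an empty list means only message text was zeroed."""
    if len(stock) != len(patched):
        # A hex editor in insert mode shifts every later offset in the image.
        return [f"size changed: {len(stock)} -> {len(patched)} bytes"]
    runs = diff_runs(stock, patched)
    if not runs:
        return ["images are identical; nothing was patched"]
    problems = []
    for off, old, new in runs:
        if any(new):
            problems.append(f"0x{off:x}: {len(new)} bytes changed to non-zero values")
        elif not set(old) <= TEXT:
            problems.append(f"0x{off:x}: zeroed bytes were not text")
    if not runs[0][1].startswith(b"Orange"):
        problems.append(f"first change at 0x{runs[0][0]:x} does not start at 'Orange'")
    if not runs[-1][1].endswith(b"seconds"):
        problems.append(f"last change at 0x{runs[-1][0]:x} does not end at 'seconds'")
    return problems

# Constructed stand-in for an lk image: filler bytes around a warning string.
MESSAGE = b"Orange State\nYour device has been unlocked\nBooting in 5 seconds"
SAMPLE_STOCK = b"\x7fLK\x00" + bytes(range(256)) + MESSAGE + b"\x00" + bytes(range(255, -1, -1))
START = SAMPLE_STOCK.index(b"Orange")
SAMPLE_GOOD = SAMPLE_STOCK[:START] + bytes(len(MESSAGE)) + SAMPLE_STOCK[START + len(MESSAGE):]
SAMPLE_EXTRA = SAMPLE_GOOD[:8] + b"\x90" + SAMPLE_GOOD[9:]  # one stray byte elsewhere

if __name__ == "__main__" and len(sys.argv) == 3:
    with open(sys.argv[1], "rb") as a, open(sys.argv[2], "rb") as b:
        found = audit_patch(a.read(), b.read())
    print("\n".join(found) or "OK: only the message text was zeroed")
    sys.exit(1 if found else 0)
```

Saved under any file name, it takes the two image paths as arguments (stock first, patched second) and exits non-zero when anything besides the message bytes differs.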
