I bought a Motorola Moto G7 only for using it with Lineage OS.
I followed the instructions on this site: https://wiki.lineageos.org/devices/river/install
I downloaded TWRP on this site: https://eu.dl.twrp.me/river/
I was able to get into the bootloader and sent a build file ( lineage-16.0-20191209-nightly-river-signed.zip ) onto the device from my computer.
I installed it, but when I wanted to reboot, it said that no OS is installed.
Now my device won't start and is completely dead. (After the installation of TWRP image though TWRP, see EDIT)
Do you have any idea what went wrong?
EDIT:
After the failed installation I noticed that my TWRP version was "twrp-3.3.1-1-river" and not the most recent "twrp-3.3.1-2-river". So i copied the "twrp-3.3.1-2-river.img" onto my device and hit install in TWRP. After that my phone is completely off. I can't start it and can't get into TWRP. I think it was a mistake to install the image. I think I was supposed to install the .zip instead to update TWRP.
-Can the installation of a TWRP image through TWRP brick a device?
-That doesn't change the fact, that the installation of the build file didn't work. Is the file corrput? Does anybody have a working Moto G7 with Lineage OS?
-Is there any way to save my phone?
EDIT:
-I tried this advice: https://forum.xda-developers.com/showpost.php?p=80771201&postcount=37
But the difference in my case is, that my PC can't even detect my phone. My PC doesn't find a device "qualcomm hs-usb qdloader 9008" in the device manager like it's described in your link. In the device manager it says under USB-controllers: "Unknown USB-device (error with requesting a device description)" (translated). The bankflash.bat is just <waiting for device>
Try holding power+vol down, it helped me to show the qualcomm device,
but no luck doing blankflash
Install Qualcomm usb 9008 drivers?
If the phone is bootloader unlocked, just flash back to stock. Then start over. I assume you're already using the most up-to-date version of fastboot (platform tools)
Phalanx7621 said:
If the phone is bootloader unlocked, just flash back to stock. Then start over. I assume you're already using the most up-to-date version of fastboot (platform tools)
Click to expand...
Click to collapse
Hi, I am in the same situation...
I just followed the lineageos instructions and after unlocking, flashing TWRP and sideloading lineageos the phone seems to be dead - or nearly dead. When connecting to linux I see:
usb 1-3: new high-speed USB device number 16 using xhci_hcd
usb 1-3: New USB device found, idVendor=05c6, idProduct=9008, bcdDevice= 0.00
usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=0
usb 1-3: Product: QUSB__BULK
usb 1-3: Manufacturer: Qualcomm CDMA Technologies MSM
qcserial 1-3:1.0: Qualcomm USB modem converter detected
usb 1-3: Qualcomm USB modem converter now attached to ttyUSB0
despite of that, no fastboot working. All the permissions are fine (I just flashed TWRP with this setup with no problems),
But now fastboot is just <waiting for device> nothing happens....
Any clues?
Thanks
jwberlin1 said:
I bought a Motorola Moto G7 only for using it with Lineage OS.
I followed the instructions on this site: https://wiki.lineageos.org/devices/river/install
I downloaded TWRP on this site: https://eu.dl.twrp.me/river/
I was able to get into the bootloader and sent a build file ( lineage-16.0-20191209-nightly-river-signed.zip ) onto the device from my computer.
I installed it, but when I wanted to reboot, it said that no OS is installed.
Now my device won't start and is completely dead. (After the installation of TWRP image though TWRP, see EDIT)
Do you have any idea what went wrong?
Click to expand...
Click to collapse
I had exactly the same problem. The Lineage OS installation instructions are missing an important point.
The Moto G7 has two slots, A and B. However, it seems they only come with a bootloader pre-installed on slot A, slot B seems to be completely blank.
When slot A is active and you flash Lineage OS using TWRP, it writes to slot B and switches to slot B.
When you reboot, you cannot boot anymore, because on slot B there is no bootloader.
To mitigate this issue, you have to flash a "copypartitions" zip before rebooting.
jwberlin1 said:
-Is there any way to save my phone?
Click to expand...
Click to collapse
My phone also was in 9008 mode and I revived my Moto G7 using the blankflash method, see here:
https://forum.xda-developers.com/moto-g7/how-to/blankflash-moto-g7-xt1962-5-river-reteu-t4020263
Basically, follow exact instructions.
NetrixX13 said:
I had exactly the same problem. The Lineage OS installation instructions are missing an important point.
The Moto G7 has two slots, A and B. However, it seems they only come with a bootloader pre-installed on slot A, slot B seems to be completely blank.
When slot A is active and you flash Lineage OS using TWRP, it writes to slot B and switches to slot B.
When you reboot, you cannot boot anymore, because on slot B there is no bootloader.
To mitigate this issue, you have to flash a "copypartitions" zip before rebooting.
My phone also was in 9008 mode and I revived my Moto G7 using the blankflash method, see here:
https://forum.xda-developers.com/moto-g7/how-to/blankflash-moto-g7-xt1962-5-river-reteu-t4020263
Click to expand...
Click to collapse
I can confirm - the method above ( https://forum.xda-developers.com/mot...reteu-t4020263 ) revived my phone.
The mentioned copy-partitions-AB.zip I have obtained from here: https://androidfilehost.com/?fid=4349826312261636295
Thank you for sharing this!
NetrixX13 said:
I had exactly the same problem. The Lineage OS installation instructions are missing an important point.
The Moto G7 has two slots, A and B. However, it seems they only come with a bootloader pre-installed on slot A, slot B seems to be completely blank.
When slot A is active and you flash Lineage OS using TWRP, it writes to slot B and switches to slot B.
When you reboot, you cannot boot anymore, because on slot B there is no bootloader.
To mitigate this issue, you have to flash a "copypartitions" zip before rebooting.
My phone also was in 9008 mode and I revived my Moto G7 using the blankflash method, see here:
https://forum.xda-developers.com/moto-g7/how-to/blankflash-moto-g7-xt1962-5-river-reteu-t4020263
Click to expand...
Click to collapse
I can also confirm saving my Hard bricked, non booting black screen, no life moto g7 with the above blank flash app from above link. then i used the lenovo recovery program to put the original rom back on the phone downloadable here: https://support.lenovo.com/us/en/downloads/ds101291
if you have a black screen hard brick, no life but windows 10 sees it at an unknown or 9008 device then you can bring your moto g7 back to life again. follow all the above links and youre good!
bricked xt1962-6
same thing happened with me, i tried: https://forum.xda-developers.com/moto-g7/how-to/blankflash-moto-g7-xt1962-5-river-reteu-t4020263 downloaded blankflash for river from lolinet, it doesn't work don't know whats wrong, is the blankflash not correct? have tried more than a 1000 times blankflashing by following all sorts of instruction for blankflashing nothing seems to be working im thinking the blankflash zip on lolinet is not compatible or what! somebody help please. i cant even go out and buy a new phone or approach any service centers thanks to Wuhan
this is what im getting in blankflash (qboot.log)
**** Log buffer [000001] 2020-04-02_13:09:20 ****
[ -0.000] Opening device: \\.\COM5
[ 0.001] Detecting device
[ 0.004] ...cpu.id = 186 (0xba)
[ 0.004] ...cpu.sn = 186586566 (0xb1f15c6)
[ 0.004] Opening singleimage
[ 0.071] Loading package
[ 0.075] ...filename = singleimage.pkg.xml
[ 0.078] Loading programmer
[ 0.080] ...filename = programmer.mbn
[ 0.080] Sending programmer
[ 0.368] Handling things over to programmer
[ 0.369] Identifying CPU version
[ 0.376] Waiting for firehose to get ready
[ 31.077] ReadFile() failed, GetLastError()=0
[ 60.630] Waiting for firehose to get ready
[120.699] ...MSM8953 unknown
[120.699] Determining target secure state
[120.706] Waiting for firehose to get ready
[180.819] ...secure = no
[180.889] Initializing storage
[180.893] Waiting for firehose to get ready
[240.995] Configuring device...
[240.998] Waiting for firehose to get ready
[301.223] Waiting for firehose to get ready
[361.350] Waiting for firehose to get ready
[421.438] Waiting for firehose to get ready
[481.511] Initializing storage
[481.523] Waiting for firehose to get ready
[541.670] Configuring device...
[541.674] Waiting for firehose to get ready
[602.146] Waiting for firehose to get ready
[662.241] Waiting for firehose to get ready
[722.328] Waiting for firehose to get ready
[782.407] Waiting for firehose to get ready
[842.476] Configuring device...
[842.480] Waiting for firehose to get ready
[902.691] Waiting for firehose to get ready
[962.794] Waiting for firehose to get ready
[1022.961] Waiting for firehose to get ready
[1083.048] ERROR: do_package()->do_recipe()->do_configure()->buffer_read()->device_read()->IO error
[1083.048] Check qboot_log.txt for more details
[1083.050] Total time: 1083.052s
[1083.051] There were some hiccups in backup and restore.
[1083.053] Please save the following files and see a Bootloader member.
[1083.054] 1) ./qboot_log.txt
[1083.055] 2) ./backup_0x0B1F15C6_2020-04-02_131221.img
[1083.056]
[1083.058]
[1083.058] qboot version 3.40
[1083.058]
[1083.058] DEVICE {
[1083.058] name = "\\.\COM5",
[1083.058] flags = "0x64",
[1083.058] addr = "0x22FE6C",
[1083.058] sahara.current_mode = "0",
[1083.058] api.buffer = "0x1760020",
[1083.058] cpu.serial = "186586566",
[1083.058] cpu.id = "186",
[1083.058] cpu.sv_sbl = "0",
[1083.058] cpu.name = "MSM8953",
[1083.058] storage.type = "eMMC",
[1083.058] sahara.programmer = "programmer.mbn",
[1083.058] module.firehose = "0x35F278",
[1083.058] cpu.ver = "0",
[1083.058] cpu.vername = "unknown",
[1083.058] api.bnr = "0x16CD488",
[1083.058] }
[1083.058]
[1083.058]
[1083.058] Backup & Restore {
[1083.058] num_entries = 26,
[1083.058] restoring = "false",
[1083.058] restore_error = "not started",
[1083.058] entries[00] = { skipped = 0, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="cid"},
[1083.058] entries[01] = { skipped = 0, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="frp"},
[1083.058] entries[02] = { skipped = 0, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="hw"},
[1083.058] entries[03] = { skipped = 0, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="misc"},
[1083.058] entries[04] = { skipped = 0, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="persist"},
[1083.058] entries[05] = { skipped = 0, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="utags"},
[1083.058] entries[06] = { skipped = 0, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="devinfo"},
[1083.058] entries[07] = { skipped = 0, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="sp"},
[1083.058] entries[08] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="aboot_a"},
[1083.058] entries[09] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="cmnlib_a"},
[1083.058] entries[10] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="cmnlib64_a"},
[1083.058] entries[11] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="devcfg_a"},
[1083.058] entries[12] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="keymaster_a"},
[1083.058] entries[13] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="tz_a"},
[1083.058] entries[14] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="rpm_a"},
[1083.058] entries[15] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="prov_a"},
[1083.058] entries[16] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="sbl1_a"},
[1083.058] entries[17] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="aboot_b"},
[1083.058] entries[18] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="cmnlib_b"},
[1083.058] entries[19] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="cmnlib64_b"},
[1083.058] entries[20] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="devcfg_b"},
[1083.058] entries[21] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="keymaster_b"},
[1083.058] entries[22] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="tz_b"},
[1083.058] entries[23] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="rpm_b"},
[1083.058] entries[24] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="prov_b"},
[1083.058] entries[25] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="sbl1_b"},
[1083.058] simg = {
[1083.058] filename = "backup_0x0B1F15C6_2020-04-02_131221.img",
[1083.059] entries[00] = { size = 405264, name = "programmer.mbn" },
[1083.059] }
[1083.059] }
[1083.059]
same thing
i have the same problem with my phone, i dowloaded 3 diferents flashblanks zip, and no one worked, in my linux computer i got this error :
[ 4.103] ERROR: sahara_greet_device()->change_mode()->do_hello()->IO error
[ 4.103] Check qboot_log.txt for more details
[ 4.103] Total time: 4.103s
FAILED: qb_flash_singleimage()->sahara_greet_device()->change_mode()->do_hello()->IO error
i saw a different instruccion like : ./blank-flash.sh --debug=2
and the result is :
< waiting for device >
Motorola qboot utility version 3.40
[ 0.000] Opening device: /dev/ttyUSB0
[ 0.000] Opening serial device: /dev/ttyUSB0
[ 0.000] serial_open():228: opening /dev/ttyUSB0
[ 0.000] Detecting device
[ 0.000] Switching to command mode
[ 0.000] Receiving HELLO packet
[ 0.000] Dumping 48 bytes read
[ 0.001] 00000000 01 00 00 00 30 00 00 00 02 00 00 00 01 00 00 00 |....0...........|
[ 0.001] 00000010 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[ 0.001] 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[ 0.001] ...protocol version: 2
[ 0.001] ...compatible with: 1
[ 0.001] ...max. packet size: 1024
[ 0.001] ...current mode: Image transfer pending
[ 0.001] Sending HELLO_RESP packet
[ 0.001] Dumping 48 bytes written
[ 0.001] 00000000 02 00 00 00 30 00 00 00 02 00 00 00 02 00 00 00 |....0...........|
[ 0.001] 00000010 00 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 |................|
[ 0.001] 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
etc etc etc. and at this poitn it stoped:
[ 44.957] Dumping 16 bytes read
[ 44.957] 00000000 04 00 00 00 10 00 00 00 0d 00 00 00 01 00 00 00 |................|
and nothing, it was like an hour in that state, :c
Related
I'm trying to send out a generic message using SENDSMS function in Windows Mobile Sample Code but I am unsuccessful. Here is a copy of the code
Code:
// ***************************************************************************
// Function Name: SendSMS
//
// Purpose: Send an SMS Message
//
// Arguments: none
//
// Return Values: none
//
// Description:
// Called after everything has been set up, this function merely opens an
// SMS_HANDLE and tries to send the SMS Message.
void SendSMS(BOOL bSendConfirmation, BOOL bUseDefaultSMSC, LPCTSTR lpszSMSC, LPCTSTR lpszRecipient, LPCTSTR lpszMessage)
{
SMS_HANDLE smshHandle;
SMS_ADDRESS smsaSource;
SMS_ADDRESS smsaDestination;
TEXT_PROVIDER_SPECIFIC_DATA tpsd;
SMS_MESSAGE_ID smsmidMessageID;
// try to open an SMS Handle
if(FAILED(SmsOpen(SMS_MSGTYPE_TEXT, SMS_MODE_SEND, &smshHandle, NULL)))
{
MessageBox(NULL,
(LPCTSTR)LoadString(ghInstance, IDS_ERROR_SMSOPEN, 0, 0),
(LPCTSTR)LoadString(ghInstance, IDS_CAPTION_ERROR, 0, 0),
MB_OK | MB_ICONERROR);
return;
}
// Create the source address
if(!bUseDefaultSMSC)
{
smsaSource.smsatAddressType = SMSAT_INTERNATIONAL;
_tcsncpy(smsaSource.ptsAddress, lpszSMSC, SMS_MAX_ADDRESS_LENGTH);
}
// Create the destination address
smsaDestination.smsatAddressType = SMSAT_INTERNATIONAL;
_tcsncpy(smsaDestination.ptsAddress, lpszRecipient, SMS_MAX_ADDRESS_LENGTH);
// Set up provider specific data
memset(&tpsd, 0, sizeof(tpsd));
tpsd.dwMessageOptions = bSendConfirmation ? PS_MESSAGE_OPTION_STATUSREPORT : PS_MESSAGE_OPTION_NONE;
tpsd.psMessageClass = PS_MESSAGE_CLASS1;
tpsd.psReplaceOption = PSRO_NONE;
tpsd.dwHeaderDataSize = 0;
// Send the message, indicating success or failure
if(SUCCEEDED(SmsSendMessage(smshHandle, ((bUseDefaultSMSC) ? NULL : &smsaSource),
&smsaDestination, NULL, (PBYTE) lpszMessage,
_tcslen(lpszMessage) * sizeof(TCHAR), (PBYTE) &tpsd,
sizeof(TEXT_PROVIDER_SPECIFIC_DATA), SMSDE_OPTIMAL,
SMS_OPTION_DELIVERY_NONE, &smsmidMessageID)))
{
MessageBox(NULL,
(LPCTSTR)LoadString(ghInstance, IDS_SMSSENT, 0, 0),
(LPCTSTR)LoadString(ghInstance, IDS_CAPTION_SUCCESS, 0, 0),
MB_OK);
}
else
{
MessageBox(NULL,
(LPCTSTR)LoadString(ghInstance, IDS_ERROR_SMSSEND, 0, 0),
(LPCTSTR)LoadString(ghInstance, IDS_CAPTION_ERROR, 0, 0),
MB_OK | MB_ICONERROR);
}
// clean up
VERIFY(SUCCEEDED(SmsClose(smshHandle)));
}
Again, I am trying to explicitly specify the recipient and the message being sent which are variables LPCTSTR lpszRecipient and LPCTSTR lpszMessage. Every time I assign them a string value, I get an error. Does anybody know a solution?
Not sure
Not too sure what you are trying to achieve here, as Vijay already has an SMSSend app, which is command line driven and works a treat. Would hate for you to reinvent the wheel - check his tools out: http://www.vijay555.com/?Releases:VJPhoneTools
http://www.canyoucrackit.co.uk/
Not Evo related, but still fun. It's stage 1 of a challenge, that is said to be a GCHQ Recruitment Test.
I don't know why this is under the HTC Supersonic but here is the hex data, so you don't have to manually type it in yourself:
Code:
eb 04 af c2 bf a3 81 ec 00 01 00 00 31 c9 88 0c
0c fe c1 75 f9 31 c0 ba ef be ad de 02 04 0c 00
d0 c1 ca 08 8a 1c 0c 8a 3c 04 88 1c 04 88 3c 0c
fe c1 75 e8 e9 5c 00 00 00 89 e3 81 c3 04 00 00
00 5c 58 3d 41 41 41 41 75 43 58 3d 42 42 42 42
75 3b 5a 89 d1 89 e6 89 df 29 cf f3 a4 89 de 89
d1 89 df 29 cf 31 c0 31 db 31 d2 fe c0 02 1c 06
8a 14 06 8a 34 1e 88 34 06 88 14 1e 00 f2 30 f6
8a 1c 16 8a 17 30 da 88 17 47 49 75 de 31 db 89
d8 fe c0 cd 80 90 90 e8 9d ff ff ff 41 41 41 41
(I'll edit this post if you find any transcription errors)
Suspicious sequences are:
00 01 and 00 00 at offset 0x08
deadbeef at 0x18
5c 58 3d 41 41 41 41 75 43 58 3d 42 42 42 42 75 3b 5a ("\X=AAAAuCX=BBBBu;Z") at 0x41
47 49 75 at 0x89
41 41 41 41 ("AAAA") at 0x9c
ff ff ff at 0x99
00 00 00 at offset 0x36 and again at 0x3e
The first few bytes look like x86 assembly code. Trying http:/ stackoverflow.com/questions/1737095/how-do-i-disassemble-raw-x86-code (sorry, can't actually make that a link due to forum rules)
I think it's not 16-bit real mode code, so here's a static analysis of the code treated as ia32 linux code - because of the int $0x80 at the end.
Code:
objdump -D -b binary -mi386 (raw bytes here)
start:
0: eb 04 jmp 0x6
might_be_data1:
2: af scas %es:(%edi),%eax
3: c2 bf a3 ret $0xa3bf
init:
6: 81 ec 00 01 00 00 sub $0x100,%esp
c: 31 c9 xor %ecx,%ecx
search_for_zero_byte:
e: 88 0c 0c mov %cl,(%esp,%ecx,1)
11: fe c1 inc %cl
13: 75 f9 jne 0xe
15: 31 c0 xor %eax,%eax
17: ba ef be ad de mov $0xdeadbeef,%edx
checksum_loop:
1c: 02 04 0c add (%esp,%ecx,1),%al
1f: 00 d0 add %dl,%al
21: c1 ca 08 ror $0x8,%edx ; first time through, %edx = $0xdeadbe
24: 8a 1c 0c mov (%esp,%ecx,1),%bl
27: 8a 3c 04 mov (%esp,%eax,1),%bh
2a: 88 1c 04 mov %bl,(%esp,%eax,1) ; swap byte values
2d: 88 3c 0c mov %bh,(%esp,%ecx,1) ; swap byte values
30: fe c1 inc %cl ; run the loop until %cl wraps to 0
32: 75 e8 jne 0x1c
34: e9 5c 00 00 00 jmp 0x95
sub_39:
39: 89 e3 mov %esp,%ebx
3b: 81 c3 04 00 00 00 add $0x4,%ebx
41: 5c pop %esp
42: 58 pop %eax
43: 3d 41 41 41 41 cmp $0x41414141,%eax
48: 75 43 jne 0x8d
4a: 58 pop %eax
4b: 3d 42 42 42 42 cmp $0x42424242,%eax
50: 75 3b jne 0x8d
52: 5a pop %edx
53: 89 d1 mov %edx,%ecx
55: 89 e6 mov %esp,%esi
57: 89 df mov %ebx,%edi
59: 29 cf sub %ecx,%edi
5b: f3 a4 rep movsb %ds:(%esi),%es:(%edi)
5d: 89 de mov %ebx,%esi
5f: 89 d1 mov %edx,%ecx
61: 89 df mov %ebx,%edi
63: 29 cf sub %ecx,%edi
65: 31 c0 xor %eax,%eax
67: 31 db xor %ebx,%ebx
69: 31 d2 xor %edx,%edx
6b: fe c0 inc %al
6d: 02 1c 06 add (%esi,%eax,1),%bl
70: 8a 14 06 mov (%esi,%eax,1),%dl
73: 8a 34 1e mov (%esi,%ebx,1),%dh
76: 88 34 06 mov %dh,(%esi,%eax,1)
79: 88 14 1e mov %dl,(%esi,%ebx,1)
7c: 00 f2 add %dh,%dl
7e: 30 f6 xor %dh,%dh
80: 8a 1c 16 mov (%esi,%edx,1),%bl
83: 8a 17 mov (%edi),%dl
85: 30 da xor %bl,%dl
87: 88 17 mov %dl,(%edi)
89: 47 inc %edi
8a: 49 dec %ecx
8b: 75 de jne 0x6b
8d: 31 db xor %ebx,%ebx
8f: 89 d8 mov %ebx,%eax
91: fe c0 inc %al
93: cd 80 int $0x80
95: 90 nop
96: 90 nop
97: e8 9d ff ff ff call 0x39
9c: 41 inc %ecx
9d: 41 inc %ecx
9e: 41 inc %ecx
9f: 41 inc %ecx
X=AAAAuCX=BBBBu;
Before i found this page, i wrote a little tool to convert hex into a readable string in pascal..
s:=#$E3+#$81+#$C3+#$04+#$00+#$00+#$00+'\X=AAAAuCX=BBBBu;Z'+#$89+#$D1+#$89+#$E6+#$89+#$DF+')'+#$CF+#$F3+#$A4+#$89+#$DE+#$89+#$D1+#$89+#$DF+')'+#$CF+'1'+#$C0+'1'+#$DB+'1'+#$D2+#$FE+#$C0+#$02+#$1C+#$06+#$8A+#$14+#$06+#$8A+'4'+#$1E+#$88+'4'+#$06+#$99+#$14+#$1E+#$00+#$F2+'0'+#$F6+#$8A+#$1C+#$16+#$8A+#$17+'0'+#$DA+#$88+#$17+'GIu'+#$DE+'1'+#$DB+#$89+#$D8+#$FE+#$C0+#$CD+#$80+#$90+#$90+#$EB+#$9D+#$FF+#$FF+#$FF+'AAAA';
and manually typed in every hex value.. before finding this site.
anyway (annoyed wasting that 20 minutes now)
\X=AAAAuCX=BBBBu;Z
That looks like a cookie?
let's suppose they are opcodes, this does not look like 0x86 have you tried a 16bit disassembler mode?
Question, is this disassemble code? or is this a captured packet? or a packet made to look like either but instead is just random crap generated by a program with a unique identifier that can be decoded...
some clue would be nice...
---------- Post added at 08:15 PM ---------- Previous post was at 08:05 PM ----------
oh and could someone move this thread? it's got nothing to do with htc lol
Here you go :-
www.canyoucrackit.co.uk/soyoudidit.asp
Sent from my GT-S5570 using xda premium
lol, that's just cheating, forget brute force, bruteforce the http request strings to find page you get sent to if you get the answer ...
shakes head, they spent all that time and they never even bothered to stop to consider producing a link on the fly after getting the answer right then deleting the computer generated webpage (tmp file)...
they need help after all! no wonder they're in need of hackers christ....
Anyway thanks for that link, but the answer would be nice, i guess we'll found out soon enough
Cheers!
So i got it.
Passphrase: Pr0t3ct!on#[email protected]*12.2011+
solution to part #1 of canyoucrackit
part2.h will be published along with solutions to the subsequent levels after 12 December 2011
#include <stdio.h>
#include <stdint.h>
#include <malloc.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <time.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <sys/utsname.h>
#include "part2.h" // see information above
static char part1[] = {
0xeb, 0x04, 0xaf, 0xc2, 0xbf, 0xa3, 0x81, 0xec, 0x00, 0x01, 0x00, 0x00, 0x31, 0xc9, 0x88, 0x0c,
0x0c, 0xfe, 0xc1, 0x75, 0xf9, 0x31, 0xc0, 0xba, 0xef, 0xbe, 0xad, 0xde, 0x02, 0x04, 0x0c, 0x00,
0xd0, 0xc1, 0xca, 0x08, 0x8a, 0x1c, 0x0c, 0x8a, 0x3c, 0x04, 0x88, 0x1c, 0x04, 0x88, 0x3c, 0x0c,
0xfe, 0xc1, 0x75, 0xe8, 0xe9, 0x5c, 0x00, 0x00, 0x00, 0x89, 0xe3, 0x81, 0xc3, 0x04, 0x00, 0x00,
0x00, 0x5c, 0x58, 0x3d, 0x41, 0x41, 0x41, 0x41, 0x75, 0x43, 0x58, 0x3d, 0x42, 0x42, 0x42, 0x42,
0x75, 0x3b, 0x5a, 0x89, 0xd1, 0x89, 0xe6, 0x89, 0xdf, 0x29, 0xcf, 0xf3, 0xa4, 0x89, 0xde, 0x89,
0xd1, 0x89, 0xdf, 0x29, 0xcf, 0x31, 0xc0, 0x31, 0xdb, 0x31, 0xd2, 0xfe, 0xc0, 0x02, 0x1c, 0x06,
0x8a, 0x14, 0x06, 0x8a, 0x34, 0x1e, 0x88, 0x34, 0x06, 0x88, 0x14, 0x1e, 0x00, 0xf2, 0x30, 0xf6,
0x8a, 0x1c, 0x16, 0x8a, 0x17, 0x30, 0xda, 0x88, 0x17, 0x47, 0x49, 0x75, 0xde, 0x31, 0xdb, 0x89,
0xd8, 0xfe, 0xc0, 0xcd, 0x80, 0x90, 0x90, 0xe8, 0x9d, 0xff, 0xff, 0xff, 0x41, 0x41, 0x41, 0x41,
};
// code to dump the decrypted memory:
static const char dump_mem[] = {
0xba, 0x31, 0x00, 0x00, 0x00, // mov edx, 0x40
0x8d, 0x4f, 0xce, // lea ecx, [edi-0x32]
0x31, 0xdb, // xor ebx, ebx
0x43, // inc ebx (stdout)
0x31, 0xc0, // xor eax, eax
0xb0, 0x04, // add al, 0x4 - sys_write
0xcd, 0x80, // int 0x80
0x31, 0xdb, // xor ebx,ebx
0x43, // inc ebx
0x31, 0xd2, // xor edx,edx
0x42, // inc edx
0x68, 0x0a, 0x00,0x00, 0x00, // push 0xa
0x8d, 0x0c, 0x24, // lea ecx,[esp]
0xb8, 0x04, 0x00,0x00, 0x00, // mov eax, 0x4
0xcd, 0x80, // int 0x80 - sys_write
0x31, 0xdb, // xor ebx,ebx
0x31, 0xc0, // xor eax,eax
0x40, // inc eax
0xcd, 0x80, // int 0x80 - sys_exit
};
uint32_t patch_mem(char *ptr, size_t size)
{
uint32_t i;
for (i = 0; i < size; i++) {
if (*(uint16_t *)&ptr == 0x80cd) {
*(uint16_t *)&ptr = 0x45eb;
return 0;
}
}
return 1;
}
uint32_t check_arch(void)
{
struct utsname kernel_info;
uname(&kernel_info);
return strcmp(kernel_info.machine, "i686") ? 1 : 0;
}
int main(int argc, char **argv)
{
void *mem;
if (check_arch()) {
printf("[-] this program must run on a 32-bit architecture\n");
return 1;
}
printf("[*] allocating page aligned memory\n");
mem = memalign(4096, 4096);
if (!mem) {
printf("[-] error: %s\n", strerror(errno));
return 1;
}
memset(mem, 0, 4096);
printf("[*] setting page permissions\n");
if (mprotect(mem, 4096, PROT_READ | PROT_WRITE | PROT_EXEC)) {
printf("[-] error: %s\n", strerror(errno));
return 1;
}
printf("[*] copying payload\n");
memcpy(mem, part1, sizeof(part1));
memcpy(mem + sizeof(part1), part2, sizeof(part2));
memcpy(mem + sizeof(part1) + sizeof(part2), dump_mem, sizeof(dump_mem));
printf("[*] adding dump_mem payload\n");
if (patch_mem(mem, sizeof(part1))) {
printf("[-] failed to patch memory\n");
return 0;
}
printf("[*] executing payload..\n\n");
((int(*)(void))mem)();
return 0;
}
CHEERS
Craig Capel said:
lol, that's just cheating, forget brute force, bruteforce the http request strings to find page you get sent to if you get the answer ...
shakes head, they spent all that time and they never even bothered to stop to consider producing a link on the fly after getting the answer right then deleting the computer generated webpage (tmp file)...
they need help after all! no wonder they're in need of hackers christ....
Anyway thanks for that link, but the answer would be nice, i guess we'll found out soon enough
Cheers!
Click to expand...
Click to collapse
Pr0t3ct!on#[email protected]*12.2011+
that's the answer
But easy way to do it.... just use ip scaner...and put the adress below... then you see many updates in adress...2 hours of reading...but i found it
Sorry for my bad English ...
CHEERS
thx. Interesting way to learn how this works without visiting strange sites...
(although it does not seem to fit this forums purpose)
Hello all,
I'm working on the mac address problem inherent to HD2.
For now under Magldr, it is more or less unique (more than less) ;-)
Other boot method I can't test is haret/wimo
It seems that my patch modifying the NAND(magldr) boot affects the SD boot.
I can't figure it without precise reports. I need you to use "adb" to report me some info.
Here is how to do it:
cd your/android-sdk-linux/platform-tools/
[email protected]:> ./adb shell
# uname -a
Linux localhost 2.6.32-ics_tytung_HWA_r2.3-uniMAC #7 PREEMPT Tue May 22 02:13:09 CEST 2012 armv7l GNU/Linux
# dmesg |grep -i mac
<4>[ 0.000000] Machine: htcleo
<6>[ 1.439056] Device Bluetooth MAC Address: 00:23:76:32:16:be
<6>[ 2.989105] rndis_function_bind_config MAC: 00:00:00:00:00:00
<6>[ 2.989593] usb0: MAC 36:b0:0d:af:76:1d
<6>[ 2.989624] usb0: HOST MAC ca:50:bc:14:ad:79
<6>[ 3.444152] Device Wifi Mac Address: 00:23:76:be:16:32
Tips
-shell into your hd2 asap, while in the boot animation !
-do it with both kernels HWA_r2.3-uniMAC and previous functionnal
Please other Magldr users, post here the macaddress you have.
This is just to eval 'dispersion' (collision avoidance) with actual patch.
Franck
ok, good news,
Saw the mistake in the kernel code.
function() call to guess a mac was inadvertandly removed for SD boot method!
Fixed in R4
This thread still must be filled with MAC address for NAND and SD kernel version to evaluate collision avoidance.
Meanwhile I'm working on reading on interesting NAND block with something ressembling a MAC in it.
Will need more testers to check it is a unique MAC ;-)
Hello All,
How many of you users with hd2 will be able to compile a custom kernel with a patched htcleo_nand.c ?
This is to validate my guess of finding two unique macadress writed in block 505 of the NAND.
To definitly get rid of this problem.
Franck
Code:
diff --git a/drivers/mtd/devices/htcleo_nand.c b/drivers/mtd/devices/htcleo_nand.c
index 2150bcc..bfbcbad 100755
--- a/drivers/mtd/devices/htcleo_nand.c
+++ b/drivers/mtd/devices/htcleo_nand.c
@@ -1827,6 +1827,116 @@ static int param_get_page_size(char *buffer, struct kernel_param *kp)
}
module_param_call(pagesize, NULL, param_get_page_size, NULL, S_IRUGO);
+int is_htc_mac (int pattern)
+{
+ /* HTC blocks to find :
+ 00:09:2D
+ 00:23:76
+ 18:87:76
+ 1C:B0:94
+ 38:E7:D8
+ 64:A7:69
+ 7C:61:93
+ 90:21:55
+ A0:F4:50
+ A8:26:D9
+ D4:20:6D
+ D8:B3:77
+ E8:99:C4
+ F8:DB:F7 */
+ static int nums[] = {
+ 0x00092D,0x2D0900,
+ 0x002376,0x762300,
+ 0x188776,0x768718,
+ 0x1CB094,0x94B01C,
+ 0x38E7D8,0xD8E738,
+ 0x64A769,0x69A764,
+ 0x7C6193,0x93617C,
+ 0x902155,0x552190,
+ 0xA0F450,0x50F4A0,
+ 0xA826D9,0xD926A8,
+ 0xD4206D,0x6D20D4,
+ 0xD8B377,0x77B3D8,
+ 0xE899C4,0xC499E8,
+ 0xF8DBF7,0xF7DBF8};
+ int i;
+ for (i=0; i< (sizeof(nums)/sizeof(nums[0])); i++)
+ {
+ if (nums[i] == pattern) return 1;
+ }
+ return 0;
+}
+void scanmac(struct mtd_info *mtd)
+{
+ unsigned char *iobuf;
+ int ret;
+ loff_t addr;
+ struct mtd_oob_ops ops;
+ int i,j,k;
+
+ iobuf = kmalloc(2048/*mtd->erasesize*/, GFP_KERNEL);
+ if (!iobuf) {
+ /*ret = -ENOMEM;*/
+ printk("%s: error: cannot allocate memory\n",__func__);
+ return;
+ }
+
+ ops.mode = MTD_OOB_PLACE;
+ ops.len = 2048;
+ ops.datbuf = iobuf;
+ ops.ooblen = 0;
+ ops.oobbuf = NULL;
+ ops.retlen = 0;
+
+ /* bloc 505 page 6 contains as good candidate */
+ addr = ((loff_t) 505*0x20000 + 6*2048);
+ ret = msm_nand_read_oob(mtd, addr, &ops);
+
+ if (ret == -EUCLEAN)
+ ret = 0;
+ if (ret || ops.retlen != 2048 ) {
+ printk("%s: error: read(%d) failed at %#llx\n",__func__,ops.retlen, addr);
+ goto out;
+ }
+
+ printk("%s: Prefered candidate mac=%02x:%02x:%02x:%02x:%02x:%02x\n",__func__,
+ iobuf[5],iobuf[4],iobuf[3],iobuf[2],iobuf[1],iobuf[0]);
+
+ /* now lets walk looking for HTC mac in the first reserved blocks of NAND */
+ /* NUM_PROTECTED_BLOCKS=0x212 but Parttiontable starts at 0x219 */
+ /* I think 400 is ok, I have already eliminated 0 - 157 with false positive */
+ /* If my guess is correct, only 505 will match ;-) */
+ for (i=158; i<0x219; i++) {
+ for (j=0; j<64; j++) {
+ addr = ((loff_t) i*0x20000 + j*2048);
+ ret = msm_nand_read_oob(mtd, addr, &ops);
+
+ if (ret == -EUCLEAN)
+ ret = 0;
+ if (ret || ops.retlen != 2048 ) {
+ printk("%s: error: read(%d) failed at %#llx\n",__func__,ops.retlen, addr);
+ break;
+ }
+ /* check */
+ for (k=0; k<2045; k++) {
+ if (is_htc_mac( (iobuf[k+0]<<16) + (iobuf[k+1]<<8) + iobuf[k+2])) {
+ printk("Mac candidate at block:%d page:%d offset:%d:\n",i,j,k);
+ k >>= 4;
+ k <<= 4;
+ print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, &iobuf[k], 16);
+ k += 16;
+ }
+ }
+ }/*j*/
+ }/*i*/
+ ret = 0;
+out:
+ kfree(iobuf);
+ if (ret)
+ printk("Find MAc Error %d occurred\n", ret);
+ return;
+}
+
/**
* msm_nand_scan - [msm_nand Interface] Scan for the msm_nand device
* @param mtd MTD device structure
@@ -1992,6 +2102,8 @@ int msm_nand_scan(struct mtd_info *mtd, int maxchips)
/* msm_nand_unlock_all(mtd); */
/* return this->scan_bbt(mtd); */
+ scanmac(mtd);
+
#if VERBOSE
for (i=0;i<nand_info->block_count;i++)
my findings are on five HD2 are:
Frk
Mac candidate at block:505 page:0 offset:40:
00000000: 00 00 00 00 30 00 00 00 38 e7 d8 e6 38 fc 00 00 ....0...8...8...
Mac candidate at block:505 page:6 offset:3:
00000000: 80 1c e2 d8 e7 38 ff ff ff ff ff ff ff ff ff ff .....8..........
wifi mac 38 e7 d8 e6 38 fcunder WIMO
Bad
Mac candidate at block:505 page:0 offset:40:
00000000: 00 00 00 00 30 00 00 00 00 23 76 5d fb 08 00 00 ....0....#v]....
Mac candidate at block:505 page:6 offset:3:
00000000: df 20 74 76 23 00 ff ff ff ff ff ff ff ff ff ff . tv#...........
Frk2
Mac candidate at block:505 page:0 offset:40:
00000000: 00 00 00 00 30 00 00 00 00 23 76 d7 ea 13 00 00 ....0....#v.....
Mac candidate at block:505 page:6 offset:3:
00000000: 80 5b e5 76 23 00 ff ff ff ff ff ff ff ff ff ff .[.v#...........
Val
Mac candidate at block:505 page:0 offset:40:
00000000: 00 00 00 00 30 00 00 00 00 23 76 89 09 c0 00 00 ....0....#v.....
Mac candidate at block:505 page:6 offset:3:
00000000: 46 da 6d 76 23 00 ff ff ff ff ff ff ff ff ff ff F.mv#...........
Flo
Mac candidate at block:505 page:0 offset:40:
00000000: 00 00 00 00 30 00 00 00 00 23 76 8c a4 a6 00 00 ....0....#v.....
Mac candidate at block:505 page:6 offset:3:
00000000: 3d 48 6f 76 23 00 ff ff ff ff ff ff ff ff ff ff =Hov#...........
Flo after full task29+reinstall
Mac candidate at block:505 page:0 offset:40:
00000000: 00 00 00 00 30 00 00 00 00 23 76 8c a4 a6 00 00 ....0....#v.....
Mac candidate at block:505 page:6 offset:3:
00000000: 3d 48 6f 76 23 00 ff ff ff ff ff ff ff ff ff ff =Hov#...........
I think you nailed it,
My device's bluetooth mac id under windows: 00:23:76:78:70:78
My device's wireless mac id under windows: 00:23:76:96:1B:F9
Code:
<4>[ 1.325286] scanmac: Prefered candidate mac=00:23:76:78:70:78
<4>[ 22.797302] Mac candidate at block:505 page:0 offset:40:
<7>[ 22.797332] 00000000: 00 00 00 00 10 00 00 00 [B]00 23 76 96 1b f9[/B] 00 00
<4>[ 22.803070] Mac candidate at block:505 page:6 offset:3:
<7>[ 22.803100] 00000000: [B]78 70 78 76 23 00[/B] ff ff ff ff ff ff ff ff ff ff
Although there was another candidate,
Code:
<4>[ 24.686889] Mac candidate at block:536 page:5 offset:443:
<7>[ 24.686950] 00000000: bf 03 1e ad ba 9d 4a 6f a4 e1 89 7c 61 93 67 d9
But this one is totally wrong, block:536 is after the bootloader(clk in this case) and is part of the config table
As i said in the email, you should only scan till block 530 (0x212)
EDIT: modified your code a bit,
Code:
<4>[ 1.325347] scanmac: candidate for wifi mac=00:23:76:96:1b:f9
<4>[ 1.325622] scanmac: candidate for bluetooth mac=00:23:76:78:70:78
Code:
diff --git a/drivers/mtd/devices/htcleo_nand.c b/drivers/mtd/devices/htcleo_nand.c
index e4e347e..27aa6e8 100755
--- a/drivers/mtd/devices/htcleo_nand.c
+++ b/drivers/mtd/devices/htcleo_nand.c
@@ -1835,6 +1835,54 @@ static int param_get_page_size(char *buffer, struct kernel_param *kp)
}
module_param_call(pagesize, NULL, param_get_page_size, NULL, S_IRUGO);
+void scanmac(struct mtd_info *mtd)
+{
+ unsigned char *iobuf;
+ int ret;
+ loff_t addr;
+ struct mtd_oob_ops ops;
+
+ iobuf = kmalloc(2048/*mtd->erasesize*/, GFP_KERNEL);
+ if (!iobuf) {
+ printk("%s: error: cannot allocate memory\n",__func__);
+ return;
+ }
+
+ ops.mode = MTD_OOB_PLACE;
+ ops.len = 2048;
+ ops.datbuf = iobuf;
+ ops.ooblen = 0;
+ ops.oobbuf = NULL;
+ ops.retlen = 0;
+
+ addr = ((loff_t) 505*0x20000);
+ ret = msm_nand_read_oob(mtd, addr, &ops);
+ if (ret == -EUCLEAN)
+ ret = 0;
+ if (ret || ops.retlen != 2048 ) {
+ printk("%s: error: read(%d) failed at %#llx\n",__func__,ops.retlen, addr);
+ goto out;
+ }
+ printk("%s: candidate for wifi mac=%02x:%02x:%02x:%02x:%02x:%02x\n",__func__,
+ iobuf[40],iobuf[41],iobuf[42],iobuf[43],iobuf[44],iobuf[45]);
+
+ addr = ((loff_t) 505*0x20000 + 6*0x800);
+ ret = msm_nand_read_oob(mtd, addr, &ops);
+ if (ret == -EUCLEAN)
+ ret = 0;
+ if (ret || ops.retlen != 2048 ) {
+ printk("%s: error: read(%d) failed at %#llx\n",__func__,ops.retlen, addr);
+ goto out;
+ }
+ printk("%s: candidate for bluetooth mac=%02x:%02x:%02x:%02x:%02x:%02x\n",__func__,
+ iobuf[5],iobuf[4],iobuf[3],iobuf[2],iobuf[1],iobuf[0]);
+ ret = 0;
+out:
+ kfree(iobuf);
+ if (ret) printk("Find MAC Error %d occurred\n", ret);
+ return;
+}
+
/**
* msm_nand_scan - [msm_nand Interface] Scan for the msm_nand device
* @param mtd MTD device structure
@@ -2000,6 +2048,7 @@ int msm_nand_scan(struct mtd_info *mtd, int maxchips)
/* msm_nand_unlock_all(mtd); */
/* return this->scan_bbt(mtd); */
+ scanmac(mtd);
#if VERBOSE
for (i=0;i<nand_info->block_count;i++)
Great job.
I've implemented the mac address reading in my kernel. You can see the commit here:
https://github.com/marc1706/desire_kernel_35/commit/0b249dfba877b96fc0ebe1333738f0920b4dc7c5
edit:
My mac addresses, now both with Windows Mobile and with Android:
Code:
Wifi Mac: 00:23:76:8A:40:B9
BT Mac: 00:23:76:6E:4B:C6
well, I'l sure now that the offset [40...45] have a macaddress.
problem is how is it unique....
If you read this code you will see that when the Nand is blank, a default macaddress of 00:90:4C:C5:00:34 is created.
Code:
ROM:95043CC8 @ =============== S U B R O U T I N E =======================================
ROM:95043CC8
ROM:95043CC8 @ 1 initdata
ROM:95043CC8 @ 0 displaydata
ROM:95043CC8
ROM:95043CC8 eMapiCheckWlanDataValidity: @ CODE XREF: StartupSequence+3Cp
ROM:95043CC8 @ Emapitest:loc_9502020Cp
ROM:95043CC8 @ DATA XREF: ...
ROM:95043CC8
ROM:95043CC8 var_30 = -0x30
ROM:95043CC8 var_2C = -0x2C
ROM:95043CC8 var_28 = -0x28
ROM:95043CC8
ROM:95043CC8 STMFD SP!, {R4-R11,LR}
ROM:95043CCC SUB SP, SP, #0xC
ROM:95043CD0 MOV R4, R0
ROM:95043CD4 LDR R0, =WlanBlock
ROM:95043CD8 MOV R5, #0
ROM:95043CDC BL GetWLANblock
ROM:95043CE0 BL CheckSignature
ROM:95043CE4 LDR R7, =0xEE4329
ROM:95043CE8 MOV R6, R0
ROM:95043CEC CMP R4, #0
ROM:95043CF0 BNE _InitData
ROM:95043CF4 LDR R3, [R6]
ROM:95043CF8 CMP R3, R7
ROM:95043CFC BNE _InitData
ROM:95043D00 LDR R3, [R6,#4]
ROM:95043D04 CMP R3, #0
ROM:95043D08 BEQ _err_invalid_update
ROM:95043D0C LDR R3, [R6,#8]
ROM:95043D10 CMP R3, #0
ROM:95043D14 BEQ _err_invalid_update
ROM:95043D18 LDR R2, [R6,#0xC]
ROM:95043D1C CMP R2, #0x7C0
ROM:95043D20 BLS loc_95043D30
ROM:95043D24
ROM:95043D24 _err_invalid_body_size: @ "[eMapiCheckWlanDataValidity] Invalid bo"...
ROM:95043D24 LDR R0, =aEmapicheckwlan
ROM:95043D28 BL print
ROM:95043D2C B _end
ROM:95043D30 @ ---------------------------------------------------------------------------
ROM:95043D30
ROM:95043D30 loc_95043D30: @ CODE XREF: eMapiCheckWlanDataValidity+58j
ROM:95043D30 AND R3, R2, #3
ROM:95043D34 SUB R3, R2, R3
ROM:95043D38 ADD R1, R3, #4
ROM:95043D3C MOV R2, #0
ROM:95043D40 ADD R0, R6, #0x40
ROM:95043D44 BL GetRamCrc
ROM:95043D48 LDR R3, [R6,#0x10]
ROM:95043D4C CMP R0, R3
ROM:95043D50 BEQ _DisplayData
ROM:95043D54
ROM:95043D54 _err_checsum_invalid: @ "[eMapiCheckWlanDataValidity] CheckSum e"...
ROM:95043D54 LDR R0, =aEmapicheckwl_0
ROM:95043D58 BL print
ROM:95043D5C B _end
ROM:95043D60 @ ---------------------------------------------------------------------------
ROM:95043D60
ROM:95043D60 _DisplayData: @ CODE XREF: eMapiCheckWlanDataValidity+88j
ROM:95043D60 LDR R0, =aWlanDataHeader @ "Wlan data header ++++++++++++++++++++\n"
ROM:95043D64 BL print
ROM:95043D68 LDR R1, [R6]
ROM:95043D6C LDR R0, =aSignature0xX @ "Signature : 0x%x\n"
ROM:95043D70 BL printf
ROM:95043D74 LDR R1, [R6,#4]
ROM:95043D78 LDR R0, =aUpdatestatus0x @ "UpdateStatus : 0x%x\n"
ROM:95043D7C BL printf
ROM:95043D80 LDR R1, [R6,#8]
ROM:95043D84 LDR R0, =aUpdatecount0xX @ "UpdateCount : 0x%x\n"
ROM:95043D88 BL printf
ROM:95043D8C LDR R1, [R6,#0xC]
ROM:95043D90 LDR R0, =aBodylength0xX @ "BodyLength : 0x%x\n"
ROM:95043D94 BL printf
ROM:95043D98 LDR R1, [R6,#0x10]
ROM:95043D9C LDR R0, =aBodycrc0xX @ "BodyCRC : 0x%x\n"
ROM:95043DA0 BL printf
ROM:95043DA4 LDR R1, [R6,#0x14]
ROM:95043DA8 LDR R0, =aAdieid00xX @ "aDieId(0) : 0x%x\n"
ROM:95043DAC BL printf
ROM:95043DB0 LDR R1, [R6,#0x18]
ROM:95043DB4 LDR R0, =aAdieid10xX @ "aDieId(1) : 0x%x\n"
ROM:95043DB8 BL printf
ROM:95043DBC LDR R1, [R6,#0x1C]
ROM:95043DC0 LDR R0, =aAdieid20xX @ "aDieId(2) : 0x%x\n"
ROM:95043DC4 BL printf
ROM:95043DC8 LDR R1, [R6,#0x20]
ROM:95043DCC LDR R0, =aAdieid30xX @ "aDieId(3) : 0x%x\n"
ROM:95043DD0 BL printf
ROM:95043DD4 LDR R1, [R6,#0x24]
ROM:95043DD8 LDR R0, =aCountryid0xX @ "countryID : 0x%x\n"
ROM:95043DDC BL printf
ROM:95043DE0 LDRB LR, [R6,#45]
ROM:95043DE4 LDRB R4, [R6,#44]
ROM:95043DE8 LDRB R5, [R6,#43]
ROM:95043DEC LDRB R3, [R6,#42]
ROM:95043DF0 LDRB R2, [R6,#41]
ROM:95043DF4 LDRB R1, [R6,#40]
ROM:95043DF8 LDR R0, =aMacBBBBBB @ "MAC= %B %B %B %B %B %B\r\n "
ROM:95043DFC STR LR, [SP,#0x30+var_28]
ROM:95043E00 STR R4, [SP,#0x30+var_2C]
ROM:95043E04 STR R5, [SP,#0x30+var_30]
ROM:95043E08 BL printf
ROM:95043E0C LDR R0, =aWlanDataHead_0 @ "Wlan data header ----------------------"...
ROM:95043E10
ROM:95043E10 _ok: @ CODE XREF: eMapiCheckWlanDataValidity+1F4j
ROM:95043E10 BL print
ROM:95043E14 MOV R5, #1
ROM:95043E18 B _end
ROM:95043E1C @ ---------------------------------------------------------------------------
ROM:95043E1C
ROM:95043E1C _err_invalid_update: @ CODE XREF: eMapiCheckWlanDataValidity+40j
ROM:95043E1C @ eMapiCheckWlanDataValidity+4Cj
ROM:95043E1C LDR R0, =aEmapicheckwl_1 @ "[eMapiCheckWlanDataValidity] Invalid up"...
ROM:95043E20 BL print
ROM:95043E24 B _end
ROM:95043E28 @ ---------------------------------------------------------------------------
ROM:95043E28
ROM:95043E28 _InitData: @ CODE XREF: eMapiCheckWlanDataValidity+28j
ROM:95043E28 @ eMapiCheckWlanDataValidity+34j
ROM:95043E28 MOV R2, #0x800 @ Count
ROM:95043E2C MOV R1, #0 @ char
ROM:95043E30 MOV R0, R6 @ int
ROM:95043E34 BL fillchar
ROM:95043E38
ROM:95043E38
ROM:95043E38 MOV R3, #0x238
ROM:95043E3C LDR R1, =unk_97901318
ROM:95043E40 ORR R3, R3, #2
ROM:95043E44 MOV R5, #0x10
ROM:95043E48 MOV R8, #0x90 @ '�'
ROM:95043E4C MOV R9, #0x4C @ 'L'
ROM:95043E50 MOV R10, #0xC5 @ '+'
ROM:95043E54 MOV R11, #0x34 @ '4'
ROM:95043E58 MOV LR, #1
ROM:95043E5C MOV R4, #0
ROM:95043E60 MOV R2, R3
ROM:95043E64 ADD R0, R6, #0x40
ROM:95043E68 STMIA R6, {R7,LR}
ROM:95043E6C STR LR, [R6,#8]
ROM:95043E70 STR R3, [R6,#0xC]
ROM:95043E74 STR R5, [R6,#0x24]
ROM:95043E78 STRB R4, [R6,#0x28]
ROM:95043E7C STRB R8, [R6,#0x29]
ROM:95043E80 STRB R9, [R6,#0x2A]
ROM:95043E84 STRB R10, [R6,#0x2B]
ROM:95043E88 STRB R4, [R6,#0x2C]
ROM:95043E8C STRB R11, [R6,#0x2D]
ROM:95043E90 BL memcpy
ROM:95043E94 MOV R2, #0
ROM:95043E98 MOV R1, #0x23C
ROM:95043E9C ADD R0, R6, #0x40
ROM:95043EA0 BL GetRamCrc
ROM:95043EA4 MOV R3, R0
ROM:95043EA8 MOV R0, R6
ROM:95043EAC STR R3, [R6,#0x10]
ROM:95043EB0 BL callNAND_WriteConfig
ROM:95043EB4 CMP R0, #0
ROM:95043EB8 LDRNE R0, =aInitializeWlan @ "Initialize wlan data success\n"
ROM:95043EBC BNE _ok
ROM:95043EC0
ROM:95043EC0 _err_init_failed: @ "Initialize wlan data fail\n\n"
ROM:95043EC0 LDR R0, =aInitializeWl_0
ROM:95043EC4 BL print
ROM:95043EC8 MOV R5, #0
ROM:95043ECC
ROM:95043ECC _end: @ CODE XREF: eMapiCheckWlanDataValidity+64j
ROM:95043ECC @ eMapiCheckWlanDataValidity+94j ...
ROM:95043ECC MOV R0, R5
ROM:95043ED0 ADD SP, SP, #0xC
ROM:95043ED4 LDMFD SP!, {R4-R11,LR}
ROM:95043ED8 BX LR
Is that from a ROM? If yes then I'm guessing that it maybe creates a "default" mac before the actual mac address is parsed from SPL.
I've done a task29 and installed a (close to) stock windows mobile ROM before checking my real wifi and bt mac addresses.
And they are the same as the ones this code returns.
marc1706 said:
Is that from a ROM? If yes then I'm guessing that it maybe creates a "default" mac before the actual mac address is parsed from SPL.
I've done a task29 and installed a (close to) stock windows mobile ROM before checking my real wifi and bt mac addresses.
And they are the same as the ones this code returns.
Click to expand...
Click to collapse
It is from SPL, But since nand config data is never erased and is written in factory, i think it should be fine using this as a source, since we know there weren't any mac collisions under windows mobile as far as i know.
Add another htc-hd2 I got
Directly installed with Tytung kernel hwa v2.3 (jun 2012), macaddress:
wifi : 00:23:76:89:1F:B2
bluetooth : 00:23:76:6D:E3:FF
are unique :angel:
Franck
Franck78 said:
Add another htc-hd2 I got
Directly installed with Tytung kernel hwa v2.3 (jun 2012), macaddress:
wifi : 00:23:76:89:1F:B2
bluetooth : 00:23:76:6D:E3:FF
are unique :angel:
Franck
Click to expand...
Click to collapse
I've confirmed this fix with 4 different HD2 devices - all are unique, and show the same MAC from WinMo65 Thanks a ton for your work!!!
I'm completely new to the world of kernel building and everything. So after weeks of googling, reading, modifying, etc, I've managed to get the stock kernel of SM-G360T1. Now I've been looking on overclocking the kernel and am under the assumption that kernel max and min freq are in drivers/cpufreq/cpufreq_limit.c with it being defined on line 117. Am I correct in assuming that this is the correct one/area to modify or am I completely wrong. If so, guide me in the right direction.
Code:
struct cpufreq_limit_hmp hmp_param = {
.little_cpu_start = 4,
.little_cpu_end = 7,
.big_cpu_start = 0,
.big_cpu_end = 3,
.big_min_freq = 1036800,
.big_max_freq = 1497600,
.little_min_freq = 200000, // 400000 Khz
.little_max_freq = 556800, // 1113600 Khz
.little_min_lock = 400000, // 800000 Khz
.little_divider = 2,
.hmp_boost_type = 1,
.hmp_boost_active = 0,
};
Hiya
I recently tried to unbrick my G6 plus again and got more progress than I ever had. I found a blankflash from a post on XDA here but I get a "no response" error when I run it. I've ran it 3 times now and each time I've gotten the same error. Now I'm no expert by any means so I don't know if this is just the end of the line for me or if this can be saved. Here's the last log entry It's pretty big but just in case I'll provide everything.
**** Log buffer [000001] 2022-08-16_23:27:40 ****
[ 0.000] Opening device: \\.\COM4
[ 0.002] Detecting device
[ 0.004] ...cpu.id = 172 (0xac)
[ 0.004] ...cpu.sn = 768239553 (0x2dca67c1)
[ 0.005] Opening singleimage
[ 0.005] Loading package
[ 0.007] ...filename = pkg.xml
[ 0.008] Loading programmer
[ 0.008] ...filename = programmer.elf
[ 0.008] Sending programmer
[ 0.198] Handling things over to programmer
[ 0.199] Identifying CPU version
[ 0.199] Waiting for firehose to get ready
[ 61.296] Waiting for firehose to get ready
[122.365] ...SDM630 unknown
[122.365] Determining target secure state
[122.365] Waiting for firehose to get ready
[183.395] ...secure = no
[183.416] Initializing storage
[183.417] Waiting for firehose to get ready
[244.490] Configuring device...
[244.491] Waiting for firehose to get ready
[305.510] Waiting for firehose to get ready
[366.600] Waiting for firehose to get ready
[427.591] Waiting for firehose to get ready
[488.603] Initializing storage
[488.605] Waiting for firehose to get ready
[549.662] Configuring device...
[549.664] Waiting for firehose to get ready
[610.782] Waiting for firehose to get ready
[671.804] Waiting for firehose to get ready
[732.820] Waiting for firehose to get ready
[793.914] Waiting for firehose to get ready
[854.953] Configuring device...
[854.954] Waiting for firehose to get ready
[916.014] Waiting for firehose to get ready
[977.064] Waiting for firehose to get ready
[1038.161] Waiting for firehose to get ready
[1099.235] ERROR: do_package()->do_recipe()->do_configure()->fh_send()->get_fh()->no response
[1099.235] Check qboot_log.txt for more details
[1099.236] Total time: 1099.237s
[1099.237] There were some hiccups in backup and restore.
[1099.237] Please save the following files and see a Bootloader member.
[1099.237] 1) ./qboot_log.txt
[1099.238] 2) ./backup_0x2DCA67C1_2022-08-16_233043.img
[1099.238]
[1099.239]
[1099.239] qboot version 3.86
[1099.239]
[1099.239] DEVICE {
[1099.239] name = "\\.\COM4",
[1099.239] flags = "0x64",
[1099.239] addr = "0x62FD54",
[1099.239] sahara.current_mode = "0",
[1099.239] api.buffer = "0x286F020",
[1099.239] cpu.serial = "768239553",
[1099.239] cpu.id = "172",
[1099.239] cpu.sv_sbl = "1",
[1099.239] cpu.name = "SDM630",
[1099.239] storage.type = "eMMC",
[1099.239] sahara.programmer = "programmer.elf",
[1099.239] module.firehose = "0x1FEA50",
[1099.239] cpu.ver = "0",
[1099.239] cpu.vername = "unknown",
[1099.239] api.bnr = "0x27A7F28",
[1099.239] }
[1099.239]
[1099.239]
[1099.239] Backup & Restore {
[1099.239] num_entries = 32,
[1099.239] restoring = "false",
[1099.239] restore_error = "not started",
[1099.239] entries[00] = { skipped = 0, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="cid"},
[1099.239] entries[01] = { skipped = 0, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="frp"},
[1099.239] entries[02] = { skipped = 0, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="hw"},
[1099.239] entries[03] = { skipped = 0, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="misc"},
[1099.239] entries[04] = { skipped = 0, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="persist"},
[1099.239] entries[05] = { skipped = 0, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="utags"},
[1099.239] entries[06] = { skipped = 0, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="devinfo"},
[1099.239] entries[07] = { skipped = 0, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="sp"},
[1099.239] entries[08] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="abl_a"},
[1099.239] entries[09] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="cmnlib_a"},
[1099.239] entries[10] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="cmnlib64_a"},
[1099.239] entries[11] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="devcfg_a"},
[1099.239] entries[12] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="hyp_a"},
[1099.239] entries[13] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="keymaster_a"},
[1099.239] entries[14] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="storsec_a"},
[1099.239] entries[15] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="tz_a"},
[1099.239] entries[16] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="rpm_a"},
[1099.239] entries[17] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="pmic_a"},
[1099.239] entries[18] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="prov_a"},
[1099.239] entries[19] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="xbl_a"},
[1099.239] entries[20] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="abl_b"},
[1099.239] entries[21] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="cmnlib_b"},
[1099.239] entries[22] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="cmnlib64_b"},
[1099.239] entries[23] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="devcfg_b"},
[1099.239] entries[24] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="hyp_b"},
[1099.239] entries[25] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="keymaster_b"},
[1099.239] entries[26] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="storsec_b"},
[1099.239] entries[27] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="tz_b"},
[1099.239] entries[28] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="rpm_b"},
[1099.239] entries[29] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="pmic_b"},
[1099.239] entries[30] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="prov_b"},
[1099.239] entries[31] = { skipped = 1, backup_tried = 0, backup_failed = 0, restore_tried = 0, restore_failed = 0, name ="xbl_b"},
[1099.239] simg = {
[1099.239] filename = "backup_0x2DCA67C1_2022-08-16_233043.img",
[1099.239] entries[00] = { size = 606912, name = "programmer.elf" },
[1099.239] }
[1099.239] }
[1099.239]
Now, to give you a little bit of background info, I didn't try to root my device or anything One day it just simply rebooted itself when it was just lying on my desk next to me being idle (or whatever android does when it's idling) and it kept rebooting, Every time it restarted and got into android it froze after 10 seconds or so and just rebooted again, until at some point it didn't boot anymore at all. At that point I tried messing with the fastboot menu (I think it's called, volume down + lock) but I couldn't do anything there. After trying that a couple times it just refused to get into that many and now won't turn on anymore at all. It did still show up on my PC as QUSB_BULK, and now after installing the Qloader thing it shows up as qualcom something with no driver errors (I disabled test singing in Windows). But now as mentioned, the blankflash runs for over 1000 seconds and then givers me the no response error. I've attached the latest backup it tried to make just in case that gives any info. Again I'm no expert so I don't know if this can be saved or not. It's not my main phone or anything, it already died in like 2019 or early 2020 or so.
If anyone can offer any help that would be greatly appreciated!
Thanks!