QMAT - QC Mobile Analysis Tool
What is it ?
It is a development and debugging tool for Qualcomm mobiles - the only tool you'll ever need for research and development.
Who may need it ?
Mobile engineers / reverse engineers / cryptanalysts / forensics
Crypto Functions :
- Calculate CRC-30, CRC-32, SHA1, SHA2 (SHA224 + SHA256), MD4 and MD5 of any file
- Bruteforce bytes to fit CRC-30 needed when qcsblhd_cfgdata.mbn was edited
- Decrypt and Encrypt any RSA-Message, including ASN.1 / SHA Signatures. (you can add public keys to publickeys.xml)
- Calculate TEA/XTEA/DES/RSA in various modes (ECD,CBC,OFC, etc..)
- Generate RSA Private Key and create .pvk files
- Check firmware signature given Modulus and Exponent (for HTC and BQS mobiles)
- Extract information from .pvk files
- Search for algorithms in binary files (find cryptomethods + signatures) CRC8, CRC16, CRC32, MD4, MD5, SHARK, HAVAL, GZIP, ZIP, SHA1, ... and much more (you can add cryptosignatures to crypto.xml)
- Search for qc standard functions in binary files
JTAG Interface :
(soon via Segger J-Link)
Functions for QC mobiles :
1. Load binary files for :
Extraction of certificates
Extraction of BMPs,GIFs,PNGs, JPGs
2. Load Partition File to get overview about NAND/NOR structure
3. Send any String to a COM/USB Port and backup all your SMS !
4. Make usage of QCs Diag USB/COM Port Interface
(Useful for any QC mobile in the world)
5. Find SP and SPC and several other codes
6. CDMA Parameter Editor
Standard Features :
- Send standard diag commands or any hexadecimal command you want (database included)
- Read out all NVItems (range given)
(all that exist, more than QPST normally extracts)
- Backup and Restore all NVItems
- Read out and Dump Firmware in Memory (SRam)
- Read out complete EFS
- Switch to FTM Mode (or anything else you want)
- Get infos about phone, codes ..... etc ..... a lot more functions
- Generate SimSecure Command to write to SimSecure using given file (may brick your phone when used without knowledge)
- Full Feature EFS Browser
Bootloader / DownloadMode Features :
- Load any file to mobile at any address and execute (bootloader f.e.)
- Read out complete NAND Memory using bootloader (range given) with included MSM6250/A bootloader or any given bootloader
Usage : Take out battery, put in battery, press ON # to enter emergency mode, Execute Loader
or (with SL91,SF71 f.e.) enable FTM mode, Execute Loader
- Use any Download Mode or Bootloader Command to experiment
- Read application memory of newer Diag Ver 6 in Download Mode
- Show complete infos about used NAND after loading of Bootloader
Flasher Features :
Flash any QC mobile (OBL Multiboot) with given bootloader
- Flash PBL (dangerous), QCSBL, QCSBL Header and Config Bits, Partition, OEMSBL, OEMSBL Header, AMSS, AMSS Header and EFS
Functions for BQS only :
1. Load AMSS to extract files or useful infos
(EF81, E81C, EF91, SXG75, EF82, SF71, SL91 or similar ones)
Features :
Extract Infos from AMSS : USBID, Product.Nr., SVN, SwBuild, Mobiletype
Extract internal filesystem (mif,bar,sig etc. files)
Extract AMSS signature bytes (if production key)
Show all file references used by mobile
2. Check Firmware validity (signature)
3. Sim_Secure extraction/decryption (non-public)
4. Master-/Usercode/Unlock extraction and direct unlock (non-public)
Functions for HTC only :
1. Check validity of HTC firmware (signature check)
2. Cut out signatures from .nbh file
3. Split radio.nb into qualcomm files for analysis
4. Find HTC Public keys using Cryptosearch
5. Generate Security passwords (SPL + radio) for newer HTC
6. Generate NBH Files (you can add any device into devlist.xml)
7. Dump Files from NBH (you can add any type into nbhtype.xml)
8. Fix radio.nb checksum
9. Generic Bootloader / AT Command interface with logging functions
10. Generate goldcard for older and newer htc devices (newer one non-public)
Functions for Network Engineers - registered version
Network Calculators :
TDMA (GSM/UMTS) :
--------------------
IMEI
GSM A5-1
GSM A5-2
GSM A5-3
3G ECSD
GEA3 - GPRS
3G SNOW
3G UEA2
3G UIA2
GSM A3/A8 COMP128 V1
GSM A3/A8 COMP128 V2
GSM A3/A8 COMP128 V3
3G Milenage
3G Milenage Resync
CDMA :
-------
CAVE
CAVE Authentication
CAVE CMEA
CAVE EMEA
CAVE EMEA_NF
CAVE Wireless Residential Extension
CAVE Datakey / Look Up Table / Mask
CAVE DTC / DCCH
CAVE KSG
CAVE Long Block
CAVE Short Block
CAVE Enhanced Message
CAVE Enhanced Voice Privacy
CAVE Enhanced Data Mask
and much more ....
Planned in future :
1. Bugfixes
2. EFS Restore to Zip File
3. QC Jtag interface using Segger J-Link ARM
4. LNBS HTC support to replace MTTY
5. Tooltips showing real addresses in graphical window
6. CDMA Write functions
7. Read out / Write back Addressbook
8. Restore backed-up SMS to phone
9. much much more
NO UNLOCKING ! PLEASE DO NOT REQUEST. THIS PROJECT IS FOR EDUCATIONAL PURPOSES ONLY, NOT TO HARM COMPANIES FOR THEIR EFFORTS.
What we need :
- Any contribution to the project is welcome.
- Donations for new hardware and software for further development of this tool.
Link to the project files :
------------------------
Version 4.21 (Major Release) Stable
QMAT Homepage
Cya and keep on reversing,
Viper BJK
==> Donate via PayPal <==
See older threads here :
http://forum.xda-developers.com/showthread.php?p=2519683
Small update :
--------------
New version 4.22 will feature :
- DECT DSAA algorithm
- OTA SMS Tools
Cya,
Viper BJK
New version 4.22 out
--------------------
What's new :
-------------
- Added DECT DSAA Algorithm to Network Calculators
- Fixed Bug in Security Password Retrieval
Cya,
Viper BJK
I am going to implement Jtag to QMAT, so we need Beta Testers.
Are you :
1. Using Segger J-Link ARM or any clone (H-Link, JT-Link, etc..) ?
2. Experienced in Jtagging ?
3. Have a phone ready to jtag using a MSM Chipset (jtag pinouts etc. available) ?
Then join the QMAT Jtag beta team, mail your JTAG serial number to [email protected].
Cya,
Viper BJK
Small update :
--------------
Right now we're doing a lot of bugfixes regarding spc / sp and usercode search, but also a lot of bugfixes for efs read. EFS read will now be done fully automatically. Of course, we take bugs seriously, and due to official support of the LG KS20 in the next QMAT release, we are also fixing all those nasty timeouts that messed up some extracted data.
So right now, it's bugfixing weeks. After that we will continue on jtag interface and all other feature requests you brave people sent us.
Cya,
Viper BJK
What about KU990 (which has MSM6280)?
I guess KU990 will also be fine
But I can only give official support for ks20, as it's the only lg mobile I got here to work with.
Cya,
Viper BJK
Right now we're doing some beta testing of QMAT 4.23.
After all issues are fixed, there will be another great release including a lot of improvements and features.
Cya,
Viper BJK
New version 4.23 out
--------------------
What's new :
-------------
- Complete Com Rewrite, fixing timeout issues
- Read Memory in Download Mode / Display Memory Partitions in Download Mode (even ones other tools cannot download )
- Find SP password in non standard QC AMSS Firmware
- CRC30 bugfixes
- Added SP function detection
- Automatic EFS read size detection
- Usercode search / Advanced SPC search
- Official LG KS20 support
- Load QC Bootloader in HEX and get address automatically
- EFS Backup to ZIP bugfixes
- EFS Read Factory Fixes
- Bootloader NAND read bugfixes
- a lot more ...
Cya,
Viper BJK
Small update on progress :
--------------------------
"Uhoh ... bad things happen and sometimes the world isn't perfect."
This message is intended for those who work with QC EFS and QMAT.
Several ways to read out EFS exist. And the one from QMAT wasn't perfect at all. Sometimes, sniffing usb data gets you nowhere ... we had to act professionally. In fact, after some heavy research and reversing of firmware, I can now confirm that there is not only "ONE" EFS read at all.
So the next version to be released will hopefully introduce two-way-efs for efs explorer to be used with all known qc types. And of course I had to write a lot of fixes for efs RAW/Factory read that I didn't know about before ....
Expect the next version 4.24 to be not only a lot more stable than all versions before ... but will also feature REAL efs dump
Cya,
Viper BJK
Small update :
--------------
Boys and girls,
version 4.24 will be really new. I rewrote complete com/usb port stack and added a lot of new features, like a new command database, gui improvements, efs generic and subsystem browsing, safe factory efs, new bootloader interface, etc....
Trust me, this version will fix a lot of crashes and hangs
To prevent any bugs still being in it, we're doing severe bugtesting right now.
Cya,
Viper BJK
As we wish to make a good working and much better QMAT,
we start a Beta Tester Program.
What advantages do you get :
- Be the first to get unofficial versions
- Be productive and make QMAT more user-friendly
- Get a discount on special modules
- Get your phone working with QMAT
- Increase your knowledge regarding qc technology
Why it is important for us :
- Make more phones work with QMAT
- Fix any existing bug and make QMAT more stable
If you're interested, please write a PM to me, with subject "QMAT Beta Tester" and a short introduction of yourself
(where you are from, if you are a user / programmer / reverse engineer, why you want to be a beta tester, what phones with qc chipsets you have to test)
Thanks,
Viper BJK
QMAT Beta Tester
I saw it in the original forum, and to start, I'm from Bulgaria (South-Eastern Europe), interested mostly in replacing/messing around with LG's AMSS system. The bootloaders will be great, but I'm a realist so the illusions are out. I have a KU990; I'm not a real reverse engineer, but I know basic stuff (I was developing in PHP for about a year) about how the system works.
Well the more beta testers we have, the better
Small update :
--------------
Version 4.24 is almost done and about to be released at the end of the week approximately. It seems it is a lot more stable and works way better than any qmat version ever before.
Finally, we were able to reverse whole EFS read, add a new alternate EFS factory read for newer MSM >8xxx, add EFS Browsing not only for generic devices but also for devices with only subsys ... and of course added features like rename directory / change modes.
Also we did some gui changes for easy recognition of diag commands.
You can now even cancel running diag processes ! *thanks to adfree for the hint*
So expect Version 4.24 to bring you great new features and more stability
Cya,
Viper BJK
New version 4.24 out !
---------------------
What's new :
-------------
-Severe Com Port fixes
-EFS alternate read for newer MSM to be released
-GUI changes - EFS Browsing
-Severe bugfixes thanks to beta testing team
-Factory EFS read
-Improved speed of Usercode/SPC search (by 0x1000)
-Button to stop current com port function
Cya,
Viper BJK
New version 4.25 out !
----------------------
What's new ?
-------------
-EFS Browse Bugfixes
-PRL Read/Write
-GUI Improvements
-Bootloader Bugfixes
-SimSecure Bugfixes
-Byte Cutter Bugfixes
-Cmd Byte for different NVItem Read
-Signature Search / SP / SPC Search improved
-EFS Raw Read Fixes
-Added option to add vendor specific commands
-Added support for newer Samsung CDMA
-Added ECC Calculation (Hamming, Toshiba, Reed Solomon)
Cya,
Viper BJK
New version 4.26 out !
----------------------
What's new ?
-------------
- Added new goldcard generation to registered users
- Implemented new registration scheme
- Added rudimentary IDC Script generation for IDA with Function/Algorithm Search (put in output directory as results.idc)
- Function/Algorithm Search is now able to use "??" instead of "FF" as wildcards in .xml files function.xml and crypto.xml
- Added new ECC algorithms
- Several bugfixes
Cya,
Viper BJK
New version 4.27 out
............................
What's new ?
-------------
- Fixed QMAT not starting on several PCs.
Cya,
Viper BJK
New version 4.28 out
.............................
What's new ?
-------------
- JTAG fixes
- Fixed encap files speed
- CID is now called Country ID (GUI improvement)
- New functions added to function-database
Cya,
Viper BJK
Important: The codes below are not for noobs. If you by chance brick your phone, I am in no way responsible. You can regain your firmware by flashing it to the phone. That is no problem.
Note / P.S.: All the codes can be entered using the dialer. The code will be executed after you enter the last # (i.e. if you just enter the codes below, it will execute them without permission).
*2767*3855#
Think twice before you use this code. It is a Factory reset code. This will wipe off all your data, be it in the internal memory or the external memory. I advise you people to use this code with the External SD card and the SIM removed.
Once you have entered this code, There is no way you can stop it.
*#197328640# - This code is used to enter the Service mode. You can change settings here and run some tests. Any changes except for the camera part will not crash your FW.
*#0228#- This code gives you information about your phone battery.
*#7465625#- This code can be used to check the status of SIM lock, Network LOCK,etc.
Codes to get Firmware Version Information
*#4986*2650468# - SW Version, HW Version, MP, RF Cal Date, CSC Version, CSC Model Spec, FFS Version, RC2 Version
*#1234# - SW Version and CSC Version
*#1111# - FTA SW Version
*#2222# - FTA HW Version
Wi-Fi and Bluetooth testing codes
*#526# - Wi-Fi Manual MFG Test Mode
*#232337# - BT RF Test Mode
Code to launch various factory tests
*#0*# - LCD test
*#0673# OR *#0289# - Melody test
*#0842# - Vibration test
*#2663# OR *#2664# - TM Command
*#4097*4097# - GPS menu
*#272*time* - csc pre configuration
example *#272*1423* ( if the time is 14:23)
*#0002*28346# - Another service menu
*#0228#- Battery test
*#232337#- Bluetooth addrs
*#5239870*# - Admin settings
*#66225*# Motion Calibration
PS- Many users have complained that the motion sensor calibration code is resulting in the incorrect functioning of the Accelerometer. If you encounter such a problem or if you want to use the Motion sensor Calibration code, Please be sure to place the phone on a flat surface and wait for about a minute!
And tell me how you like it!
Nice post. The code for the battery is very helpful, since I cannot find an app that displays the percentage, like in android.
.. Settings - About your phone (or Info .. I don't know how it is written in English) - System Info - Battery ...
Ya.. but i don't think it is so informative..As mentioned, it is like the battery info on Android Settings...!!
*#0*# = full test menu
*#272*time* = csc pre configuration
example *#272*1423* ( if the time is 14:23)
roxyroot said:
> Ya.. but i don't think it is so informative..As mentioned, it is like the battery info on Android Settings...!!
What do you mean? It shows me about 73% and bada under settings tells me 74%, maybe it's rounded up...
And what is the real data? Bat RAW SOC or BAT adjusted SOC?
Thx to op for this thread...
Very useful, thanks!
Don't forget the gps menu -
*#4097*4097#
edit : this does not work in BADA 2.0.1
The bada 2.0 equivalent is *#3214789650# (for versions prior to PKH2 this needs the phone in MID debug level)
Samuel Sung said:
> What do you mean? It shows me about 73% and bada under settings tells me 74%, maybe it's rounded up...
> And what is the real data? Bat RAW SOC or BAT adjusted SOC?
> Thx to op for this thread...
adjusted SOC
duxxyuk said:
> Don't forget the gps menu -
> *#4097*4097#
Man! Thanks for reminding! I wrote it down..But forgot to put it on!
Heh, if you want to live dangerously (newbies - stay WELL CLEAR) it's possible with certain firmwares to unlock the master debug mode :
Unlock debug by dialing *#33284*# then choosing mid or high. The phone will then reboot.
It is now possible to dial up the debug menu by dialing *#7092463*#
Do be aware that the debug modes will slow down your phone as this activates a second serial port to which loads of information is being dumped... It's been very useful for the bootloader work.
All the best ~D
i didn't know that! ( It is not the Nat Geo show!)
*#66225*# Motion Calibration
Woah, that's the one that had me RE-calibrating my phone whilst holding it at 45° to the right with the top touching the floor and the bottom about 2 cm off the floor.
If your accelerometer works... DON'T fix it
^
just put the phone on a flat surface then calibrate it
This doesn't work at all times if the sensor itself is not placed properly in the device. I too had to calibrate it with the phone at odd angles to perfect the sensor. Now the accelerometer works absolutely fine.
After changing files with sTune should I send *2767*3855# for factory reset? Is this correct? Thanks!
Thanks man! You rock! Wanted some of these!!
@Gremo What files are you changing and why? If you want the hard reset, just go to the dialer and type "*2767*3855#", it will conduct the reset automatically!
@dancegirl You are welcome!
Hi all, most of the known Bada 2.0 Mobile Codes are invalid on 8600
If anyone knows some for S8600, pls post.
It could be helpful for owners of this device.
Thanks
*#197328640# should run
*#7092463*# seems to run without higher Debug Level than Low
Otherwise *#33284*# for Debug Level change...
More for advanced users, but the same as S8500/S8530 use. So take a look here first:
http://forum.xda-developers.com/showthread.php?t=1154945
Best Regards
adfree said:
> *#197328640# should run Does not work
> *#7092463*# seems to run without higher Debug Level than Low
Did not try the others when I try the Wave III.
> *#197328640# should run Does not work
Please see here:
http://forum.xda-developers.com/showpost.php?p=19687534&postcount=22
Okidoki...
Maybe we should write which Firmware Version we have tried...
Maybe there are big differences between prototype Firmware... and now Retail...
Thanx in advance.
Maybe also useful, write Codes which do not work on your S8600... So other S8600 users can confirm or not...
Maybe again protected by Debug Level... like Internal Menu... *#709blabla...
Best Regards
These codes are working:
*#0228#- Battery test
*#272*time* - csc pre configuration
example *#272*1423* ( if the time is 14:23)
*#0*# - LCD test
*#526# - Wi-Fi Manual MFG Test Mode
*#1234# - SW Version and CSC Version
*#7465625#- This code can be used to check the status of SIM lock, Network LOCK,etc.
RIFF JTAG BOX to Unlock / Unbrick Samsung ZTE Huawei & HTC Phones.
+ Samsung i717 / i727 / i9210 Galaxy Note 4G Jtag Jig
Description:
RIFF Box JTAG is a repair solution providing unique scripting support and IDA real time debugging via GDB Server. RIFF Box JTAG is a high quality hardware with the Resurrection feature allowing for one-click repair.
http://www.ebay.com/itm/RIFF-BOX-JTAG-HTC-Samsung-ZTE-Huawei-Unlock-Unbrick-Repair-Resurrection-I717-Jig-/330880913292?pt=LH_DefaultDomain_0&hash=item4d0a0a0f8c
Features
RIFF JTAG Features
by admin on Jul.05, 2010, under Features
RIFF JTAG firmware supports following features at the moment:
•ARM7/ARM9/ARM11 PXA3xx, PXA270 cores support;
•Multiple devices on JTAG chain are supported, thus TAP number selection is available;
•Any custom voltage level selection from range ~1.4V to 3.3V
•TCK/Adaptive clocking selection
•Halt core (NRST is not changed)
•Reset core (NRST is applied before halt)
•Direct Read memory (by 8/16/32-bit bytes/half-words/words)
•Direct Write memory (by 8/16/32-bit bytes/half-words/words)
•Access to the control registers of ARM core (coprocessor 15)
•Program code breakpoints
•Run core
•Custom scripting and DCC loader support (trace32 compatible)
•Custom GDB Server Available
This is the list of some available RIFF JTAG Resurrectors DLL-s , which You can use for one click dead boot repair.
***List will be updated with new releases, and this is only small part of models we will add.
Samsung Phones :
•Samsung_B7330.dll
•Samsung_C5510.dll
•Samsung_F500_mdm.dll
•Samsung_G810_mdm.dll
•Samsung_G810_PDA.dll
•Samsung_i450_mdm.dll
•Samsung_i450_PDA.dll
•Samsung_i550_mdm.dll
•Samsung_i550_PDA.dll
•Samsung_i710.dll
•Samsung_i740_PDA.dll
•Samsung_i8910_mdm.dll
•Samsung_i8910_PDA.dll
•Samsung_i900_mdm.dll
•Samsung_i900_PDA.dll
•Samsung_M7600.dll
•Samsung_S3310.dll
•Samsung_S5230.dll
•Samsung_S5600.dll
•Samsung_S7070.dll
•Samsung_S7350.dll
•Samsung_S7350i.dll
•Samsung_S8000.dll
•Samsung_S8300.dll
•Samsung_T919.dll
•Samsung_U700.dll
•Samsung_U900V.dll
ZTE Modems:
•ZTE_MF622.dll
•ZTE_MF626.dll
DAEWOO GPS Device :
•Daewoo_DPN3500.dll
HUAWEI Modems:
•Huawei_E1550.dll
ETEN Communicator:
•Eten_X800.dll
*** List has been updated. Please visit http://www.jtagbox.com/ for more supported devices.
Excellent info, thanks friend...
I have developed a Language and Media Editor for MT6261 and MT6260 based Smartwatches
Program Features:
Supporting MT6260 to MT6261A Baseband
Edit Languages
Supporting Crypted Language Packs
Online Translation
Export and Import Dictionary
Create Custom Dictionary
Change Images and Sound Files
Supporting all MIF Versions and Packs
I am searching Beta Testers.
Everybody who is interested please contact me: [email protected]
Thanks
What Links?
Hey, I want to develop a complete ROM along with some better features, let me know if your environment works well.
SmartChinaRes
Hi,
Yes my solution is working well. What do you want to change in Firmware.
Send me your Firmware or Link to Download
Thanks
OXA
can i test it ?
---------- Post added at 10:28 PM ---------- Previous post was at 10:27 PM ----------
oxatools said:
> I have developed a Language and Media Editor for MT6261 and MT6260 based Smartwatches
> Program Features:
> Supporting MT6260 to MT6261A Baseband
> Edit Languages
> Supporting Crypted Language Packs
> Online Translation
> Export and Import Dictionary
> Create Custom Dictionary
> Change Images and Sound Files
> Supporting all MIF Versions and Packs
> I am searching Beta Testers.
> Everybody who is interested please contact me: [email protected]
> Thanks
can i test it ?
Send it to me so I can test it
Send it to me so I can test it
Can you give it for free
can i get download of this software for free
i wont distribute it
This is truly awesome!
Is the knowledge you earned available somewhere or just in your code? I'm excited with RE-ing MTK incl. 2502 though didn't do much myself.
Excellent! I've got Xiaomi Mi Bunny Watch Q - and struggling with its firmware - already managed to edit MCC/MNC and activate it outside mainland China with ANY cellular operator (with 2G support)
But still have some problems - biggest is Chinese time on watch screen. Less important are Chinese voice prompts ("calling to grandmother" / "father is calling to you" / "successful internet connection")
My fullflash is attached! If you can - please share your tool with me - would like to sniff through my firmware and try to modify it
Thank you!
mt6261_apn list editing
the time or and time_zone in watch is set in mvram_ef_chache_byte_lid
Hi i can be a beta tester of your program
My profile 4pda: http://4pda.ru/forum/index.php?showuser=2249797
No_Russian_Translate.zip - HONGYU60M_BT_11B_PCB01_GSM_MT6260_S00.MX6-60D-3029TN-YDT-DC0821-ZH-V06_637-20180728
With_Russian_Translate.zip - HONGYU60M_BT_11B_PCB01_GSM_MT6260_S00.MX7-COB-DZ09-9307BOE-QCY-DC0821-HYBR-V01_537-20180926
Hello,
This is good news that you implemented this tool.
Could I try it to do some changes on my smartwatch?
Could you send me it in MP?
Thanks a lot,
Helium45b
I hope OP is still reading this thread. In any case I will tag oxatools. I found out my DZ09 watch is SPD. I see mocor and spd6531 to be exact. How? when I plug it in turned on, there is a third option - pc connecting. The other 2 options were udisk and charging. When I click pc connecting there was a pop up that said it needs to install serial scsi drivers. And then finally I see ports in device manager. they are
SPRD SMCC AT interface1 com4
SPRD SMCC AT interface2 com7
SPRD DIAG com3
I have been using the flash tool for this smartwatch but nothing is happening. Can you tell me how to use your tool for this watch? I would like to see if it has wifi or gps and also add video capability and voice commands. Yeah sure. But you never know your tool might do all those in this $10 watch. LOL.
This is the third thread I posted this on. All I need is guidance what is the proper tool to use for this SPRD watch?
This is what I see on *#3646633#
software platform version - mocor_12c
HW version - sc6531_bar
chip type - sc6531
actually there is a lot of list option on this code. I see
IQ mode
Para set
App set
Like over 10 option list and when you click those options there's a lot of sub menus too.
asianbyuti said:
> I hope OP is still reading this thread. In any case I will tag oxatools. I found out my DZ09 watch is SPD. I see mocor and spd6531 to be exact. How? when I plug it in turned on, there is a third option - pc connecting. The other 2 options were udisk and charging. When I click pc connecting there was a pop up that said it needs to install serial scsi drivers. And then finally I see ports in device manager. they are
> SPRD SMCC AT interface1 com4
> SPRD SMCC AT interface2 com7
> SPRD DIAG com3
> I have been using the flash tool for this smartwatch but nothing is happening. Can you tell me how to use your tool for this watch? I would like to see if it has wifi or gps and also add video capability and voice commands. Yeah sure. But you never know your tool might do all those in this $10 watch. LOL.
> This is the third thread I posted this on. All I need is guidance what is the proper tool to use for this SPRD watch?
Hi,
Sorry my tool is only working with Mediatek MT6260 and MT6261 Chips not with Spreadtrum
Did you try with this flashtool versions?
https://spdflashtool.com/
OXA
Oh thanks. Ok I will look into it.
Testing
Hello! How can I participate in testing your program? I would like to fix in my device the translation of some items, creating inconvenience in the work. None of the tools found on the network work with my phone's firmware files correctly. Perhaps the program developed by You will appear in paid access?
https //yadi.sk/d/3gFYGtEXKMnFbQ
Hi,
My Program is not for sale, sorry. Too much work inside.
Here comes the Resources of your firmware
Download-Link
https://we.tl/t-AHRETIoTuS
if you want to change any of them please tell me
For better working with firmware can you send me a fullflash backup
Thanks
OXA
Hello! Thank you for responding. I replaced the main menu icons in "resources", I will be grateful if you embed them in the firmware. But it would be more interesting and useful to change the translation of some menu items, because the translated names simply do not fit on the screen and it is not clear what you do when you click. Is it possible to carry out such a thing?
https //yadi.sk/d/o_nuCxWdM0zbwg
Hi,
I'm interested in adding Hebrew fonts to Q50 (G36S) watch so that it can display messages I send in Hebrew.
Is it possible?