S720 ESN Read Write method - Upgrading, Modifying and Unlocking

S720 / HTC LIBRA / HTC 5800 / Fusion / Boss
I'm happy to hear that somebody is working on a hard SPL for the HTC S720. Here's the deal, I really want to change the ESN in this phone but I realized that for now it's not possible.
It's an MSM7500.
**I've tried QPST but version 2.7 only supports the MSM6500.
**I've tried QXDM 3.9.19 and still can't write the new ESN. It says read only.
_________________________
How do I make it not read only?
Could I use any kind of reader/writer to change the info directly on the chip?
-----------------------------
**CDMA Workshop 2.7: all kinds of ESN write don't work.
-----So, two options left:
1- either I desolder the ESN chip and change it for a new one (to be honest, I haven't discovered yet if the ESN is inside the MSM or on a different chip). If it is on a different chip it's a bit of a pain in the butt to do, but it's still an option.
2 - I want to try shadowmite's method for writing the ESN into a PPC6800. Again it needs to be done at a high level via MTTY.
Concerning MTTY, I cannot run commands because I can't put the phone on the bootloader screen.
I will try to run RUU, which will put the phone in the bootloader screen, and then try mtty.
I tried the method of using RUU to get into the bootloader and then running MTTY, but it doesn't work... I get the error "Unable to load USB port".
Any suggestion...? Or any help I could bring to create this hard spl?
And please, anybody that is gonna tell me that it's illegal to do and that is gonna write me the FBI phone number it's fine, just pass to the next thread!
I'd be more than happy to help anybody with what I can.

Related

Bootloader dead / Recovered

Hi,
I made a mistake flashing a QTEK S200 with the wrong file.
The bootloader was modified. The device cannot start at all.
It cannot even get to the bootloader screen (red-green-blue).
As a consequence, no USB connection can be established.
What is the solution? I guess the utilities cannot be used, because they assume a connection over USB, but there is no connection.
Not a big deal, because it was not working well anyway, but it would be interesting to know a solution in this case. Many ppl. would be happy to know how to manage this situation, I guess.
later.
Not very good news, the service center said they don't know how to fix it, but kept the device to try a few things with it.
Clearly, the bootloader was overwritten.
Will see. Somehow they managed to identify which type of ROM is installed from i-mate.
So, think before you do any flashing.
re: another service said they will do whatever is needed, up to replacing the flash chip. I am not ready to go that far yet.
feel like i am missing something
It appears to be a real problem with the flash.
No connection to the computer over USB.
With the power supply connected, the blue-green-?? screen comes up, but I cannot connect to the PC of course.
With the USB cable connected, the blue-green-?? screen does not come up.
I figured out that pins 4 and 5 are shorted when the power supply is connected. I did this with the USB connection to the PC, but it still did not connect.
For sure, USB is not functioning on the device.
Will get a new device, but I am very interested in how to repair this one. I disassembled it completely. There is no way to replace the flash chip at home, you need specific equipment and the chip, of course.
What I need is a circuit diagram for the S200 or similar, particularly the part of the diagram related to the flash; the radio module is not needed. Is there any possibility to get it? If I have it, I think I can reprogram the chip.
Thanks.
Hm. It looks extremely difficult to get the pin layout on the motherboard.
JTAG is the only solution left to access the chips directly. But we need to know where the JTAG pins are on the motherboard.
Recovered S200.
Finally very good news!
The Prophet S200 was successfully recovered with the help of Arc.
He managed to discover the JTAG pins, and afterwards re-flashed the SPL and ROM.
REALLY GOOD JOB!
Want to say a special THANKS to Arc!!!
The device is alive again.
Until next experiment....
But procedure to recover is in place.
Regards,
fdp24
i have a dead one too
Hi there,
I have a dead one too, can you tell me how to fix it please?
dead, as in my PPC K-Jam is dead
Basically it hung up and I soft reset it, then tried a hard reset. It didn't help either. I tried restoring to factory default and the same thing, it hangs up. Now it doesn't show any signs of life. I lost my life, my buddy.
My Orange SPV M2000 will not start anymore after an update. I only see Serial (on top)............ V2.07 (underneath)
I tried to update my ORANGE SPV M2000 to T-Mobile's newest ROM by extracting the .exe file and using maUpdateut. It started well and all of a sudden gave the error "country code................"
You will not be able to fix it yourself.
Equipment and the phone are required physically in order to connect the JTAG interface and re-flash the DOC.
Sorry, but this is the only solution if your bootloader is damaged.
Of course, you can try to ship it to a service center. If you are lucky they will replace your device. This might be simpler.
Good luck.
fdp24 said:
You will not be able to fix it yourself.
Equipment and the phone are required physically in order to connect the JTAG interface and re-flash the DOC.
Sorry, but this is the only solution if your bootloader is damaged.
Of course, you can try to ship it to a service center. If you are lucky they will replace your device. This might be simpler.
Good luck.
I know how to open the device and solder some wires to test points. Do you have any information on where the pins are located, and what software and what JTAG adapter you used? I really need to get my phone working again. It was quite expensive to purchase and to ship to my country. Please don't destroy my hope.
hello friends,
my cousin recently bought an O2 XDA (Wallaby) cheap. I checked the device and it seems it can't boot to Windows, but if I hard reset it comes up red, green, blue, and if I press OK it comes up with tests. I'm confused because all the tests are OK. Can you all tell me how to repair the phone and what the problem is?
thank you
dead device hope on the horizon
Note: my device and troubles are on the XDA2.
Hi - I have had exactly the same issue. I have managed to reload the ROM I was trying to swap, and here is what I did.... It took ages and lots of patience and it is not an exact work of science, but if you try my method two or three times it actually comes back to life... honest!!
Download an XDA2i (yes, XDA2i) ROM and extract it using WinRAR or zip on your PC. Place the dead XDA2 into the cradle regardless of what's on screen and run himupgradenoid. The ROM will run and start to load onto your device; it will fail. Once it has failed, remove the XDA but do not reset. Take a copy of the original ROM which was on the device prior to your failed upgrade and extract it as above. Replace the XDA into the cradle; it might be detected or not, don't worry. Run the himupgradeut from your previous working ROM and wait. It takes ages to connect, but eventually, hey presto... you will have a working device. I know 'cos I've done it!!!
I have not resolved all my problems yet. I still want to load the latest O2 ROM, but even after entering the correct device data into the NBFs using the batch file method, the device crashes saying incorrect country ID. I accidentally created my problems by running the wrong upgrade ROM and I guess it changed something on my device ("country code"). However, when I use the method above to get the original ROM in place and working, when I extract the device data into the Windows folder on the device I still see WWE (world wide English). So I am still in a pickle. Can anyone help me?
hello
I'm working on the project of flashing the bootloader into a totally erased and dead phone. Can you send us the test points for the Prophet please? And if you know their location on a WIZARD. Thank you..
Somebody here please tell me what software to use with JTAG to recover the bootloader!!!!!!!!!!!!!
Get the JTAG pins for me, I will send you the software.
Wizard and Charmer pins are both needed.
Hi, I've successfully wrecked my Blueangel PH20B by flashing a modded WM6 Universal ROM... I've got all the hardware and software to resurrect the phone, but not the JTAG pins on the BA PCB...
Can someone give me a hint where I may find them? (I'm not wanting to bake the PCB as I know I'll wreck it completely.)
thanks in advance,
mario
Same problem here
Hi,
I believe I'm having the same problem
Please help me
Thanks a million
So can you help me? I need to write the Wizard (G4) bootloader, or tell me how I can do this.
T-Mobile USA SDA II
Me also, I'm in need of re-writing the bootloader of a T-Mobile USA SDA II.
Well, OK, I understand that you can get Jflash_mm working with PXA systems; you can write the definition for yourself, as for the CPU.
But I have serious doubts that inspire me to suggest you will have a tiny chance to actually program a DiskOnChip Millennium series (or similar) chip used in many platforms (actually I believe most HTC devices).
After all, this means that if you are not working for (or in affiliation or partnership with) SanDisk, you are not in a position to program the bootloader of (not limited to) UNIVERSAL, WIZARD, PROPHET, and CHARMER (and if I remember well, BLUEANGEL and HIMALAYA) devices over JTAG.
any news............

CDMA???!!!

I've googled for hours for this. I am looking to get the MSL/'unlock code'/SPC for my CDMA blueangel. I have not found the answer anywhere. Does anyone have any pointers for me in unlocking an HTC CDMA phone?
Any help will be SO greatly appreciated.
You can use this app (you need to run the 2003 version of the .exe). It will take your ESN HEX as input (use capital letters) and will produce your MSL (not OTKSL). This app works for all HTC CDMA phones: Harrier (CDMA Blue Angel), Apache, and Titan.
It was created by a guy named isosdcftp over at ppcgeeks.com. Here is a link to the thread in case you're interested (primarily concerns the titan/mogul though):
http://forum.ppcgeeks.com/showthread.php?t=5531
Also keep in mind some carriers use 000000 for the MSL. If neither that nor the code produced by GetSPC work, then perhaps the particular carrier who sold your phone used their own MSL algorithm (possible but unlikely).
Doesn't work.. I'm with Telecom New Zealand if that's any help.
Can you be more specific? Does the app run and produce an invalid MSL or can you not even get the app to run? If you want to PM me with your ESN HEX I will generate it on my end and PM it back to you to confirm.
I have a Sprint-branded Harrier (I'm in the US) and GetSPC spit out the correct MSL for me, but maybe TNZ programs in their own MSL instead of using the HTC default. In that case not much you can do unless you get the phone into DIAG mode and see if bitpim can read it.
Sorry man. It generates a MSL, but when I go into the pst (##778+talk) I enter it and it barks at me 'Your unlock code is not correct!'. I will pm you with my ESN.
And how would I put it into diag mode? I am fluent with bitpim and linux etc. but I can't figure out how to put it in diag mode.
If there's any more help from anyone it would be VERY greatly appreciated.
tatotato said:
Sorry man. It generates a MSL, but when I go into the pst (##778+talk) I enter it and it barks at me 'Your unlock code is not correct!'. I will pm you with my ESN.
And how would I put it into diag mode? I am fluent with bitpim and linux etc. but I can't figure out how to put it in diag mode.
If there's any more help from anyone it would be VERY greatly appreciated.
Put the phone in diag mode with ##DIAG send or ##3424 + send, then install the serial driver for the new hardware (you can google for the driver). Then check the modem COM port under Modem in Device Manager, and set the same COM port for BitPim using "other CDMA phones", then check NVM 000 or 001 and you should see the 6 digit SPC. Or, once you know the virtual serial port allocated to the modem, you may use other tools to check the SPC.
Lets see how it goes,..
bR
Doesn't work, when I go ##DIAG+talk it just calls the number.
Please help to unlock my ZTE EV-DO modem s/n 412823812444.
I am getting "phone does not accept SPC" in CDMA Workshop. Thanks.

Creating HardSPL for HTC5800/S720/LIBRA

Alright,
I notice this phone gets very little attention by the community, however, I like the phone, form factor, etc..
I am looking to "cook" my own HardSPL for this phone. Other providers now support GPS, EVDO RevA, Win Mobile 6.1, and I'm still stuck in what I feel is the ice age..
Please note that any instructions with a prompt are to be done in DOS..
So far, I have done the following to extract the SPL:
1) Download HTC update for phone and extract using appropriate zip program
2) c:\>NBHextract RUU_***.nbh
This should leave you with a slew of .nb files - one will be named XX_SPL.nb
Now, to disassemble this SPL, you can either go straight to IDA PRO or take an intermediate step using dumprom. dumprom creates a pe.exe and handles the offsets for you, so it puts you a step ahead, IMO.
1) c:\>mkdir SPLDISASM
2) c:\>dumprom -5 -d SPLDISASM XX_SPL.nb
Now, in the SPLDISASM folder, you should have an exe file that you can now open in IDA PRO.
Now, here's where it is starting to get foggy for me. I followed the same process to dump the stock SPL and the HardSPL from a Hermes phone and I am in the process of hand tracing and hand comparing it to see how SuperCID/Write protection/Protected FF writes is implemented in the HardSPL - hoping that I can port the differences to my phone.
So, I pose the following to the experts:
1) In order to test my HardSPL once it is complete, can I run it as a SSPL and load a new ruu as a test - or will that mean certain death to my device?
2) Now that I'm this far into the code, I've come to realize that reassembling the code will be a lot of pain. Do you guys disassemble/assemble, or do you just hand edit in a hex editor?
3) Any suggestions to look out for, any ideas, etc?
Let me finish with a few disclaimers
1) To the experts: I have no intention of reverse engineering the HardSPL codebase - if I do use any of the code I have found, I will be sure to give props to the people involved and ask for permission before distributing. I am not looking to profit or scam or steal ideas, I am simply looking at how to make my phone better.
2) To the beggars: I have nothing to release at this time, this is all vaporware, I don't know when it will be done, I don't even know if it's do-able. I'm just trying ATM.
3) To the beginners: any or all of the advice above can probably wreck your device. This is by no way a means to unlock your phone, it's just my thought stream as I take what I believe are the preliminary steps to make my Libra the phone it's meant to be.
desquirr decompiler
I am now using the desquirr decompiler plugin for IDA PRO - it's dumping the subroutines into rudimentary C code.
I am now far closer to understanding what it is my device does; as well as understanding some of the hardspl code.
I recommend this tool if you are also SPL "cooking"
More Progress!
No Replies yet? Man, this is starting to feel like a blog..
Okay, I have managed to dump my Libra SPL, and I have disassembled it, and I have also decompiled it - Well, partially.
All the subfunctions are now represented in C - it's not particularly the most efficient C code I've ever seen, but it's readable. You'll get the hang of it and start to notice the FOR loops, IF/ELSE, WHILE structures.. Multiple return values.. etc.. etc.
I have decided to attach the Stock Libra SPL - I am hoping that I can eventually turn this into a tutorial to build your own custom SPLs for devices that aren't supported by the general community (note, this is high risk stuff..)
Hopefully this will serve as a reference to the community as I progress.
I do hope I get a little feedback too. If I'm going down the wrong path in terms of my approach, or for sharing this project with the community, it would be good to know.
Once again, small disclaimer - this file will not do anything for your phone as of yet.. Just a development step.. (I hope...)
MegaHambone said:
1) In order to test my HardSPL once it is complete, can I run it as a SSPL and load a new ruu as a test - or will that mean certain death to my device?
The hard part is to make a patched SPL run as Soft SPL from within OS.
You can try pof's JumpSPL and/or Haret to start your SPL, however I'm not sure these will run on smartphone platform at all. If not, JumpSPL source code should be available, so you can try to figure it out.
Be sure you don't overwrite your stock SPL or radio when flashing a custom ROM with RUU, this is the best way to brick it!
Unless you really can't go without flashing a HardSPL, IMO it's safer to keep the stock SPL flashed for recovery purposes.
HardSpl to add new commands
I'm happy to hear that somebody is working on a hard SPL for the HTC S720. Here's the deal, I really want to change the ESN in this phone but I realized that for now it's not possible.
It's an MSM7500.
**I've tried QPST but version 2.7 only supports the MSM6500.
**I've tried QXDM 3.9.19 and still can't write the new ESN. It says read only.
_________________________
How do I make it not read only?
Could I use any kind of reader/writer to change the info directly on the chip?
-----------------------------
**CDMA Workshop 2.7: all kinds of ESN write don't work.
-----So, two options left:
1- either I desolder the ESN chip and change it for a new one (to be honest, I haven't discovered yet if the ESN is inside the MSM or on a different chip). If it is on a different chip it's a bit of a pain in the butt to do, but it's still an option.
2 - I want to try shadowmite's method for writing the ESN into a PPC6800. Again it needs to be done at a high level via MTTY.
Concerning MTTY, I cannot run commands because I can't put the phone on the bootloader screen.
I will try to run RUU, which will put the phone in the bootloader screen, and then try mtty.
If this fails, I guess my only hope will be a hard SPL.
I guess I've said a ton of things that are gonna make me look like a newbie (which I am in programming).
Any suggestion...? Or any help I could bring to create this hard SPL?
I am using an HTC S720 in India. Currently I am using Windows Mobile 6. Is it possible to make it work with Windows Mobile 6.1? The Telus ROM for the HTC S720 is already available.
HardSPL for HTC5800/S720/LIBRA
I am currently trying to create a HardSPL for this phone and am having a hard time. I really need a solution for this and if anyone can create a HardSPL the company I work for is willing to pay a reward.
Why not try to get a goldcard for it. Try asking at http://psas.revskills.de/ or, if you know anyone with an axebox, I think they do goldcards.

diamond stuck by htc debug tools

1. Run Debug Tool
2. Set [5]Debug flags to '435' as 0b110110011
3. Set [8]Radio Flags to '1795' as 0b11100000011
According to the help, it enables "Enable ATCMD Log", "Enable RIL Ioctl Log","MARM use UART","MARM use USB","MARM use SD", I don't know their meanings.
4. Reset device
Then my Diamond got stuck on the bootloader screen. I reflashed the ROM and it doesn't help. I am sure at least the HardSPL works.
Can anyone help to unbrick it?
I'll repeat the same here as on MSN so it's useful for others maybe:
If you don't know the meanings, why are you playing? I know you have the MFG SPL, so a warning here: if anyone wants to play like this, make sure you have the MFG SPL installed first, because then it is easy to fix the problem. (Non-MFG SPL: still possible to fix, but then you'd have to flash a file via the lnbs command, a bit more painful.)
Basically, you have to set the flags back to get the OS booting; in the MFG SPL, using mtty or qmat, simply send the following command: eraseconfig
PS: "MARM use USB","MARM use SD" -> these two are not a problem, one of the rest is what ****ted OS (not sure which). and, when you set marm use USB / SD, windows mobile will not have access to them (but SPL will), so that is kind of pointless.
thanks a lot to cmonex.
I found I am not the first one to play too much with the HTC debug tools.
Here is another thread with a similar problem that was solved by cmonex too..
http://forum.xda-developers.com/showthread.php?p=2852488
I've been on this board a few years now and I have never even heard of htc debug tools. I also don't know its purpose so I wouldn't play with it, period.
I made a big mistake,
2. Set [5]Debug flags to '435' as Wrong: 0b110110011 Right: 0b10000110101
3. Set [8]Radio Flags to '1795' as Wrong: 0b11100000011 Right: 0b1011110010101
The field in the debug tools is interpreted as hex format.
BTW, I confirmed "MARM use UART" (Radio Flags set to 1xx) may stick the mobile.
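The correction above comes down to one fact: the Debug Tool reads each field as hex, so '435' and '1795' set very different bits than their decimal readings would. The following added example (not part of the thread or of any HTC tool) shows both readings side by side, lists which bit positions each value actually sets, and checks the radio flag bit that the poster reports sticking the device; the assumption that bit 8 (mask 0x100, the "1xx" pattern) is the "MARM use UART" bit is taken from that report only.

```python
"""Re-read HTC Debug Tool flag fields as hex instead of decimal.

Constructed example, not HTC code: it reproduces the mistake in the
thread above, where '435' and '1795' were assumed to be decimal but
the tool stored them as hex.
"""


def interpret_field(text: str) -> dict:
    """Return both readings of a flag field: as decimal and as hex.

    The thread's conclusion is that the tool reads the field as hex,
    so the 'hex' reading is the one the device actually received.
    """
    as_decimal = int(text, 10)
    as_hex = int(text, 16)
    return {
        "decimal": as_decimal,
        "decimal_bin": bin(as_decimal),
        "hex": as_hex,
        "hex_bin": bin(as_hex),
    }


def set_bits(value: int) -> list:
    """List the bit positions (LSB = 0) that are set in value."""
    return [i for i in range(value.bit_length()) if (value >> i) & 1]


# Assumed from the poster's report that Radio Flags of the form 0x1xx
# stuck the device: bit 8 (mask 0x100) is treated as "MARM use UART".
RADIO_UART_BIT = 8


def radio_flags_risky(text: str) -> bool:
    """True when the hex reading of the Radio Flags field has bit 8 set."""
    return bool(int(text, 16) & (1 << RADIO_UART_BIT))


if __name__ == "__main__":
    for field in ("435", "1795"):
        r = interpret_field(field)
        print(field, "decimal ->", r["decimal_bin"], "hex ->", r["hex_bin"])
        print("   bits set as hex:", set_bits(r["hex"]))
    print("Radio Flags '1795' sets bit 8:", radio_flags_risky("1795"))
```

Reading the field as hex before sending it is the check that would have caught the problem: '1795' as hex sets bit 8, while the intended decimal value does not.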

Newbie questions: GoldCard, Unlocking, Turning off security ?

Hi,
I'll only get my first Android phone (HTC Desire) in a few days, so I'm fairly new to this, and have a few questions:
What does a GoldCard do? Does it only disable the CID check, or also the signature check, or more? And if it also disables the signature check, isn't it enough to root the phone (just make a system image that contains the su utility)?
About unlocking : I've seen that other HTC phones can be unlocked by sending an [email protected] command to the radio from the SPL. What prevents us to do the same on the Nexus and Desire? My guess here would be the lack of a physical serial port on these devices ... and this is my next question.
Does someone have info about possible access to a serial debug port on the Nexus and Desire?
About the security: I've had a quick look at the SPL, and it seems that the security byte is located in memory right after the IMEI and CID. So my guess is that the security is also controlled by the IPL & radio chip. And in the SPL, there is a reference to an [email protected] command ... I haven't looked deeper, but my guess is as good as yours
About the SPL: I think I have found a few interesting things:
- among the different modes (RUU, Fastboot, hboot ...), there is one called SIMLOCK, which seems to read the SD card, and uses the different files it contains to update the phone (MCC & MNC, IMEI, cid.txt ...). I think it might be used to send AT commands to the radio chip, to update that info, or am I wrong?
- there seems to be one function that reads the security byte and check if its LSB is equal to 0, at offset 0xFC080 of what might be a SRAM. We could just replace the body of this function by a "MOV R0, #0", to bypass the security check, and have the SPL behave as if security were off. But then, the signature check would fail, wouldn't it? Or could a GoldCard prevent this signature check?
So in the end, if I got it right, I think there would be at least two ways to disable security on both the Nexus and Desire, given that their "logic architecture" (hardware, firmware, memory map ...) is extremely similar :
1/ find the serial debug port on the device, send the correct AT commands to the radio chip, that would make it flip to security=off.
2/ use an exploit to gain root privileges from android userland, then write a patched SPL to the correct /dev/mtdblock device with security check disabled. SPL should then behave as if security were off.
3/ maybe disassemble a bit more of this SD card update mode and learn how to craft one that would turn security off. My latest guess is that this mode might for instance take the content of "cid.txt", prepend "[email protected]=" to it, and send the whole string as a command to the radio chip. But I'm not sure yet if a security update is possible in this mode.
Also, for reference : when using a debugger/disassembler, the SPL should be loaded at 0x8E000000, and the entry point is at offset 0x1000. I haven't looked at the IPL/radio yet, any hints ?
So, do you have any (helpful) thoughts about this, or am I completely wrong ?
Edit: Ok, it seems to work now, I modified the above message. Please ignore (or delete, if you can) this post.
Please note that the "(AT)" in the above post should be replaced by the "@" sign. Seems I need a moderator to validate my account.
pipomolo42 said:
Does someone have info about possible access to a serial debug port on the Nexus and Desire?
It seems I haven't searched well enough, as access to the Nexus serial port is described here: http://forum.xda-developers.com/showthread.php?t=625434
I just eBayed a CP2102 board, and I'll try it when I get my Desire.
