WINCE 5 PNA unlock - MD5 hash for multiple files - Windows Mobile Software Development

I want to unlock my PNA GPS device – Alpine PND-K3. It’s a WinCE 5 device, and it runs only one application – PocketMap Navigator- from 4GB internal flash.
My goal is to reach WinCE Desktop. I tried different combinations of hardware buttons – no luck.
It does not start any application from SD card, I tried all possible unlockers.
ActiveSync does not see the device.
But the device exposes 2 USB mass storage drives (100MB each) when connected via USB to a PC. The first drive contains a PC application, which downloads and unzips the update file to the second drive. Then the PC application asks to disconnect USB, the device sees the update and updates itself. The PC application (the updater) is a very simple .NET app and Reflector did not reveal anything useful – it just downloads and unzips.
Here is the structure of update:
K3\chain.bin
K3\chain.lst
K3\EBOOT.nb0
K3\NK.bin
K3\TINYNK.bin
LITEON\CK5052_ROMRAM_RLS_PARROT.plf
$FileList.txt
$md5.bin
AlpineTool.exe
Interop.Shell32.dll
Navi090428.CAB
PND-K3manual.pdf
VERSIONS.txt
Everything under the K3 folder is the WinCE update, Liteon – Bluetooth, Navi090428.CAB – PocketMap update, AlpineTool.exe, Interop.Shell32.dll – the update app, which runs under PC.
My idea is to modify Navi090428.CAB to replace the PocketMap executable with explorer.exe or something, but the update fails, and the main reason, I believe, is the MD5 checksum.
There is a 16-byte file – $md5.bin. Here is the content – >о?д?ДД¤■Н♣K♂mа▼, HEX view – 3E EE 9C E4 9D C4 C4 A4 16 CD 05 4B 0B 6D E0 1F. Probably the HEX view represents the real MD5 – am I right?
I used the original update, but modified the $md5.bin file and it failed with the same message – so the device definitely checks MD5.
That MD5 hash does not match any MD5 hashes of other files, so my assumption is it somehow represents hashes of all files. A similarly named file – $FileList.txt – contains the list of all files in the update, so it might be used in the MD5 calculation.
I checked the Internet, but all I found was hashes for each file, not for the list of files.
So my issue right now is how to calculate one 16-byte MD5 hash for a group of files. Could anybody help, please?
Thank you
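
Several common ways to derive one 16-byte MD5 from a group of files, as an added example that is not part of the original post. The device's actual scheme is not stated on this page: the four constructions, the two orderings, the one-path-per-line format of $FileList.txt and the exclusion of $md5.bin from its own input are all assumptions to be tested against the known digest.

```python
import hashlib
import sys
import tempfile
from pathlib import Path, PureWindowsPath

CHUNK = 1 << 16


def resolve(root, rel):
    """Map a backslash-separated list entry (e.g. K3\\NK.bin) to a local path."""
    return Path(root).joinpath(*PureWindowsPath(rel).parts)


def feed(h, path):
    """Stream a file into hash object h so large images need not fit in RAM."""
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h


def file_md5(path):
    return feed(hashlib.md5(), path).digest()


def md5_concat_contents(root, names):
    """A: one running MD5 over every file's bytes, in the given order."""
    h = hashlib.md5()
    for n in names:
        feed(h, resolve(root, n))
    return h.digest()


def md5_of_raw_digests(root, names):
    """B: MD5 over the concatenated 16-byte per-file digests."""
    return hashlib.md5(b"".join(file_md5(resolve(root, n)) for n in names)).digest()


def md5_of_hex_digests(root, names):
    """C: MD5 over the concatenated lowercase hex per-file digests."""
    text = "".join(file_md5(resolve(root, n)).hex() for n in names)
    return hashlib.md5(text.encode("ascii")).digest()


def md5_names_and_contents(root, names):
    """D: like A, but each listed name is hashed before that file's bytes."""
    h = hashlib.md5()
    for n in names:
        h.update(n.encode("utf-8"))
        feed(h, resolve(root, n))
    return h.digest()


SCHEMES = {
    "concat-contents": md5_concat_contents,
    "raw-digests": md5_of_raw_digests,
    "hex-digests": md5_of_hex_digests,
    "names+contents": md5_names_and_contents,
}


def read_manifest(path, exclude=("$md5.bin",)):
    """One relative path per line (assumed format); skip the digest file itself."""
    skip = {e.lower() for e in exclude}
    lines = Path(path).read_text(encoding="utf-8-sig", errors="replace").splitlines()
    names = [ln.strip() for ln in lines if ln.strip()]
    return [n for n in names if PureWindowsPath(n).name.lower() not in skip]


def matching_schemes(root, names, target):
    """Return (scheme, ordering) pairs whose digest equals the 16-byte target."""
    if len(target) != 16:
        raise ValueError("an MD5 digest is exactly 16 bytes")
    orderings = {"listed": list(names)}
    by_name = sorted(names, key=str.lower)
    if by_name != orderings["listed"]:
        orderings["sorted"] = by_name
    return [(scheme, order)
            for order, ordered in orderings.items()
            for scheme, fn in SCHEMES.items()
            if fn(root, ordered) == target]


def demo():
    """Constructed sample: two small files whose stored digest uses scheme B."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "K3").mkdir()
        (root / "K3" / "NK.bin").write_bytes(b"constructed kernel image")
        (root / "Navi.CAB").write_bytes(b"constructed cab")
        (root / "$FileList.txt").write_text("Navi.CAB\nK3\\NK.bin\n$md5.bin\n")
        names = read_manifest(root / "$FileList.txt")
        (root / "$md5.bin").write_bytes(md5_of_raw_digests(root, names))
        return matching_schemes(root, names, (root / "$md5.bin").read_bytes())


if __name__ == "__main__":
    if len(sys.argv) > 1:  # directory holding an unpacked update
        root = Path(sys.argv[1])
        names = read_manifest(root / "$FileList.txt")
        print(matching_schemes(root, names, (root / "$md5.bin").read_bytes()))
    else:
        print(demo())
```

Any of these constructions only detects corruption: a digest computed without a secret key can be recomputed by whoever knows the construction, so it does not authenticate the package.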

Please be aware that these forums are for Windows Mobile devices, not Windows CE in general.
It is unlikely that you can convert (or "unlock") your PNA into a normal Windows CE device merely by using a .cab; I recommend trying to find a similar forum for the brand of your PNA and asking on there.

Hacking the Ipaq RW6100 CDMA PPC ROM?

I have an Ipaq RW6100 which is only available in Korea.
http://www.ipaq.co.kr/product/rw6100/index.asp
It is awesome. pxa270 520 CPU, wifi, 260K LCD, Sharp 1.1 megapixel CCD Camera, 128 ROM, 64 RAM. Now running on wm2003se.
Surprisingly, the current ROM version of my Rw6100 does NOT support landscape function. u know, no landscape function certainly compromises the wifi internet browsing.
so i want 2 upgrade the rom. upgrade (the official way) is done on pc with ipaq is usb synced with desktop PC.
unfortunately, upgrade program needs to confirm the ipaq is correctly plugged with ac adapter. So it needs the original cradle, coz Rw6100 has no separate ac port. charging or usb sync is both done through the same port with different cable. Only the cradle can handle ac charging and usb sync at the same time.
I have only the usb sync cable and the ac adapter, but not the cradle. these two simply can not plug into the same port concurrently. usb sync and usb charging together can not fool the upgrade program.
Can anyone help? btw, i can not enter usb remote update mode with usual key pressing on HP PPCs. neither do i succeed running the enterbootloader.exe file and manually put the rw6100 into bootloader mode.
I have looked into the official rom. It is a 128M NBF file (coz this Ipaq has 128M ROM). If it is a usual NBF file, it is then 32 byte rom info+ROM. in theory, deleting the first 32 bytes will leave a .nb0 wince image. I have done this and leave the new nb0 file onto sd card. (I have found the sd card update method by myself)
the screen says the sd card has no rom image. Failed again. Is it because I have put no bootloader file on sd card too? Because I have no idea of where to get the bootloader file. No luck.
Email to HP Korea proves not much help.
Another reason. This PPC could not have a wince image as large as 128M. Now I have about 78m usable flash space on my current PPC. Is it because i have not successfully ripped off the right-sized wince rom?
Could anyone help rim the correct wince ROM from this 128M ROM update file? I need badly the native screen rotation function in wm2003se.
ROM update address:
http://h50177.www5.hp.com/support/FA294PA/more_info_local_19768.html
it is a 43m exe file download. running on host PC will get a 128M nbf file.
the upgrade proggie is the usual ruu.exe
btw, i have found the following bootloader info by hex editing the 128m nbf file.
enter your selection: R) View SD card
D) Download Image to SD card
L) Launch existing flash resident image now
P) Power Test
C) CPLD GPIO Set Test
W) WLAN Test
K) Flash Lock Status
F) Flash Write Test
E) Flash Erase Test
A) AC97 Test
V) View Memory
I) Download FLASH or SDRAM image through USB
8) LCD Test
USB Boot Loader Configuration:
If i can find out the way of entering it, there will be much hope of successful rom upgrading

How to modify Schaps 3.5x ROMS for BBconnect

Featuring the Master of WM6 ROMs, Mr. Schaps himself, I decided to publish this little recipe, how to patch the Schaps 3.5x ROMS to make them suitable for BB Connect.
WARNINGs:
You do, what you do at your own risk!
I will not maintain or Babysit this thread. It works for me, it may not for others!
I will not upload any patched ROMS or maintain these, because I have no time.
I provide this recipe to others, who need like me a BBconnect for job on a WM6 ROM and since Schaps ROMS seems to become a standard, here it is:
This is a recipe for users, who had BBconnect running before and have some experience. If you never run BBconnect on a WM device before, this is probably not for you to start here! Get it to work on a true Blackberry, then move to WM 5 device with a proven config; after that you might try this one.
BBconnect checks the OS version and the Device ID. In addition you need to have a Blackberry subscription, and your Provider must support BBc and your SIM card must be BB enabled. It works with a wide range of Radio Stacks. The radio stack is also NOT relevant for the BB OS check algorithm.
This patch is ONLY to 'correct' the OS version checking; it will not help for other incompatibilities!
My patch works for the HERMES 100.
I tested on Schaps 3.57a and 3.54b
I used BBconnect 4.0.0.67
To do the patch, you need:
Schaps ROM
an Archiver like WinRar or Powerarchive (tm)
A HexEditor
A Registry Editor
a cab file BBconnect 4.0.0.67
Active Synch BB connect Desktop SW 4.0.0.17
You don't need a Rom Kitchen environment; it's just adding a little bit of cracked Pepper to the perfect dishes the cook has cooked in the kitchen.
How to:
Open Schaps ROM with the Archiver (do not double click); Schaps ROM is a self extracting and running archive.
You will find 2 files in it:
Ruu_Signed.nbh
Ruuwrapper.exe
Extract Ruu_signed.nbh (leave the archiver open)
run HexEdit
Open Ruu_Signed in the HexEditor
Search the following Hex String:
30 40 2D E9 59 3E A0 E3 0D 30 83 E3 45 2F A0 E3 05 10 A0 E3 02
You should find it EXACTLY 2 times in the .nbh file. If you don't find it, or only once or more than 2 times, you can abort the process here, because something is wrong! On the other hand, if you find it also exactly 2 times in the 3.6 beta ROM, you can almost be sure that it will work as well there, but I have not tested it.
If you found it 2 times, search again from the top.
At the first occurrence change the following bytes in BOLD:
30 40 2D E9 59 3E A0 E3 0D 30 83 E3 45 2F A0 E3 05 10 A0 E3 02
as following
45 change to C3
2F change to 30
02 change to 01
Search for the 2nd occurrence and change the same bytes to the same values as above.
save (overwrite) Ruu_signed.nbh and quit Hexedit
Now replace the Ruu_signed.nbh file in the archive with the modified Ruu_signed.nbh in your directory. It may be good to check the time stamps of the files to be really sure that you will have the modified file in the archive.
Save (overwrite) Schaps ROM.exe and leave the archiver.
You can now flash your device, by double clicking on the modified Schaps Rom.exe. Follow the instructions there. I have encountered an error message at the end of the flash process, but this has no effect, the device will boot properly.
After you have configured your Hermes, check the version on the Start|settings|system|about screen.
You should see: 5.1.195...
If you don't see that, or if you see 5.2.... you did something wrong in the patch process. In that case, flash again with a ROM of your choice and forget BBconnect.
Load and execute the Registry editor onto your device.
Modify the HKLM/system/Version key
from .0.3.2 to .2.3.0 (don't forget the leading .)
Go again to the Start|settings|system|about screen.
You should see now: CE OS 5.1.195(build 17944.2.3.0)
If you don't, abort the process and re-flash with a ROM of your choice.
If you see EXACTLY this, you have successfully patched the OS to run w/ BBconnect 4.0.0.67
Load the BBC.cab to your device and install.
You'll find 2 new icons
1) in Start|settings|system BlackBerry
2) Start|settings|personal BlackBerry-Security
Run Start|settings|system BlackBerry and follow the instructions (prepare for 1st use). When it asks you which info to synchronise from PIM, leave all boxes UNchecked. Let's just try to get mail working first; you can later change to synch your cal, contacts etc.
After reset, you'll find the BB symbol :x in the tray. After a few seconds it will change to : and start to try to connect via the radio. Something should move in the Start screen top line above the Radio Strength icon.
After a while you should see the BB icon as :: Click on the symbol and go to the Identity tab. You should see there a PIN (starting amongst others w/ 6...) and moreover a valid IP address. This address is given to you from the provider network. If you don't have a PIN or IP address, it won't work for you.
If you have a PIN and an IP address, there is hope, but no confirmation, yet.
Make sure you have MS ActiveSync 4.5 properly partnered. UNcheck under Options all synch items, like mail, calendar etc.
Disconnect the Device from the Desktop after synchronisation completed.
Install the BBconnect Desktop Software and connect the device, when told so.
Follow the procedure or configuration. Eventually you will see a pop up window saying "Sending provisioning data to Handheld". After that, "Handheld configured successfully". Give it time!
Disconnect the device and it should now connect over the air interface, as following:
The device will lock and prompt you for a new passwd. (The BB security passwd). After that
you'll find the BB symbol :x in the tray. After a few seconds it will change to : and start to try to connect via the radio. Something should move in the Start screen top line above the Radio Strength icon.
After a while you should see the BB icon as :: Click on the symbol and go to the Identity tab. You should see there a PIN (starting amongst others w/ 6...) and moreover a valid IP address.
Go to the e-mail tab and you should see your e-mail address as provisioned by the Desktop Program.
The typical behavior, if your connection is REJECTED, is as following:
Click on the BBc symbol in the tray; open the Status Tab.
Stop the service
start the service again.
you'll find the BB symbol :! in the tray. After a few seconds it will change to : and start to try to connect via the radio. Something should move in the Start screen top line above the Radio Strength icon. The status line says:
Network available
Datec Tunnel Available (a fraction of a second only)
and then, instead of going to 'connected' it goes to Not Connected AND THE IDENTITY TAB SHOWS NO IP ADDRESS
In that case, your connection is refused and you can forget about it.
If connected, you are done, read the BBc manual and configure your device as needed.
BBconnect is a complex program, which needs a lot of CPU power and server/network communication. BE PATIENT! In case, wait a few seconds longer, rather than confusing everything!
Good Luck
alternatively you could just try the new BBConnect release from HTC that was posted a couple of days back on this forum
Would you please be so kind and direct me to the thread?
I was searching the forums up&down and couldn't find anything.
tonyb15re said:
alternatively you could just try the new BBConnect release from HTC that was posted a couple of days back on this forum
Yes, please use the new cab file and save yourself some work.
BBC 4.0.0.90
http://www.sendspace.com/file/38eex2

Kin 2 nvidia tegra

So I tried to flash android on to the phone using the tegra 250 images when I realized I need the apx series images for android. The thing about that is I can't find them anywhere. Anyone have any idea where a development site for the tegra apx series is? It seems Nvidia has no support for the old series anymore.
How do you upload android to the phone? What program or steps do you do? Is there a debug mode or recovery mode? I believe we have to make our own images.
I was using a program provided by nvidia for programming a tegra based development kit. It is capable of flashing android and windows ce 6. If anybody with more experience would like to take a look at the drivers images and program here are the files.
http://tegradeveloper.nvidia.com/tegra/downloads
Don't the images you are looking for have to have drivers for the hardware interfaces specific to this phone?
stetkas said:
Don't the images you are looking for have to have drivers for the hardware interfaces specific to this phone?
I wasn't exactly worried about the hardware working as much as getting android onto the tegra and viewing the os. Creating drivers is the easy part.
dezgrz said:
I wasn't exactly worried about the hardware working as much as getting android onto the tegra and viewing the os. Creating drivers is the easy part.
Do you think you could write a driver for this?
APX
USB\VID_0955&PID_7416&REV_0103
USB\VID_0955&PID_7416
This VID supposedly belongs to Nvidia. This is the device that is found by Windows if you plug your phone into the usb when it is turned off and then press the u+s+b+power buttons.
I tried the Recovery Mode, like the person described above me, and it came up with the APX device. So, if someone makes a driver for that, then we might be able to jailbreak it? (iPod Touches and iPhones jailbreak through Recovery Mode). This doesn't seem much different from an iPhone or an iPod Touch.
I found out a driver that we might be able to modify to give us access. I downloaded both the froyo and c36 downloads available from the tegra site that was mentioned earlier. http://tegradeveloper.nvidia.com/tegra/downloads
These file paths could be different if your hard drive has a different drive letter and perhaps also if you have a 64-bit processor, but I found the drivers in the following directories.
C:\Program Files\NVIDIA Corporation\tegra_froyo_20101105\usbpcdriver\NvidiaUsb.inf
C:\Program Files\NVIDIA Corporation\ce6_tegra_250_5265393\os\usbpcdriver\NvidiaUsb.inf
These drivers have the hardware ID in the inf file and so Windows recognizes it and starts to install the driver and finishes, but says there is an error. I'll keep working on it though.
So, the drivers do actually work; it was my computer that was causing the problems, not the drivers. Now that the drivers are installed I think we can use the SDKs provided by Nvidia on the Tegra download page.
If this works, we now have a serious decision to make. Do we try to get android on the phone or do we stick with the Windows CE based os?
mcdietz said:
So, the drivers do actually work; it was my computer that was causing the problems, not the drivers. Now that the drivers are installed I think we can use the SDKs provided by Nvidia on the Tegra download page.
If this works, we now have a serious decision to make. Do we try to get android on the phone or do we stick with the Windows CE based os?
Personally, I would rather stick with current OS. Just because I don't want to brick my phone. Maybe have some additions to the current OS? Enable hidden features or something? Customizations? etc?
First off, I wanted to thank everyone who is working on trying to develop an update to improve on the Kin Two. I currently am interested in getting the TWOm when my contract expires but there is a dealbreaker for me, which is that the phone does not alert you when you have a missed call. I know there are other annoying flaws (pointed out in details at the verizon forums by fisharefriends), but this is the only flaw I cannot deal with.
I do not know what is possible of being changed/edited, but I think mcdietz should focus on implementing basic functions that are currently not on the Kin Two phone, but are on other simple lower spec feature phones.
zero2duo said:
First off, I wanted to thank everyone who is working on trying to develop an update to improve on the Kin Two. I currently am interested in getting the TWOm when my contract expires but there is a dealbreaker for me, which is that the phone does not alert you when you have a missed call. I know there are other annoying flaws (pointed out in details at the verizon forums by fisharefriends), but this is the only flaw I cannot deal with.
I do not know what is possible of being changed/edited, but I think mcdietz should focus on implementing basic functions that are currently not on the Kin Two phone, but are on other simple lower spec feature phones.
Implementing missing features.. That's a good start. Also, would it be possible to make it be a USB device (so you can go into the phone and let's say.. change the default themes)?
@mcdietz
Humm, I installed all those downloads a long time ago (I guess when posted or before), but didn't test the drivers with the APX connection.
It worked with errors in the Linux connection to the USB (got device errors while reading from the USB device) and didn't work with a virtual machine (though vmware detected it).
On the other hand, it worked OK on a real win7 machine and got the driver installed.
I tried to flash android on the device, using the provided images (heh, tests...) and nvflash. But you always get an error on the first try and then, in further attempts you get a "Starting flash" message loop which does nothing.
Same results if you try to do "nvflash --get-partitions" (stuck at 2nd attempt).
You may think that it's a non-working thing, but if you don't connect the device, nvflash.exe outputs that there is no USB device connected.
A little weird...
I would want to have android on the kin (as I think that it has more future than our wince version, looking @ tegra forums) and anyway, if we can somehow read/write the phone roms, we can make a backup of the current OS.
Installed the same tools on linux (native, no emulation) and the flash option didn't work here either (normal / root user).
Code:
./nvflash --getpartitiontable test.log
outputs (if no phone connected)
Nvflash started
no usb phone found
outputs (if Kin on APX connected)
Nvflash started
rcm version 0X4
Command send failed (usb write failed)
in the first attempt. Then if called again, seems to get frozen on "Nvflash started" message.
Maybe the recovery has no way to get that data....
Windows Phone Connector?
has anyone tried using the program WP7 connector for the KIN? it works with the zune hd so why not the KIN?
Mmm just to inform....
This is what (physically) happens when the Kin is on the nvflash attempts. Phone must be just booted (not previous nvflash attempt in this boot).
Code:
PC <- Kin: 80 30 18 16 B9 E8 00 00
PC -> Kin: [1028 bytes of data]
Pc <- Kin: 04 00 00 00
PC -> Kin: [39252 bytes of data]
Seems like the response we get (rcm 0x04000000), and the next writing is done with the device autolocked, so last PC -> Kin fails.
Further attempts do not try the same procedure but directly send the last 39252 packet again, failing and getting stuck.
Using some selfmade software (cause no other works so far), i repeated the same procedure, changing the first "byte pack" to send a lame pack, and this is the output:
Code:
# ./kingateway
Opening the controller
Checking for kernel attaching
Claiming the interface
Reading from the Kin.
Received data. 8 bytes. Content:
80 30 18 16 B9 E8 00 00
Writing [02 01 00 00] to the Kin.
Reading Kin response.
Received data. 4 bytes. Content:
08 00 00 00
Writing again to the Kin
KinGATEWAY:: Error while writing to the KIN. Error Code is -9 EXITING.
So in short, fails again (haha, expected...really), but the second response from the kin is not "0400...00" but "08 00 ... 00" meaning a rcm 0x0800..000 or whatever that means.
The above error ("autolock"), tagged as Error code "9" on the program, is an integrity-defense method from the kin, not for the flashing issue but from the "command sent" over usb, which is wrong or unknown on how to operate, and is called "Endpoint Stall". It is a way to express "You're doing it wrong and I won't hear you again".
One of my ideas is that this version of nvflash is not what was used to operate with the kin and all we get are not errors or devil's corporation actions but incompatibility protections.
What we need, from my point of view is the Tegra SDK and/or a document where the responses from an APX device are listed (like 0x04000 is "wrong certificate" and 0x08000 is "certificate too short", etc), so we know what it's telling to us. Maybe it's easier to contact nVidia for "old" SDKs than roms...
I hate to be a party crasher but I think this thread needs to be bumped? Why did this thread randomly die? Maybe I'm missing something.
I believe it died because johnkussack doesn't have a working kin right now and I don't believe anyone else here wants to try things that may "brick" their phone (I'm one of them). I'm currently trying to buy another kin two (or, uh two), then I'll definitely be digging deeper into those. I may try a hardware route on one and a software route on the other.
This is definitely the most exciting thread in the kin two section of xda!
It's been a while but I now have a working KIN device and can continue my efforts. Using the resume mode command to try and force nvflash to write to the kin it displayed a message that said "writing" and then displayed "Failed to perform the following commands: create". It's been a PITA but I feel I will get something written to the device soon.
dezgrz said:
It's been a while but I now have a working KIN device and can continue my efforts. Using the resume mode command to try and force nvflash to write to the kin it displayed a message that said "writing" and then displayed "Failed to perform the following commands: create". It's been a PITA but I feel I will get something written to the device soon.
before doing what i lastly underlined, considering what i underlined first... i suggest that you do the reading part, relating to the partition listing.
Just a safe way to find out if the experiments work. Then you can write... with a bit of safety on your side. I mean... you know that testing things writing could not be the best idea on the brickings.

What we have tried and where to go from here

Ok, so we haven't had quite as much luck yet as we would have liked, but I think as we continue to try out different approaches we will have some luck. I think it might be beneficial for us to have an overview of what has been tried and what has been attempted thus far. So here is a list of things people have tried (please feel free to add anything that I may have left out or accidentally overlooked).
Registry Edit to access Zune storage
I believe this was the first approach that people took to gaining access to the KIN, and this link provides a great walkthrough.
Bitpim
This is a pretty good overview of what has been attempted through Bitpim. Recently some have even tried using some other software, namely CDMA Workshop, (Look at the last post of the page.) I would suggest that we also try a couple more:
RevSkills
UniCDMA
Nvidia Tegra Flash
I forgot this when I first posted.
OpenZDK
This was another potential since much of the hardware, namely the processor is the same on both the kin and zune.
Looking for clues in the log files
To put it simply in the hidden menu there is an option to have system logs emailed to you. I tried reading through some and noticed some of the events and files that the KIN uses, but have not had any luck yet.
FTP
This link is the same as the link for the Log Files above.
Export/Import in hidden Menu
Once again, the link used here is the same one for Log Files and FTP.
Please add anything that I may have left out, either different approaches or links to helpful information. I haven't had a chance to tinker with RevSkills too much yet, but it looks real promising.
Ah, we mods like these threads. Keep it up. Stickied.
The hidden import feature becomes active if you create a contact while using qpst. It imports but I don't know where it put that info.
Interesting to note is that None of my phone entered contacts show up in qpst.
It is like that directory is mapped to some other place.
I was able to create directories and added txt files using qpst that remain even after power cycling the phone. I haven't found any of this using the phone yet.
I am getting the same results as you when I use the EFS manager and service programming. I can create files and make changes and they last after reboot.
I find it odd that when I export contacts from the hidden menu the file is visible in windows explorer if I have edited the registry as noted in the first post. I find this odd because everything else that is visible on the device using this method is related to the Zune, i.e. photos, music, and videos.
I have started looking back at some of the log files that I had the phone email me through the hidden menu and I have found some AT commands for the phone along with some other information. Here is a little bit of one file that I just started sorting through. The formatting isn't perfect because the log files have a lot of unreadable characters, but I have bolded files and commands. I also left everything in the case (upper and lower) as I found it in the file. The name of this file is:
MICROSOFT-PMX-DEBUGSTRINGPROVIDER-CHANNEL.02.clg
MPM_MainsSmThread
MPM_BB_STATE_NORMAL_ON_PRE_UPDATE
MPM_BB_USB_DRIVER_LOAD_UPDATE_EVENT, dwWaitTime: -1
MPM_Util:USB Client 1 has been Loaded
MPM_Util:USB Client 2 has been !UnLoaded!
CDMA Radio Updeate: Text stored version : v0.4.727
CDMA Radio Update:Registry Key version: v0.4.727
CDMA Radio Update: Current Modem version: v0.4.727
MPM_MainsSmThread
MPM_BB_STATE_NORMAL_ON_PRE_UPDATE
MPM_MainsSmThread
MPM_BB_UPDATE_REQ_EVENT - No modem update is needed
MPM_MainsSmThread
MPM_BB_STATE_NORMAL_ON_POST_UPDATE
MPM_END_RSTISR_REQ_EVENT, dwWaitTime: -1
MPM_MainsSmThread
MPM_BB_STATE_NORMAL_ON_POST_UPDATE
MPM_END_RSTISR_REQ_EVENT MODEM RESET ISR Init Completed.
MPM_MainsSmThread
MPM_BB_STATE_NORMAL_ON_POST_UPDATE
MPM_POWER_ON_REQ_EVENT, dwWaitTime: -1
RILNDIS: GetPacketInterface Initialize = c117d634
Shutdown = c117c4e4
RILDrv : i : Accumulated response (1) : <cr><lf>
IOPTMODE: 6 <cr><lf>
RILDrv : i : Sending cmd: ATV0E0X3 <cr>
RILDrv : t : LoadEriData : Opening file
\RoamingIndicator\eri.bin
RILDrv : i : Accumulated response (1) : ATV0E0X3 <cr> 0 <cr>
RILDrv : t : LoadEriData:
\RoamingIndicator\eri.bin not exist. Err 0x00000002
RILDrv : i : Sending cmd:
AT+cstt=0, 1, 75, 85, 95, 100 <cr>
RILDrv : t : LoadEriData: Opening file
\Windows\eri.bin
RILDrv : i : Accumulated response (1) : 0 <cr>
RILDrv : i : Sending cmd :
AT+CSTT=1,1,18,22,26,30 <cr>
PMIC Boot cookie: rb7262h
RILDrv : i : Accumulated response (1) : 0 <cr>
RILDrv : i : Sending cmd :
AT+CSQT=1<cr>
RILDrv : i : Accumulated response (1) : 0 <cr>
RILDrv:i: Sending cmd:
AT+GMI; +GMM; +GMR; +CKEYPAD?25<cr>
RILDrv:i: Accumulated response: +CKEYPAD:25
RILDrv:i: Accumulated response (2): equesting :
IUSBON, USBST, New PLMST, timestamp, 10, 2,2944 <cr><lf>
RILDrv:i:Accumulated response(1): +IQMIREADY <cr><lf>
+IUSBON<cr><lf>+IECHO: Requesting:IUSBON, USBST,
New PLMST, timestamp, 10, 2, 2944 <cr><lf>
RILDrv:i: ParseNotificationOEM: +IQMIREADY: SetEvent for QMI Init
RILDrv:i: Accumulated response(1): +IUSBON<cr><lf> +IECHO:
Requesting: IUSBON, USBST, New PLMST, timestamp, 10, 2, 2944<cr><lf>
RILDrv:i: Accumulated response(1): +IECHO:
Requesting: IUSBON, USBST, New PLMST, timestamp, 10, 2, 2944<cr><lf>
RilDrv:ParseGetEquipmentInfo Modem Version: 727
I found out one more thing: if you use the s+l+power combination when the phone is powered off and connected to the computer, another USB device is found. I just found this thanks to conflipper's early work. We will have to come up with some sort of driver for this now.
Here is the name of the device and the hardware IDs
Microsoft Pink Bootstrap
USB\VID_045E&PID_2345&REV_0000
USB\VID_045E&PID_2345
I also just found this hardware id when having the computer turned off and plugged into the pc. When I hold down u+s+b+power Windows finds another device with the following name and hardware IDs (According to what I have found online this VID is Nvidia.) So this might be where we can use the tegra chipset stuff.
APX
USB\VID_0955&PID_7416&REV_0103
USB\VID_0955&PID_7416
Thought I would also add that my phone is currently unusable, but on the positive side, I wouldn't have found those other two usb hardware IDs if this hadn't happened. Sidenote, I was using QPST Configuration program, and I right clicked on my phone in the active phones tab. I then clicked on "Configure service to port mapping..." and added one property (unfortunately, I can no longer go back to the window because the program doesn't recognize my phone now). At this point, my phone rebooted and is now stuck trying to boot up.
I don't think it is completely bricked, but I fear that until we pull a rom it is probably useless because it is stuck in a constant cycle trying to reboot. The only way to stop this is to remove the battery. I have since tried using the various key combinations provided by conflipper and have found that the bootstrapper combination (s+l+power) would probably work if we had a rom. I then tried the hard reset combination (c+b+power) which initially looks like it might work but then it gets stuck in the cycle of rebooting.
I am going to continue working on it, hoping that somehow now that I might have some extra sort of access to hardware, but I am afraid my contributions may be limited until we are able to pull a rom.
Sorry to hear that. There has to be a way of getting it out of the loop.
RevSkills Hardware Log.
Diag Port Supported Command List.
7E - TRS FRM MSG supported.
5A - CHECK AKEY supported.
59 - EFS CMD supported.
58 - GET IS95B supported.
57 - SET MAX SUP CH supported.
56 - SUP WALSH CODES supported.
55 - FER INFO supported.
51 - GET FEATURES supported.
49 - READ PRL supported.
47 - UNKNOWN unknown response:
45 - GET CDMA RSSI unknown response:
44 - CHANGE SERIAL MODE unknown response:
43 - GET PARAMETER unknown response:
42 - UNKNOWN unknown response:
40 - SET PILOTS unknown response:
3F - GET STATE unknown response:
3E - UNKNOWN unknown response:
3D - CONF SLEEP unknown response:
3C - GET PACKET SEQNO unknown response:
22 - DISPLAY EMU supported.
04 - PEEK DWORD supported.
03 - PEEK WORD supported.
02 - PEEK BYTE supported.
01 - Show ESN supported.
00 - Version Info supported.
(the phone rebooted many times while doing this test, hence the unknown responses).
I tested more of the options provided by the free version of Revskills and it was kind of funny to see how the keyboard emulator worked, but only for numbers.
After all the reboots and so, I got some hex descriptions for errors in a new folder, called Err. Uploaded a new screenshot from that folder contents.
Easy CDMA just lets you browse the filesystem we already know.... not so much fun.
Little update.
You seem to be able to enter the recovery mode holding the U S B + power option but, as I tried right now, also using "Volume -" + power as stated for other tegra devices. Can't check if that loads ok on the computer, as I don't have the usb cable here right now.
OOPS I made a mistake. I am not seeing anything using windows 7 using u+S+B and power up. Should I disable zune, change registry for zune back to normal etc??
You shouldn't have to because the device has a different hardware id, so the drivers installed for the zune portion aren't applicable. Try turning your phone off, plugging in the usb cable and then using the key combinations. If the new hardware message box doesn't appear, you should still see an unknown device in device manager.
Also you have to hold the u+s+b+power for a few seconds before it will be recognized. When I have done this the screen stays blank on my phone and the only way I know it is working is through Windows.
Using Windows 7 OS. I had to uninstall the zune driver located in portable devices in the device manager then it found new APX device and I was able to point to the NVIDIA driver. Tried ruining the phone (Flashing android to it) as in another thread but it also got stuck on the flashing prompt. Restarted phone normally and the windows found another device and loaded the zune drivers back.
Incidentally, holding the volume down and power on does the same as the U+S+B+Power and is easier on the fingers.
Thanks and keep up the great work.
I again may have spoken too soon. I cannot duplicate the above scenario anymore.
I also can no longer transfer pictures taken with my phone on to my pc. I can add pictures to the phone from pc and back but not the ones taken with the camera. Originally I could with zune software. The folders for uploaded pictures are different than the ones taken with the phone. I really think that I screwed something in the phone up by playing with qpst and others.
I'm not sure about what you did there, but in my testing & curiosity purposes trials, I wasn't able to alter the device (do a write to memory), so I doubt that qpst or the others did it for you.
Also, according to coinflipper notes, the kin has several layers, including the SBL that is the one operating with the os directly (the "Ms Pink bootstrap" device), not the recovery mode, which basically put us handling a modem....
I'm trying some things, but no results yet... gonna take some time....
I have changed the USB password and added contacts (somewhere) while writing to the device using qpst. I changed the password to 000001. Is this a different part of memory I am fooling with?
Thanks
I am not sure. I have no previous experience with any phone deving nor Qualcomm tools. Just pointed what coinflipper said.
I said "basically a modem", cause you got diag(nostics) mode within a com port, and some users (in other posts) showed logs with AT commands.
I'm working with some tools to connect to the device, but using the driver we all got (zune software). Not promising anything, just peeking around some tests.
@mcdietz
Here I pasted a public output of the linux command "lsusb -vv" (ultraverbose) where Kin (factory default settings) values are.
http://pastebin.com/rZscb9wz
Is useful for usb access to the kin. Use at will.
I have been testing usb connections to the kin devices (the ones we used in this forum) and I checked this:
Kin mode (normal Zune mode):
- Using MTP protocol:
-- You can browse files/folders/track related to Zune values using the lib-mtp tools in the system you like.
-- You can format the device (zune related folders) & delete zune files using the lib-mtp tools.
-- You can't download files from the device using the lib-mtp tools (kin doesn't allow you to)
-- You can't upload files to the device using the lib-mtp tools (kin doesn't allow you to)
- Using raw USB:
-- You can Write & Read values to the device (Kin VID 0x045e, PID 0x0641). Protocol allowed: MTP
Of course, Zune software does use this mode and is allowed to write to the filesystem. But that's because before doing so, it uses MTP protocol values to send and receive crypto values based on JANUS from Microsoft (Microsoft DRM for Mobile Devices) and after crypto relationships, the usb commands enable the "Connected" window at the Kin.
Capturing and replaying these values over usb does not work (ever) and does not work for the kin (had to try), so no go-go from here. Also, we cannot know if it would be able (dreaming after bypassing the DRM) to go outside the pictures/music/etc folders.
On the other hand, MTP tools reports that our little friend is able to reproduce the following files:
Firmware file
MediaCard
Abstract Playlist file
Abstract Album file
JPEG file
Microsoft Windows Media Video
MPEG-4 Part 14 Container Format (Audio+Video Emphasis)
Advanced Audio Coding (AAC)/MPEG-2 Part 7/MPEG-4 Part 3
MPEG-4 Part 14 Container Format (Audio Emphasis)
Microsoft Advanced Systems Format
Microsoft Windows Media Audio
ISO MPEG-1 Audio Layer 3
Where firmware is strange and good but the question is... how to upload the firmware files (you can get zune firmwares from the net) to the zune software on the device (and run them)?
It's more interesting when you notice that firmwares contain "Zboot.bin" which is "Tegra device bootloader" but, sadly, doesn't work with nvflash because of what I said below. Those updates are WinCE updates too...
APX mode (nvidia "flashing" mode), with or without Nvidia driver.
- Using nvflash
-- You can't start flashing due to writing to usb error
-- Following attempts block the nvflash and device access.
- Using raw USB:
-- You can't Write or Read values to the device (APX VID 0x0955, PID 0x7416). Protocol allowed: None
This matches the post where coinflipper told us that you cannot dump the rom image.
Microsoft Pink Bootstrap (No driver):
- Using raw USB:
-- You can Write & Read values to the device (Kin VID 0x045e, PID 0x2345). Protocol allowed: Unknown
-- Phone answers "01" to all the write requests I did (from "00" to "FF").
markspace. com/kin/
Here's some software that was developed for it, but I'm guessing it is only client end?
I'm not allowed to link, so assemble the spaces yourself please
The link for the download (direct), being for Mac (only), is:
http://www.markspace.com/kin/download.php
But you must register to get an activation code from the main page (posted by shlhu). It will need internet access to activate the software during installation and reboot after it.
Requires iTunes (for audio sync), iPhoto (for image, also have started it once), and QuickTime (for video).
I tested it with a fresh installed Snow Leopard and I can say that it works. I dunno how it does (without zune installed), but it works.
Unfortunately, I wasn't able to analyze the usb transmission there, so I can't compare with the windows one. If it can skip the JANUS drm, then we may have a chance. If it is the same process as windows... we are done... lol.

Edit product code and remove roaming triangle in old lumias X2X ?

Ok guys, I'm trying to look for the product code registry to change it because every time I restore the system it goes back to the original one, which is from an operator, and I'd like to have a country variant one. Anyone know where this registry is?
And the other thing is, how could we add our operator so the roaming triangle is removed?
Thank you guys!
Hello @skyleth,
The product code is never mentioned in the registry.
If the Windows Device Recovery Tool normally detects a Lumia device connected over universal serial bus (USB) to the computer where it is installed, it will then ask you, from its user interface (UI), to select it.
The software then retrieves and uses some information from the Lumia device. Among this, note the presence of a string value representing the product code, written in a file named product.dat, stored in a path of the device provisioning partition (DPP).
Then, the Windows Device Recovery Tool software compares this string value with those on the Microsoft Azure repository servers, to determine which package it should download. After finding this answer, it downloads, itself, a file with the extension *.vpl (variant packing list), which will be stored in a path, intended for this, of the %ProgramData% environment variable of the computer.
At the same time, the Windows Device Recovery Tool software displays, among other things, an Install software button. Once past the three boring steps directly following the pressing of this button, the package download starts. This involves several files of a few kilobytes (KB) and a *.ffu file (full flash update) of more or less than 3 gigabytes (GB), that will be stored in the same path where the *.vpl file was previously downloaded.
Then, the Windows Device Recovery Tool software checks that the charge level of the battery of the Lumia device is 25% minimum, then sends a command to it to reboot it immediately in the flash mode. The software checks the status of the anti-theft protection and, whether it is enabled or disabled, starts the package installation.
This involves several steps, such as for example the cyclic redundancy check (CRC) of the downloaded files, the root key hash (RKH) control of the Lumia device and of the *.ffu file, or Platform ID control. However, listing all the steps would be much too long.
Once the installation process has completed correctly, the Windows Device Recovery Tool software sends a command to the Lumia device to reboot it normally, thus initiating, a few seconds later, the out-of-box experience (OOBE).
If you want to change the product code written in the device provisioning partition, you can do this easily by using the thor2 program (provided with Windows Device Recovery Tool software), by executing the thor2 -mode uefiflash -ffufile "Path\Of\FFU\File.ffu" -productcodeupdate 059x -skip_flash -reboot command.
Best regards,
Thank you, it worked! I'm going to try and see if an update pops up and fix the roaming triangle
