Ok, so we haven't had quite as much luck yet as we would have liked, but I think as we continue to try out different approaches we will have some luck. I think it might be beneficial for us to have an overview of what has been tried and what has been attempted thus far. So here is a list of things people have tried (please feel free to add anything that I may have left out or accidentally overlooked).
Registry Edit to access Zune storage
I believe this was the first approach that people took to gaining access to the KIN, and this link provides a great walkthrough.
Bitpim
This is a pretty good overview of what has been attempted through Bitpim. Recently some have even tried using some other software, namely CDMA Workshop, (Look at the last post of the page.) I would suggest that we also try a couple more:
RevSkills
UniCDMA
Nvidia Tegra Flash
I forgot this when I first posted.
OpenZDK
This was another potential since much of the hardware, namely the processor, is the same on both the KIN and Zune.
Looking for clues in the log files
To put it simply, in the hidden menu there is an option to have system logs emailed to you. I tried reading through some and noticed some of the events and files that the KIN uses, but have not had any luck yet.
FTP
This link is the same as the link for the Log Files above.
Export/Import in hidden Menu
Once again, the link used here is the same one for Log Files and FTP.
Please add anything that I may have left out, either different approaches or links to helpful information. I haven't had a chance to tinker with RevSkills too much yet, but it looks real promising.
Ah, we mods like these threads. Keep it up. Stickied.
The hidden import feature becomes active if you create a contact while using qpst. It imports but I don't know where it put that info.
Interesting to note is that none of my phone-entered contacts show up in qpst. It is like that directory is mapped to some other place.
I was able to create directories and added txt files using qpst that remain even after power cycling the phone. I haven't found any of this using the phone yet.
I am getting the same results as you when I use the EFS manager and service programming. I can create files and make changes and they last after reboot.
I find it odd that when I export contacts from the hidden menu the file is visible in windows explorer if I have edited the registry as noted in the first post. I find this odd because everything else that is visible on the device using this method is related to the Zune, i.e. photos, music, and videos.
I have started looking back at some of the log files that I had the phone email me through the hidden menu and I have found some AT commands for the phone along with some other information. Here is a little bit of one file that I just started sorting through. The formatting isn't perfect because the log files have a lot of unreadable characters, but I have bolded files and commands. I also left everything in the case (upper and lower) as I found it in the file. The name of this file is:
MICROSOFT-PMX-DEBUGSTRINGPROVIDER-CHANNEL.02.clg
MPM_MainsSmThread
MPM_BB_STATE_NORMAL_ON_PRE_UPDATE
MPM_BB_USB_DRIVER_LOAD_UPDATE_EVENT, dwWaitTime: -1
MPM_Util:USB Client 1 has been Loaded
MPM_Util:USB Client 2 has been !UnLoaded!
CDMA Radio Updeate: Text stored version : v0.4.727
CDMA Radio Update:Registry Key version: v0.4.727
CDMA Radio Update: Current Modem version: v0.4.727
MPM_MainsSmThread
MPM_BB_STATE_NORMAL_ON_PRE_UPDATE
MPM_MainsSmThread
MPM_BB_UPDATE_REQ_EVENT - No modem update is needed
MPM_MainsSmThread
MPM_BB_STATE_NORMAL_ON_POST_UPDATE
MPM_END_RSTISR_REQ_EVENT, dwWaitTime: -1
MPM_MainsSmThread
MPM_BB_STATE_NORMAL_ON_POST_UPDATE
MPM_END_RSTISR_REQ_EVENT MODEM RESET ISR Init Completed.
MPM_MainsSmThread
MPM_BB_STATE_NORMAL_ON_POST_UPDATE
MPM_POWER_ON_REQ_EVENT, dwWaitTime: -1
RILNDIS: GetPacketInterface Initialize = c117d634
Shutdown = c117c4e4
RILDrv : i : Accumulated response (1) : <cr><lf>
IOPTMODE: 6 <cr><lf>
RILDrv : i : Sending cmd: ATV0E0X3 <cr>
RILDrv : t : LoadEriData : Opening file
\RoamingIndicator\eri.bin
RILDrv : i : Accumulated response (1) : ATV0E0X3 <cr> 0 <cr>
RILDrv : t : LoadEriData:
\RoamingIndicator\eri.bin not exist. Err 0x00000002
RILDrv : i : Sending cmd:
AT+cstt=0, 1, 75, 85, 95, 100 <cr>
RILDrv : t : LoadEriData: Opening file
\Windows\eri.bin
RILDrv : i : Accumulated response (1) : 0 <cr>
RILDrv : i : Sending cmd :
AT+CSTT=1,1,18,22,26,30 <cr>
PMIC Boot cookie: rb7262h
RILDrv : i : Accumulated response (1) : 0 <cr>
RILDrv : i : Sending cmd :
AT+CSQT=1<cr>
RILDrv : i : Accumulated response (1) : 0 <cr>
RILDrv:i: Sending cmd:
AT+GMI; +GMM; +GMR; +CKEYPAD?25<cr>
RILDrv:i: Accumulated response: +CKEYPAD:25
RILDrv:i: Accumulated response (2): equesting :
IUSBON, USBST, New PLMST, timestamp, 10, 2,2944 <cr><lf>
RILDrv:i:Accumulated response(1): +IQMIREADY <cr><lf>
+IUSBON<cr><lf>+IECHO: Requesting:IUSBON, USBST,
New PLMST, timestamp, 10, 2, 2944 <cr><lf>
RILDrv:i: ParseNotificationOEM: +IQMIREADY: SetEvent for QMI Init
RILDrv:i: Accumulated response(1): +IUSBON<cr><lf> +IECHO:
Requesting: IUSBON, USBST, New PLMST, timestamp, 10, 2, 2944<cr><lf>
RILDrv:i: Accumulated response(1): +IECHO:
Requesting: IUSBON, USBST, New PLMST, timestamp, 10, 2, 2944<cr><lf>
RilDrv:arseGetEquipmentInfo Modem Version: 727
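Added example, not part of the original posts: a small Python parser that pulls the AT command/response pairs out of RILDrv lines like the ones in the excerpt above. The sample lines are copied from that excerpt; the function and variable names are hypothetical, and the layout rules (command sometimes on the following line, optional "(n)" counter, command echoed back before the result) are inferred only from what the excerpt shows.

```python
import re

# "RILDrv : i : ..." and "RILDrv:i:..." both occur in the excerpt.
PREFIX = re.compile(r"^RILDrv\s*:\s*(\w)\s*:\s*(.*)$", re.IGNORECASE)
SEND = re.compile(r"^Sending cmd\s*:\s*(.*)$", re.IGNORECASE)
RESP = re.compile(r"^Accumulated response\s*(?:\(\d+\))?\s*:\s*(.*)$", re.IGNORECASE)
MARKER = re.compile(r"<(?:cr|lf)>", re.IGNORECASE)

# Lines taken from the log excerpt in the post above.
SAMPLE = r"""
RILDrv : i : Sending cmd: ATV0E0X3 <cr>
RILDrv : t : LoadEriData : Opening file
\RoamingIndicator\eri.bin
RILDrv : i : Accumulated response (1) : ATV0E0X3 <cr> 0 <cr>
RILDrv : i : Sending cmd:
AT+cstt=0, 1, 75, 85, 95, 100 <cr>
RILDrv : i : Accumulated response (1) : 0 <cr>
RILDrv : i : Sending cmd :
AT+CSQT=1<cr>
RILDrv : i : Accumulated response (1) : 0 <cr>
RILDrv:i: Sending cmd:
AT+GMI; +GMM; +GMR; +CKEYPAD?25<cr>
RILDrv:i: Accumulated response: +CKEYPAD:25
RILDrv:i:Accumulated response(1): +IQMIREADY <cr><lf>
"""


def clean(text):
    """Drop the <cr>/<lf> markers and collapse runs of whitespace."""
    return " ".join(MARKER.sub(" ", text).split())


def parse_ril_log(text):
    """Return (exchanges, unsolicited).

    exchanges   -- list of (command, response) tuples, in log order
    unsolicited -- responses that arrived with no command outstanding
    """
    exchanges, unsolicited = [], []
    pending = None      # command still waiting for its response
    want_cmd = False    # previous line was a bare "Sending cmd:"

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = PREFIX.match(line)
        if not m:
            # Continuation line: only a command if "Sending cmd:" came just before.
            # Otherwise it belongs to a trace line (e.g. a file path) and is skipped.
            if want_cmd:
                pending = clean(line)
                want_cmd = False
            continue

        body = m.group(2)
        want_cmd = False

        sent = SEND.match(body)
        if sent:
            command = clean(sent.group(1))
            if command:
                pending = command
            else:
                pending, want_cmd = None, True
            continue

        got = RESP.match(body)
        if got:
            response = clean(got.group(1))
            if pending is None:
                unsolicited.append(response)
                continue
            # The modem may echo the command before the result code.
            if response.upper().startswith(pending.upper()):
                response = response[len(pending):].strip()
            exchanges.append((pending, response))
            pending = None

    return exchanges, unsolicited


if __name__ == "__main__":
    pairs, extra = parse_ril_log(SAMPLE)
    for command, response in pairs:
        print(f"{command!r:45} -> {response!r}")
    print("unsolicited:", extra)
```
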
I found out one more thing: if you use the s+l+power combination when the phone is powered off and connected to the computer, another USB device is found. I just found this thanks to conflipper's early work. We will have to come up with some sort of driver for this now.
Here is the name of the device and the hardware IDs
Microsoft Pink Bootstrap
USB\VID_045E&PID_2345&REV_0000
USB\VID_045E&PID_2345
I also just found this hardware id when having the computer turned off and plugged into the pc. When I hold down u+s+b+power Windows finds another device with the following name and hardware IDs (According to what I have found online this VID is Nvidia.) So this might be where we can use the tegra chipset stuff.
APX
USB\VID_0955&PID_7416&REV_0103
USB\VID_0955&PID_7416
Thought I would also add that my phone is currently unusable, but on the positive side, I wouldn't have found those other two usb hardware IDs if this hadn't happened. Sidenote, I was using QPST Configuration program, and I right clicked on my phone in the active phones tab. I then clicked on "Configure service to port mapping..." and added one property (unfortunately, I can no longer go back to the window because the program doesn't recognize my phone now). At this point, my phone rebooted and is now stuck trying to boot up.
I don't think it is completely bricked, but I fear that until we pull a rom it is probably useless because it is stuck in a constant cycle trying to reboot. The only way to stop this is to remove the battery. I have since tried using the various key combinations provided by conflipper and have found that the bootstrapper combination (s+l+power) would probably work if we had a rom. I then tried the hard reset combination (c+b+power) which initially looks like it might work but then it gets stuck in the cycle of rebooting.
I am going to continue working on it, hoping that somehow now that I might have some extra sort of access to hardware, but I am afraid my contributions may be limited until we are able to pull a rom.
Sorry to hear that. There has to be a way of getting it out of the loop.
RevSkills Hardware Log.
Diag Port Supported Command List.
7E - TRS FRM MSG supported.
5A - CHECK AKEY supported.
59 - EFS CMD supported.
58 - GET IS95B supported.
57 - SET MAX SUP CH supported.
56 - SUP WALSH CODES supported.
55 - FER INFO supported.
51 - GET FEATURES supported.
49 - READ PRL supported.
47 - UNKNOWN unknown response:
45 - GET CDMA RSSI unknown response:
44 - CHANGE SERIAL MODE unknown response:
43 - GET PARAMETER unknown response:
42 - UNKNOWN unknown response:
40 - SET PILOTS unknown response:
3F - GET STATE unknown response:
3E - UNKNOWN unknown response:
3D - CONF SLEEP unknown response:
3C - GET PACKET SEQNO unknown response:
22 - DISPLAY EMU supported.
04 - PEEK DWORD supported.
03 - PEEK WORD supported.
02 - PEEK BYTE supported.
01 - Show ESN supported.
00 - Version Info supported.
(the phone rebooted many times while doing this test, hence the unknown responses).
I tested more of the options provided by the free version of Revskills and it was kind of funny to see how the keyboard emulator worked, but only for numbers.
After all the reboots and so, i got some hex descriptions for errors in a new folder, called Err. Uploaded a new screenshot from that folder contents.
Easy CDMA just lets you browse the filesystem we already know.... not so much fun.
Little update.
You seem to be able to enter the recovery mode holding the U S B + power option but, as i tried right now, also using "Volume -" + power as stated for other tegra devices. Can't check if that loads ok on the computer, as i dont have the usb cable here right now.
OOPS I made a mistake. I am not seeing anything using windows 7 using u+S+B and power up. Should I disable zune, change registry for zune back to normal etc??
You shouldn't have to because the device has a different hardware id, so the drivers installed for the zune portion aren't applicable. Try turning your phone off, plugging in the usb cable and then using the key combinations. If the new hardware message box doesn't appear, you should still see an unknown device in device manager.
Also you have to hold the u+s+b+power for a few seconds before it will be recognized. When I have done this the screen stays blank on my phone and the only way I know it is working is through Windows.
Using Windows 7 OS. I had to uninstall the zune driver located in portable devices in the device manager then it found new APX device and i was able to point to the NVIDIA driver. Tried ruining the phone (Flashing android to it) as in another thread but it also got stuck on the flashing prompt. Restarted phone normally and the windows found another device and loaded the zune drivers back.
Incidentally, holding the volume down and power on does the same as the U+S+B+Power and is easier on the fingers.
Thanks and keep up the great work.
I again may have spoken too soon. I cannot duplicate the above scenario anymore.
I also can no longer transfer pictures taken with my phone on to my pc. I can add pictures to the phone from pc and back but not the ones taken with the camera. Originally I could with zune software. The folders for uploaded pictures are different than the ones taken with the phone. I really think that I screwed something in the phone up by playing with qpst and others.
I'm not sure about what you did there, but in my testing & curiosity purposes trials, i wasn't able to alter the device (do a write to memory), so i doubt that qpst or the others did it for you.
Also, according to coinflipper notes, the kin has several layers, including the SBL that is the one operating with the os directly (the "Ms Pink bootstrap" device), not the recovery mode, which basically put us handling a modem....
I'm trying some things, but no results yet... gonna take some time....
I have changed the USB password and added contacts (somewhere) while writing to the device using qpst. I changed the password to 000001. Is this a different part of memory I am fooling with?
Thanks
I am not sure. I have no previous experience with any phone deving nor Qualcomm tools. Just pointed what coinflipper said.
I said "basically a modem", cause you got diag(nostics) mode within a com port, and some users (in other posts) showed logs with AT commands.
I'm working with some tools to connect to the device, but using the driver we all got (zune software). Not promising anything, just peeking around some tests.
@mcdietz
Here I pasted a public output of the linux command "lsusb -vv" (ultraverbose) where Kin (factory default settings) values are.
http://pastebin.com/rZscb9wz
Is useful for usb access to the kin. Use at will.
I have been testing usb connections to the kin devices (the ones we used in this forum) and i checked this:
Kin mode (normal Zune mode):
- Using MTP protocol:
-- You can browse files/folders/track related to Zune values using the lib-mtp tools in the system you like.
-- You can format the device (zune related folders) & delete zune files using the lib-mtp tools.
-- You can't download files from the device using the lib-mtp tools (kin doesn't allow you to)
-- You can't upload files to the device using the lib-mtp tools (kin doesn't allow you to)
- Using raw USB:
-- You can Write & Read values to the device (Kin VID 0x045e, PID 0x0641). Protocol allowed: MTP
Of course, Zune software does use this mode and is allowed to write to the filesystem. But that's because before doing so, it uses MTP protocol values to send and receive crypto values based on JANUS from Microsoft (Microsoft DRM for Mobile Devices) and after crypto relationships, the usb commands enable the "Connected" window at the Kin.
Capturing and replaying these values over usb does not work (ever) and does not work for the kin (had to try), so no go-go from here. Also, we cannot know if it would be able (dreaming after bypassing the DRM) to go outside the pictures/music/etc folders.
On the other hand, MTP tools reports that our little friend is able to reproduce the following files:
Firmware file
MediaCard
Abstract Playlist file
Abstract Album file
JPEG file
Microsoft Windows Media Video
MPEG-4 Part 14 Container Format (Audio+Video Emphasis)
Advanced Audio Coding (AAC)/MPEG-2 Part 7/MPEG-4 Part 3
MPEG-4 Part 14 Container Format (Audio Emphasis)
Microsoft Advanced Systems Format
Microsoft Windows Media Audio
ISO MPEG-1 Audio Layer 3
Where firmware is strange and good but the question is... how to upload the firmware files (you can get zune firmwares from the net) to the zune software on the device (and run them)?
It's more interesting when you notice that firmwares contain "Zboot.bin" which is "Tegra device bootloader" but, sadly, doesnt work with nvflash because of what I said below. Those updates are WinCE updates too...
APX mode (nvidia "flashing" mode), with or without Nvidia driver.
- Using nvflash
-- You can't start flashing due to writing to usb error
-- Following attempts block the nvflash and device access.
- Using raw USB:
-- You can't Write or Read values to the device (APX VID 0x0955, PID 0x7416). Protocol allowed: None
This matches the post where coinflipper told us that you cannot dump the rom image.
Microsoft Pink Bootstrap (No driver):
- Using raw USB:
-- You can Write & Read values to the device (Kin VID 0x045e, PID 0x2345). Protocol allowed: Unknown
-- Phone answers "01" to all the write requests i did (from "00" to "FF").
markspace. com/kin/
Here's some software that was developed for it, but I'm guessing it is only client end?
I'm not allowed to link, so assemble the spaces yourself please
The link for the download (direct) , being for Mac(only) is:
http://www.markspace.com/kin/download.php
But you must register to get an activation code from the main page (posted by shlhu). It will need internet access to activate the software during installation and reboot after it.
Requires Itunes (for audio sync), Iphoto (for image, also have started it once), and Quicktime (for video).
I tested it with a fresh installed Snow Leopard and i can say that it works. I dunno how it does (without zune installed), but it works.
Unfortunately, i wasnt able to analyze the usb transmission there, so i cant compare with the windows one. If it can skip the JANUS drm, then we may have a chance. If it is the same process as windows... we are done... lol.
So I tried to flash android on to the phone using the tegra 250 images when I realized I need the apx series images for android. The thing about that is I can't find them anywhere. Anyone have any idea where a development site for the tegra apx series is? It seems Nvidia has no support for the old series anymore.
How do you upload android to the phone? What program or steps do you do? Is there a debug mode or recovery mode? I believe we have to make our own images.
I was using a program provided by nvidia for programming a tegra based development kit. It is capable of flashing android and windows ce 6. If anybody with more experience would like to take a look at the drivers images and program here are the files.
http://tegradeveloper.nvidia.com/tegra/downloads
Don't the images you are looking for have to have drivers for the hardware interfaces specific to this phone?
stetkas said:
> Don't the images you are looking for have to have drivers for the hardware interfaces specific to this phone?
I wasn't exactly worried about the hardware working as much as getting android onto the tegra and viewing the os. Creating drivers is the easy part.
dezgrz said:
> I wasn't exactly worried about the hardware working as much as getting android onto the tegra and viewing the os. Creating drivers is the easy part.
Do you think you could write a driver for this?
APX
USB\VID_0955&PID_7416&REV_0103
USB\VID_0955&PID_7416
This VID supposedly belongs to Nvidia. This is the device that is found by Windows if you plug your phone into the usb when it is turned off and then press the u+s+b+power buttons.
I tried the Recovery Mode, like the person described above me, and it came up with the APX device. So, if someone makes a driver for that, then we might be able to jailbreak it? (iPod Touches and iPhones jailbreak through Recovery Mode). This doesn't seem much different from an iPhone or an iPod Touch.
I found out a driver that we might be able to modify to give us access. I downloaded both the froyo and c36 downloads available from the tegra site that was mentioned earlier. http://tegradeveloper.nvidia.com/tegra/downloads
These file paths could be different if your hard drive has a different drive letter and perhaps also if you have a 64-bit processor, but I found the drivers in the following directories.
C:\Program Files\NVIDIA Corporation\tegra_froyo_20101105\usbpcdriver\NvidiaUsb.inf
C:\Program Files\NVIDIA Corporation\ce6_tegra_250_5265393\os\usbpcdriver\NvidiaUsb.inf
These drivers have the hardware ID in the inf file and so Windows recognizes it and starts to install the driver and finishes, but says there is an error. I'll keep working on it though.
So, the drivers do actually work; it was my computer that was causing the problems, not the drivers. Now that the drivers are installed I think we can use the SDKs provided by Nvidia on the Tegra download page.
If this works, we now have a serious decision to make. Do we try to get android on the phone or do we stick with the Windows CE based os?
mcdietz said:
> So, the drivers do actually work; it was my computer that was causing the problems, not the drivers. Now that the drivers are installed I think we can use the SDKs provided by Nvidia on the Tegra download page.
> If this works, we now have a serious decision to make. Do we try to get android on the phone or do we stick with the Windows CE based os?
Personally, I would rather stick with current OS. Just because I don't want to brick my phone. Maybe have some additions to the current OS? Enable hidden features or something? Customizations? etc?
First off, I wanted to thank everyone who is working on trying to develop an update to improve on the Kin Two. I currently am interested in getting the TWOm when my contract expires but there is a dealbreaker for me, which is that the phone does not alert you when you have a missed call. I know there are other annoying flaws (pointed out in details at the verizon forums by fisharefriends), but this is the only flaw I cannot deal with.
I do not know what is possible of being changed/edited, but I think mcdietz should focus on implementing basic functions that are currently not on the Kin Two phone, but are on other simple lower spec feature phones.
zero2duo said:
> First off, I wanted to thank everyone who is working on trying to develop an update to improve on the Kin Two. I currently am interested in getting the TWOm when my contract expires but there is a dealbreaker for me, which is that the phone does not alert you when you have a missed call. I know there are other annoying flaws (pointed out in details at the verizon forums by fisharefriends), but this is the only flaw I cannot deal with.
> I do not know what is possible of being changed/edited, but I think mcdietz should focus on implementing basic functions that are currently not on the Kin Two phone, but are on other simple lower spec feature phones.
Implementing missing features... That's a good start. Also, would it be possible to make it be a USB device (so you can go into the phone and let's say... change the default themes)?
@mcdietz
Humm, i installed all those downloads long time ago (i guess when posted or before), but didn't test the drivers with the APX connection.
It worked with errors in linux connection to the usb (got device errors while reading from the USB device) and didn't work with virtual machine (though vmware detected it).
On the other hand, it worked ok in a win7 real machine and got the driver installed.
I tried to flash android on the device, using the provided images (heh, tests...) and nvflash. But you always get an error on the first try and then, in further attempts you get a "Starting flash" message loop which does nothing.
Same results if you try to do "nvflash --get-partitions" (stuck at 2nd attempt).
You may think that it's a non working thing, but if you don't connect the device, nvflash.exe outputs that there is no USB device connected.
A little weird...
I would want to have android at the kin (as i think that has more future than our wince version, looking @ tegra forums) and anyway, if we can somehow read/write the phone roms, we can made a backup from the current OS.
Installed the same tools on linux (native, no emulation) and the flash option didn't work here either (normal / root user).
Code:
./nvflash --getpartitiontable test.log
outputs (if no phone connected)
Nvflash started
no usb phone found
outputs (if Kin on APX connected)
Nvflash started
rcm version 0X4
Command send failed (usb write failed)
in the first attempt. Then if called again, seems to get frozen on "Nvflash started" message.
Maybe the recovery has no way to get that data....
Windows Phone Connector?
has anyone tried using the program WP7 connector for the KIN? it works with the zune hd so why not the KIN?
Mmm just to inform....
This is what (physically) happens when the Kin is on the nvflash attempts. Phone must be just booted (not previous nvflash attempt in this boot).
Code:
PC <- Kin: 80 30 18 16 B9 E8 00 00
PC -> Kin: [1028 bytes of data]
Pc <- Kin: 04 00 00 00
PC -> Kin: [39252 bytes of data]
Seems like the response we get (rcm 0x04000000), and the next writing is done with the device autolocked, so last PC -> Kin fails.
Further attempts do not try the same procedure but directly send the last 39252 packet again, failing and getting stuck.
Using some selfmade software (cause no other works so far), i repeated the same procedure, changing the first "byte pack" to send a lame pack, and this is the output:
Code:
# ./kingateway
Opening the controller
Checking for kernel attaching
Claiming the interface
Reading from the Kin.
Received data. 8 bytes. Content:
80 30 18 16 B9 E8 00 00
Writing [02 01 00 00] to the Kin.
Reading Kin response.
Received data. 4 bytes. Content:
08 00 00 00
Writing again to the Kin
KinGATEWAY:: Error while writing to the KIN. Error Code is -9 EXITING.
So in short, fails again (haha, expected...really), but the second response from the kin is not "0400...00" but "08 00 ... 00" meaning a rcm 0x0800..000 or whatever that means.
The above error ("autolock"), tagged as Error code "9" on the program, is an integrity-defense method from the kin, not for the flashing issue but from the "command sent" over usb, which is wrong or unknown on how to operate, and is called "Endpoint Stall". It is a way to express "You're doing it wrong and I won't hear you again".
One of my ideas is that this version of nvflash is not what was used to operate with the kin and all we get are not errors or devil's corporation actions but incompatibility protections.
What we need, from my point of view is the Tegra SDK and/or a document where the responses from an APX device are listed (like 0x04000 is "wrong certificate" and 0x08000 is "certificate too short", etc), so we know what it's telling to us. Maybe it's easier to contact nVidia for "old" SDKs than roms...
I hate to be a party crasher but I think this thread needs to be bumped? Why did this thread randomly die? Maybe I'm missing something.
I believe it died because johnkussack doesn't have a working kin right now and I don't believe anyone else here wants to try things that may "brick" their phone (I'm one of them). I'm currently trying to buy another kin two (or, uh two), then I'll definitely be digging deeper into those. I may try a hardware route on one and a software route on the other.
This is definitely the most exciting thread in the kin two section of xda!
It's been a while but I now have a working KIN device and can continue my efforts. Using the resume mode command to try and force nvflash to write to the kin it displayed a message that said "writing" and then displayed "Failed to perform the following commands: create". It's been a PITA but I feel I will get something written to the device soon.
dezgrz said:
> It's been a while but I now have a working KIN device and can continue my efforts. Using the resume mode command to try and force nvflash to write to the kin it displayed a message that said "writing" and then displayed "Failed to perform the following commands: create". It's been a PITA but I feel I will get something written to the device soon.
before doing what i lastly underlined, considering what i underlined first... i suggest that you do the reading part, relating to the partition listing.
Just a safe way to find out if the experiments work. Then you can write... with a bit of safety on your side. I mean... you know that testing things writing could not be the best idea on the brickings.
I finally found some time to inspect the NST board for a spare UART and the search was successful!
The serial port can be accessed on U2713, pin 2 is RX, pin 3 is TX, device node is /dev/ttyS1.
I use it with a 3.3V USB-to-UART adapter, but any voltage between 1.2 and 3.6 should be fine, thanks to the TI voltage-level translator TXB0104.
There is also a second uart connected to J151 (ttyS0), but that one has no voltage-level-translator and runs with 2V. (TX is on pin 9 of J151, no idea where RX is).
I'm still trying to redirect the boot console to ttyS1, i think i have to recompile uboot.
/edit:
Patching u-boot worked, I have the boot console on ttyS1.
Good job!
I wanted to look for this sometime, but you beat me to it.
ttyS0 is for the (cell phone) radio
ttyS1 is for the Bluetooth.
Could the connector place there be for JTAG?
Renate NST said:
> Good job!
> I wanted to look for this sometime, but you beat me to it.
I wanted to do this since my last failed kernel porting attempt. I hope it helps me debugging non successfully booting configurations.
> ttyS0 is for the (cell phone) radio
> ttyS1 is for the Bluetooth.
Is that an actual android standard, or just some leftovers from the reference platform the nst and nook color are based on (the remains in the init.rc)?
> Could the connector place there be for JTAG?
I think the JTAG is more probably on J151 together with ttyS0, than on U2713.
ttyS0 was the standard console, and it would make more sense that the J151 was used as debug-port.
mali100 said:
> The serial port can be accessed on U2713, pin 2 is RX, pin 3 is TX, device node is /dev/ttyS1.
> I use it with a 3.3V USB-to-UART adapter, but any voltage between 1.2 and 3.6 should be fine, thanks to the TI voltage-level translator TXB0104.
Mali,
My USB-to-UART adapter needs 3.3V (to set “upper voltage” level)
Could you help, where can I get it on the Nook board?
Renate NST said:
> ttyS0 is for the (cell phone) radio
> ttyS1 is for the Bluetooth.
Do you know any devices that can be connected to these ports? It would be great to enable only Bluetooth or even cell phone.
ApokrifX said:
> Mali,
> My USB-to-UART adapter needs 3.3V (to set “upper voltage” level)
> Could you help, where can I get it on the Nook board?
You can use pin 1 of U2713, it's connected to VCCb on the TXB0104. Although the voltage is disabled when the nook sleeps, that shouldn't be a problem.
mali100 said:
> You can use pin 1 of U2713, it's connected to VCCb on the TXB0104. Although the voltage is disabled when the nook sleeps, that shouldn't be a problem.
Ok... But it's gotta be 3.3V somewhere, right?
ApokrifX said:
> Ok... But it's gotta be 3.3V somewhere, right?
Quick! Break the laws of physics and pull power from a penny!
I haven't had a driving need to use this until I tried an upgrade to 1.2 and got a boot loop.
There are various versions of u-boot.bin.
The easiest way to patch it is to simply search for ttyS0 and replace the two occurrences with ttyS1.
ttyS0 appears also in env.txt inside uRamdisk (and uRecRam).
I found an old fax that has the 10 pin connector that fits on the Nook.
I might try to put it on. For now I have the soldered wires.
In any case, the 1.2 boot loops and the last message is:
Code:
binder: 988:1039 transaction failed 29189
I've screwed with a lot of things on my Nook, but the "update" should have wiped about everything.
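Added example, not part of the original post: the ttyS0 to ttyS1 replacement described above, written as a same-length binary patch in Python that refuses to touch an image unless it finds exactly the two occurrences the post mentions. The sample image is a constructed stand-in (its surrounding strings are made up for the demonstration), and the function names are hypothetical.

```python
def find_all(data, needle):
    """Return every offset at which needle occurs in data."""
    offsets = []
    pos = data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets


def patch_console(image, old=b"ttyS0", new=b"ttyS1", expected=2):
    """Replace old with new in place and return (patched_image, offsets).

    The replacement must be the same length as the original string so that
    nothing after it moves inside the binary. Because there are various
    versions of u-boot.bin, the patch is refused when the number of hits
    differs from the expected count instead of guessing.
    """
    if len(old) != len(new):
        raise ValueError("replacement must be the same length as the original")

    offsets = find_all(image, old)
    if len(offsets) != expected:
        raise ValueError(
            "expected %d occurrences of %r, found %d"
            % (expected, old, len(offsets))
        )

    patched = bytearray(image)
    for off in offsets:
        patched[off:off + len(old)] = new
    return bytes(patched), offsets


# Constructed stand-in for a bootloader image: two console strings
# separated by filler bytes. Not taken from a real u-boot.bin.
SAMPLE_IMAGE = (
    b"\x00" * 8
    + b"console=ttyS0,115200n8\x00"
    + b"\xff" * 5
    + b"stdout=ttyS0\x00"
)


if __name__ == "__main__":
    patched, where = patch_console(SAMPLE_IMAGE)
    print("patched offsets:", [hex(o) for o in where])
    print("size unchanged:", len(patched) == len(SAMPLE_IMAGE))
```

Working on a copy of the image and keeping the original file makes it possible to go back if the patched bootloader does not come up.
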
Just a short update:
I soldered in the connector successfully. It looks nice.
The level converter to standard 9 pin "RS-232" is simple and cheesy, 2 resistors and a transistor.
It works fine though. I can see the boot up.
After that I can switch to logcat over ADB over USB.
Here's a really poor photo of my setup.
My next cell phone must have auto-focus and macro mode.
Excellent setup, especially for the ribbon cable! It seems something nice is going to happen in the next days.
Just a bit of an update.
If you want to do your own level shifting you've got access to two UARTs.
The MSP stuff is I2C to the MSP430 microprocessor that handles the touch screen.
You could eavesdrop on that and have a little multitouch pad.
I'm still trying to see which of the rest of the pins are for JTAG on U151.
The other 4 pins on U2713 are 3.3 level but don't come from the TXB0104 level shifter.
The JTAG stuff is apparently on the 22 pin, 0.5 mm pitch CON6.
The four side buttons are on CON6 too.
I've looked at this a bit and I've determined that using UART2 is a dead end.
The TXB0104 is neither powered nor enabled until late in the boot sequence.
Using the default UART1 is a much better choice.
Yes, you could modify things to use UART2 over UART1 but it's an uphill battle.
u-boot has a nice command interface where you can do lots of stuff (edited a bit):
Code:
Texas Instruments X-Loader 1.41 (Dec 7 2012 - 14:34:26)
Starting OS Bootloader from EMMC ...
U-Boot 1.1.4-carbon1.2_1.2.1.24^{} (Dec 7 2012 - 14:34:22)
OMAP3630-GP rev 2, CPU-OPP2 L3-165MHz
OMAP3621-Gossamer 1.2 Version + mDDR (Boot NAND)
DRAM: 256 MB
In: serial
Out: serial
Err: serial
Hardware arch: GOSSAMER rev: EVT3
Power button is not pressed
pmic watchdog time 0
Power Button Active
gossamer charger init
Booting from eMMC
OMAP36XX GOSSAMER # help
? - alias for 'help'
autoscr - run script from memory
base - print or set address offset
battery - gas gauge BQ27520 info
bdinfo - print Board Info structure
boot - boot default, i.e., run 'bootcmd'
bootd - boot default, i.e., run 'bootcmd'
bootm - boot application image from memory
calc - perform mathematical operation
charger - charger BQ24073 info
clock - Manage system clocks
cmp - memory compare
coninfo - print console devices and information
cp - memory copy
crc32 - checksum calculation
date - get/set/reset date & time
echo - echo args to console
epd tests dspon dspoff image1 image2
exit - exit script
fastboot- use USB Fastboot protocol
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls - list files in a directory (default /)
fatsave - save binary file to a dos filesystem
ggflash - flash bq27500 from .dffs script
go - start application at address 'addr'
gpio - set/display gpio pins
help - print online help
ibatck - used to track battery id
ibus - Select i2c Bus
icrc32 - checksum calculation
iloop - infinite loop on address range
imd - i2c memory display
iminfo - print header information for application image
imm - i2c memory modify (auto-incrementing)
imw - memory write (fill)
inm - memory modify (constant address)
iprobe - probe to discover valid I2C chip addresses
itest - return true/false on integer compare
loadb - load binary file over serial line (kermit mode)
loads - load S-Record file over serial line
loady - load binary file over serial line (ymodem mode)
loop - infinite loop on address range
md - memory display
mm - memory modify (auto-incrementing)
mmcinit - initialize mmc
mmc - Read/write/Erase mmc
mspflash- used to flash a new msp430 firmware file
mtest - simple RAM test
mw - memory write (fill)
nm - memory modify (constant address)
printenv- print environment variables
reset - Perform RESET of the CPU
run - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv - set environment variables
setenvmem - set environment variable from memory
sleep - delay execution for some time
test - minimal test like /bin/sh
version - print monitor version
OMAP36XX GOSSAMER #
Just adding the battery pinout to the diagram for completeness.
Excellent! I recently bought a JTAG (http://www.ebay.co.uk/itm/Altera-FP...al_Components_Supplies_ET&hash=item257fc5c582)
I will give it a go... is there anything you'd like me to do?
Cheers
Here's a quick hack to talk to uboot over UART2.
Edit: all that's different is enabling the TXB0104 by setting gpio 37 high instead of low,
and redefining the UARTs so 2 is used instead of 1.
It includes the OP's patch so kernel logs show after boot also.
This second version fixes autoboot. UART2 gets a spurious byte which needs to be cleared, otherwise autoboot never works.
This patch is meant to be applied without the first one; I put the UART numbers back to normal and just changed the index of which gets used for console.
I also enabled ^C checking for the case where bootdelay is zero, so you can't lock yourself out of u-boot by messing with the env variables. (Guess why I decided to do this?)
NB: There is a third UART, uart3. One of the sets of pins it can be muxed onto is the usbhs0_data0 and 1 pins.
These go to the tps65921, which also has a UART mode, whereby we could have UART access over the USB pins without cracking the case.
Droid phones had something similar, called emu-uart. I will look into this more when I get a Nook with a working USB port.
Ok guys, I'm trying to look for the product code registry to change it, because every time I restore the system it goes back to the original one, which is from an operator, and I'd like to have a country variant one. Does anyone know where this registry is?
And the other thing is, how could we add our operator so the roaming triangle is removed?
Thank you guys!
Hello @skyleth,
The product code is never mentioned in the registry.
If the Windows Device Recovery Tool normally detects a Lumia device connected over universal serial bus (USB) to the computer where it is installed, it will then ask you, through its user interface (UI), to select it.
The software then retrieves and uses some information from the Lumia device. Among this, note the presence of a string value representing the product code, written in a file named product.dat, stored in a path of the device provisioning partition (DPP).
Then the Windows Device Recovery Tool software compares this string value with those on the Microsoft Azure repository servers to determine which package it should download. After finding this answer, it downloads a file with the extension *.vpl (variant packing list), which will be stored in a path intended for this under the %ProgramData% environment variable of the computer.
At the same time, the Windows Device Recovery Tool software displays, among other things, an Install software button. Once you are past the three boring steps directly following the press of this button, the package download starts. This involves several files of a few kilobytes (KB) and a *.ffu file (full flash update) of more or less 3 gigabytes (GB), which will be stored in the same path where the *.vpl file was previously downloaded.
Then the Windows Device Recovery Tool software checks that the battery charge level of the Lumia device is at least 25%, then sends it a command to reboot immediately into flash mode. The software checks the status of the anti-theft protection and, whether it is enabled or disabled, starts the package installation.
This involves several steps, such as the cyclic redundancy check (CRC) of the downloaded files, the root key hash (RKH) check of the Lumia device and of the *.ffu file, or the Platform ID check. However, listing all the steps would take much too long.
Once the installation process has completed correctly, the Windows Device Recovery Tool software sends a command to the Lumia device to reboot it normally, thus initiating, a few seconds later, the out-of-box experience (OOBE).
If you want to change the product code written in the device provisioning partition, you can do this easily by using the thor2 program (provided with the Windows Device Recovery Tool software), by executing the thor2 -mode uefiflash -ffufile "Path\Of\FFU\File.ffu" -productcodeupdate 059x -skip_flash -reboot command.
Best regards,
Thank you, it worked! I'm going to try and see if an update pops up and fix the roaming triangle.
I got a hard bricked HTC Desire 816 single SIM, EU version, Qualcomm MSM8928 Snapdragon 400 chipset
I know for sure it's a HTC single SIM phone, the rest I googled with the help of part numbers printed on various parts of the phone.
I can post the numbers if it helps to identify the phone
I guess it's a European model and not an import.
When I connect it to a PC I get a Qualcomm HS-USB QDLoader 9008 (Com4) port detected
I fully charged the battery on an external charger.
I have tried this guide: https://forum.xda-developers.com/t/guide-unbrick-htc-816w-a5_dug-from-hard-bricked-9008.3391110/ but the phone does nothing, when I press Vol- & Power button.
I see the phone in various SW like QFIL but I have no idea what firmware is the correct one.
I would like to read the whole phone content to identify which firmware I need - but how?
Or is there another way to identify the phone? Perhaps restore only the preloader, bootloader ... ?
Any advice how to proceed?
Thank you
Some progress ...
I need QPST or something similar, what is able to flash in emergency download mode - done
I need to download and extract probably suitable firmwares - done
I need a suitable programmer for the MSM8928 - probably done
But the firmwares are not in a usable format for the QPST Software Download.
How do I convert them to mbn or hex?
The firmwares are incomplete, it seems I need a complete mmcblk0 dump ...
It seems I'm out of luck.
I've tried different tools under Windows and Linux (to rule out Windows driver issues) but the result is the same.
I can download the prog_emmc_firehose_8928.mbn but that's it, the port stops responding after that.
I've also tried to boot two images (A5_DUG and A5_DWGL) from a SD Card and nothing, no sign of life.
I know I need an A5_UL image, but I thought the phone should show at least some sign of life, but nothing :-(
The only sign of life is the port in EDL mode, when connected to a PC.
Is the phone dead or is there something else I could try?
I'm out of ideas ...
Some news.
I got some responses to SAHARA commands from the phone:
Attempting to switch device to mode: Command Mode
Device is awaiting client commands
Serial Number: AAA - BBB
Unknown ID 1: 0
Unknown ID 2: 0
MSM HW ID: 32993 - 000080E1
OEM Public Key Hash Hex:
========
Dumping Data For Command: 0x06 - Read Debug Data - 3904 Bytes
========
SBL SW Version: 0
========
Dumping Data For Command: 0x00 - NOP - 16 Bytes
========
Requesting mode switch from Command Mode (0x03) to Memory Debug (0x02)
Devices responded with an error: Invalid Command
Port Closed
Firehose programmer download:
/dev/ttyUSB1 USB VIDID=05c6:9008 Qualcomm CDMA Technologies MSM QHSUSB__BULK
Connected to /dev/ttyUSB1
Reading hello handshake
Device In Mode: Image Transfer Pending
Version: 2
Minimum Version: 1
Max Command Packet Size: 1024
Device requesting 80 bytes of image 0x0D - EHOSTDL
Sending image /prog_emmc_firehose_8928.mbn
Image /prog_emmc_firehose_8928.mbn successfully sent.
If there are no more images requested, you should send the done command.
Sending Done Command
Done Command Successfully Sent
No response from device
It seems that the prog_emmc_firehose_8928.mbn is not the correct one ...
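The hello handshake and the 80-byte image request printed in the log above can be decoded from raw bytes as follows. This is an added example, not part of the original post or of the tools used in it; the packet layout follows the commonly described Sahara format (an assumption here), and the sample bytes are constructed to match the logged values.

```python
import struct

# Sahara command IDs, modes and the image ID that appear in the log above.
# Field layout is the commonly described one (assumption, not from the post).
CMD_HELLO, CMD_HELLO_RESP, CMD_READ_DATA = 0x01, 0x02, 0x03
MODES = {0x0: "Image Transfer Pending", 0x1: "Image Transfer Complete",
         0x2: "Memory Debug", 0x3: "Command"}
IMAGE_IDS = {0x0D: "EHOSTDL"}


def parse_sahara(packet: bytes) -> dict:
    """Decode one little-endian Sahara packet (HELLO or READ_DATA only)."""
    if len(packet) < 8:
        raise ValueError("truncated header")
    cmd, length = struct.unpack_from("<II", packet, 0)
    if length != len(packet):
        raise ValueError(f"length field {length} != {len(packet)} bytes received")
    if cmd == CMD_HELLO:
        if length != 0x30:
            raise ValueError("HELLO must be 48 bytes")
        version, min_version, max_cmd_len, mode = struct.unpack_from("<IIII", packet, 8)
        return {"cmd": "HELLO", "version": version, "min_version": min_version,
                "max_cmd_len": max_cmd_len,
                "mode": MODES.get(mode, f"unknown 0x{mode:02X}")}
    if cmd == CMD_READ_DATA:
        if length != 0x14:
            raise ValueError("READ_DATA must be 20 bytes")
        image_id, offset, size = struct.unpack_from("<III", packet, 8)
        return {"cmd": "READ_DATA", "image_id": image_id,
                "image": IMAGE_IDS.get(image_id, "unknown"),
                "offset": offset, "size": size}
    raise ValueError(f"unhandled command 0x{cmd:02X}")


def hello_response(hello: dict, mode: int = 0x0) -> bytes:
    """Build the host's HELLO_RESP, echoing the device's versions (status 0)."""
    return struct.pack("<IIIIII", CMD_HELLO_RESP, 0x30, hello["version"],
                       hello["min_version"], 0, mode) + bytes(24)


# Constructed sample packets carrying the values printed in the log.
SAMPLE_HELLO = struct.pack("<IIIIII", CMD_HELLO, 0x30, 2, 1, 1024, 0x0) + bytes(24)
SAMPLE_READ = struct.pack("<IIIII", CMD_READ_DATA, 0x14, 0x0D, 0, 80)

if __name__ == "__main__":
    hello = parse_sahara(SAMPLE_HELLO)
    print(hello)
    print(parse_sahara(SAMPLE_READ))
    print(hello_response(hello).hex())
```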
I am a very happy owner of Huawei e8372h-153 that has firmware version 21.210.03.01.1080 and much less happy owner of similar device that has firmware version 21.333.03.00.00
I am looking to downgrade the 21.333.03.00.00 to 21.210.03.01.1080.
Is there a linux based way to dump firmware (and webui) from device 21.210 to file(s)? This would provide a backup before I start playing with these devices a little bit more...
Dumping the images is one important step in a backup procedure, and restoring is as important. There is more info available on that, but most solutions require Windows OS and custom software. Is there a way to do it on Linux using a standard toolset (or optionally some custom tools, but these would need to have source code available for me to trust them)?
I don't want to use images available on the network as I also can't trust them without verification and for that I would have to do lots of binwalking.
My initial goal is to replace/downgrade the firmware on the device 21.333 (and my ultimate goal is to get images that I can binwalk and learn from).
So far I have been able to explore these devices a bit.
After connecting to USB, the device is shown (lsusb) as
12d1:1f01 Huawei Technologies Co., Ltd. E353/E3131 (Mass storage mode)
then two interesting devices appear /dev/sr0 (8MB mounted on /media/${USER}/MobileWiFi) and /dev/mmcblk0p1 (memory card partition mounted as /media/${USER}/1234-6789).
usb_modeswitch with option --huawei-alt-mode switches this device to
12d1:155e Huawei Technologies Co., Ltd. HUAWEI_MOBILE
then /dev/ttyUSB0, /dev/ttyUSB1 and /dev/ttyUSB2 appear in /dev (the first one allows for AT commands execution, function of the remaining TTYs is unclear to me, but I would love to find out soon)
usb_modeswitch with --huawei-new-mode option switches from device 12d1:1f01 to
12d1:14db Huawei Technologies Co., Ltd. E353/E3131
then only the memory card related devices appear and from what I understand the device is in hi-link mode (it is accessible from browser as 192.168.8.1)
after connecting with test pin number 2 connected to GND I get
12d1:1443 Huawei Technologies Co., Ltd. USB COM
here the device seems to be in boot mode (?) exposing only one TTY (/dev/ttyUSB0) that I have no clue how to use (as I want to avoid using any unverifiable software and Windows OS). BTW In this mode memory card partition also seems to be available.
My main question is: Where to search/explore from here to get dumps of firmware and webui partitions from the 21.210 device and restore from these (preferably also on 21.333 device -- fingers crossed).
Bonus question(s): Where can one learn more about the functionalities of /dev/ttyUSB1 and /dev/ttyUSB2 (in alt mode), what is /dev/sr0 (in storage mode), and how to use /dev/ttyUSB0 (in boot mode)?
Any help/suggestions much appreciated
Below I include the output of the ^AAT^VERSION? command for both (21.210 and 21.333) devices
Code:
# DEVICE 21.210 (happy days)
^VERSION:BDT:Apr 13 2015, 19:43:32
^VERSION:EXTS:21.210.03.01.1080
^VERSION:INTS:21.210.03.01.1080
^VERSION:EXTD:WEBUI_17.100.09.02.1080
^VERSION:INTD:WEBUI_17.100.09.02.1080
^VERSION:EXTH:CL1E8372HM Ver.A
^VERSION:INTH:CL1E8372HM Ver.A
^VERSION:EXTU:E8372
^VERSION:INTU:E8372H-153
^VERSION:CFG:1005
^VERSION:PRL:
^VERSION:OEM:
^VERSION:INI:E8372hCUST-B01C00
Code:
# DEVICE 21.333 (devils' half)
^VERSION:BDT:Nov 13 2019, 09:37:21
^VERSION:EXTS:21.333.03.00.00
^VERSION:INTS:
^VERSION:EXTD:WEBUI_17.100.21.02.03_RE5
^VERSION:INTD:
^VERSION:EXTH:CL1E8372HM Ver.A
^VERSION:INTH:
^VERSION:EXTU:E8372
^VERSION:INTU:
^VERSION:CFG:1005
^VERSION:PRL:
^VERSION:OEM:
^VERSION:INI:E8372hCUST-B00C00
maybe @ValdikSS can provide any help or suggestions?
also see: https://www.sciencedirect.com/science/article/pii/S1742287613000479