Upload Mode - Bada Software and Hacking General

There are several modes that Wave bootloader supports for certain purposes. The normal mode and low power mode just start the Nucleus kernel. I'm also pretty sure everybody knows what a DOWNLOAD MODE is (one with the red letters, but if initiated from Bada it can also display a download picture) that you use to change the firmware installed in the phone OneNAND. There is, however, another interesting mode that bootloader executes if something dies - it's an UPLOAD MODE that looks a bit similar to download mode (text written with yellow letters). There is a different set of commands that bootloader accepts when in this state and there should be some tool able to communicate with the phone. The mode is not really wave specific as SBL bootloader for Galaxy does also implement it.
Does anybody have information about the mode itself or the tool for that? I can provide some more details about commands if necessary.

I saw this also on U700.
But no idea how to use it, nor which tools have access...
Best Regards

Maybe you can get a little information with this?
http://sourceforge.net/projects/usbsnoop/
And for this program maybe you can ask the developer Przemeksis624 [bada-world.pl], Poland
http://www.megaupload.com/?d=60YZ93Z6

Thanks, but these are just random links... having nothing to do with what I'm asking

MemSetUpload
Set Phone to Upload mode
and
SetAutoUpload
SetAutoUpload
Commands found in apps_compressed...
Maybe if WinComm needs an initial AT Command...
AT+WINCOMM (UE AWAKE Info)
Best Regards

I suggest tweeting @samfirmware
He has an insider at samsung (so he can get FW's and such) so maybe he can provide you with a tool

Code:
> cmd="SaveDebugToFile on"
EXCEPTION > Save Debug Message To File is On!
Any news about Upload Mode?
I'll try few Dev Commands and see what happens...
Best Regards

Please try to look for that "Debug File" and send it to me if you can.
Upload Mode can be easily accessed by modifying bTerm, but I'm too lazy to do it in the next few days.

adfree said:
Any news about Upload Mode?
I'm planning to implement that. My phone in this mode is not recognized as a USB device, unfortunately. Maybe there's some additional configuration that I'm not aware of. Do you see a modem port after you connect the phone in upload mode?

Do you see a modem port...
I will check this.
I can remember that I also did not see this... some user told me where to look.
Maybe it's not under Modem... check where the other COM Port devices are...
Maybe Multiloader sees the port...
I'll report if I get Upload Mode...
Best Regards

Again wrong... from me.
I can see it under Modem in device manager...
Multiloader shows me 2 Ports... same like in "normal mode"
1 for modem
second is my Diag Port... for Debug
Best Regards

adfree said:
Again wrong... from me.
I can see it under Modem in device manager...
Multiloader shows me 2 Ports... same like in "normal mode"
1 for modem
second is my Diag Port... for Debug
Best Regards
Thanks. I think it might be related to my debug settings - how did you configure it? Are you using rsrc2 in mid?

Are you using rsrc2 in mid?
During Multiloader flash it is no longer "mandatory"... for me.
So sometimes I take Low, sometimes Mid...
I don't know which one I actually took.
But as I often use WinComm... I enter manually:
*#33284*#
I use High...
Second thing, it depends on the firmware... maybe go in the handset to USB blabla... set Debug. Maybe mandatory in bada 2.0 firmware...
Best Regards

OK. It seems I'm able to communicate and receive acknowledgements. Later I'll try to find out what params I need to pass to the dataxfer command to retrieve something useful.

I've made a quick modification to bterm with new upload command.
It takes two addresses as arguments that are ranges of mapped memory to be dumped.
Bootloader also implements some special values:
- 1EEEFFC 1EEEFFF returns size of the flash dump (FSR_BML_GetDumpSize)
- 1FFFFFC 1FFFFFF returns 3 little-endian values: [BuildInfoAddr] 0x12345678 0xA0000000
- 3FFFFFC 3FFFFFF executes UploadReset

Nice this sounds great.
Maybe we can also handle the DEV Command ...
Memcpy address length
In every situation, to see what is stored in RAM...
In U700 I can do this...
In S8500 it failed...
I know bterm can do this. But it seems only once at start.
Thanx for the research.
Best Regards

In upload mode you have basically several different options depending on the address. You can read RAM, the FTL or FSR dump, CP side RAM, and it's standard functionality so you don't need to install anything in the phone. Works with any bootloader and apps.

Maybe very useful in combination with these commands:
MemSetUpload
(Set Phone to Upload mode)
SetAutoUpload
Thank you.
Best Regards

adfree said:
Nice this sounds great.
Maybe we can also handle the DEV Command ...
Memcpy address length
In every situation, to see what is stored in RAM...
In U700 I can do this...
In S8500 it failed...
I know bterm can do this. But it seems only once at start.
Because Windows is a trashcan and can't properly handle transferring anything through a virtual COM USB port without hundreds of lines of code. bTerm for Linux works a few times faster and better IMO; if you've got some Linux installation, try it out: all you need is to download the sources, use apt-get install gcc (or just install the gcc package if you don't have apt-get), browse to the sources directory in the command line and type "make", then you can execute bTerm in the same command line.

I am a complete Unix idiot.
In 20 years I have maybe installed Linux 10 times... SUSE...
Maybe used it 10 minutes...
Last time 10 years ago...
This is also a reason why I can't help with Android...
My little brain is too small, and I have ZERO Unix/Linux knowledge and no compiler skills.
I am a stupid Windows fan boy.
Especially my beloved XP.
Best Regards
P.S.:
Not enough space in my brain, to learn also Linux/Unix thingies...
I am tooooo old for this.

Related

How to use Bitpim with the Kin 2(tutorial)

I have seen many people asking about bitpim and the kin phones and many with no solutions or answers to their questions. It IS possible to use bitpim to view the file system with these devices. I haven't seen any tutorials on how to do it so I've decided to post a step by step guide.
The things you will need:
Kin Two or Kin TwoM (I have not been able to test this on a Kin One or OneM)
A micro usb data cable
Bitpim
Drivers for the Kin available below
http://rapidshare.com/files/439206164/KinPixiPreCentroTreo800w_etc_DiagDrivers.zip
Don't worry about fixing the error in the qcser.inf, since I have already done this for you.
I would like to thank jennydevil for reminding us that these drivers are for 32-bit not 64-bit operating systems.
Step 1
On your kin device go to the phone application. Once there dial ##77647266488 and call. It will ask you for your Service Programming Code. The default code is 000000. You will now be in a menu labeled "SETTINGS". Navigate to OTHER and then swipe to the left. Here you will see PPro, USB Pass-Through, and USB VID Stream. All of these options will be off. You will want to turn USB Pass-Through on.
Step 2
Now connect your phone to your Windows PC. Your pc will try to find a driver called "Pink CDMA diagnostics" and will fail. Fear not. Open the start menu and right click on Computer then Manage. On the menu to the far left click device manager. In other devices you will see the Pink CDMA diagnostics. Right click it and press "Update Driver Software". Click "Browse My Computer for Driver Software". Browse for the location of the drivers downloaded earlier and click next. It will show a warning that the drivers are not signed. Continue anyways.
Step 3
Now you are ready to open up bitpim. Set it to the same COM as the phone and make sure in the View menu that View Filesystem is checked. Now feel free to browse through the file system of your kin.
If you run in to any problems feel free to ask questions. If you have any ideas or information to make this tutorial more useful feel free to speak your mind.
Fantastic!!
This is a great start to making our Kin experience much better! Thank you, and keep up the solid work! Your friends at Microsoft Kin Forums thank you as well! Check our sites for updates that could help, and together we can make KIN the phone it truly can be!
social.answers.microsoft.com/Forums/en-US/pmxphone/threads
link to MS kin forums (gotta add http)
Thank you for putting the tutorial together (and posting the pre-fixed drivers)! In case anyone else runs into the same hiccup I did - the drivers are for 32-bit OS, not 64-bit OS. Once I used the right system, the drivers and BitPim worked like a champ.
Thanks again!
I can see filesystem
Hey thanks, I can see the filesystem, I think? It says nothing is detected when I manually set the phone. I cannot "get phone data" but can read the filesystem.
.efs_private
CGPS_ME
CGPS_PE
DMU
...etc
But what does this all mean? Can I access ringtones/sounds to edit the list? Please all I want is to add and delete ringtones! Ugh why is this so difficult. Anybody know how to do this?
sabernat said:
Hey thanks, I can see the filesystem, I think? It says nothing is detected when I manually set the phone. I cannot "get phone data" but can read the filesystem.
.efs_private
CGPS_ME
CGPS_PE
DMU
...etc
But what does this all mean? Can I access ringtones/sounds to edit the list? Please all I want is to add and delete ringtones! Ugh why is this so difficult. Anybody know how to do this?
No at the moment you can't do that with BitPim but you can email a ringtone to your phone.
Help in step two
Cannot find the driver location on Windows Vista. I can get to the Windows32 file/ then to the driver file, but not the newly downloaded drivers as in step two.
Thanks
Ah ok, dang. Problem is... Kin has no function to delete ringtones. So once it's on, it's on forever. I just can't commit to that.
Moved to KIN two forum and stickied.
Also, fix the rapidshare link, the file seems to be unavailable.
jekikeyes said:
Cannot find the driver location on Windows Vista. I can get to the Windows32 file/ then to the driver file, but not the newly downloaded drivers as in step two.
Thanks
Download the drivers extract them somewhere like a folder on your desktop. Let's call the folder kindrivers. Then when you are browsing to the files you would go to C: (or the drive vista is located on)/Users/Yourusername/desktop/kindrivers
Hope that helps.
Any chance we'll be able to get 64-bit drivers soon?
activesack said:
Any chance we'll be able to get 64-bit drivers soon?
Not unless someone wants to take the time to write them.
After trying it myself I am not convinced that "we" are seeing anything. It states no phone is connected. There are no signs that I see anything from the phone. Keep trying and keep posting.
dezgrz said:
Not unless someone wants to take the time to write them.
someone please do
Kin_Two 2
I am at a loss. I did all the steps, plus the driver download. Everything went fine. I can see what port the phone is using, and have it set on bitpim. When I go to detect the phone on bitpim, it cannot find the phone. Have tried on two different computers and cannot get it to work. Bitpim cannot find the phone, any thoughts?
Ron
phoneinu said:
I am at a loss. I did all the steps, plus the driver download. Everything went fine. I can see what port the phone is using, and have it set on bitpim. When I go to detect the phone on bitpim, it cannot find the phone. Have tried on two different computers and cannot get it to work. Bitpim cannot find the phone, any thoughts?
Ron
Bitpim won't find the phone; you have to manually set it to the correct COM port.
I found the COM port in device manager. It has been set, but it says it still cannot detect the phone. When I go to settings in bitpim, I go to Verizon Wireless, Motorola, and then Kim? Is that correct? There is no Kin, just Kim, so is that the same thing?
Ron Fone
phoneinu said:
I found the COM port in device manager. It has been set, but it says it still cannot detect the phone. When I go to settings in bitpim, I go to Verizon Wireless, Motorola, and then Kim? Is that correct? There is no Kin, just Kim, so is that the same thing?
Ron Fone
It won't detect it. Just show the file system. Just set it to other cdma.
Hey, I'm about to be forced to get the Kin TwoM (it's the best phone on Verizon without a data plan). Has there been any progress on the ROM dumping front? It seems like you would know. Thanks...
Just wanted to post in here saying that I just got myself a Kin TwoM this weekend without knowing anything about its limitations or potential. I got it working with BitPim using this tutorial, but... yeah, I have no idea what to do now. I'll certainly be watching this board for anything cool that comes of this, though!
Well, I have had my Kin TwoM for more than a week. I am probably going to return it; it's a shame because it is not a bad little phone. Microsoft and Verizon will be the death of this thing. Know what to do about my cell phone?
Ron

Kin 2 nvidia tegra

So I tried to flash android on to the phone using the tegra 250 images when I realized I need the apx series images for android. The thing about that is I can't find them anywhere. Anyone have any idea where a development site for the tegra apx series is? It seems Nvidia has no support for the old series anymore.
How do you upload android to the phone? What program or steps do you use? Is there a debug mode or recovery mode? I believe we have to make our own images.
I was using a program provided by nvidia for programming a tegra based development kit. It is capable of flashing android and windows ce 6. If anybody with more experience would like to take a look at the drivers images and program here are the files.
http://tegradeveloper.nvidia.com/tegra/downloads
Don't the images you are looking for have to have drivers for the hardware interfaces specific to this phone?
stetkas said:
Don't the images you are looking for have to have drivers for the hardware interfaces specific to this phone?
I wasn't exactly worried about the hardware working as much as getting android onto the tegra and viewing the os. Creating drivers is the easy part.
dezgrz said:
I wasn't exactly worried about the hardware working as much as getting android onto the tegra and viewing the os. Creating drivers is the easy part.
Do you think you could write a driver for this?
APX
USB\VID_0955&PID_7416&REV_0103
USB\VID_0955&PID_7416
This VID supposedly belongs to Nvidia. This is the device that is found by Windows if you plug your phone into the usb when it is turned off and then press the u+s+b+power buttons.
I tried the Recovery Mode, like the person described above me, and it came up with the APX device. So, if someone makes a driver for that, then we might be able to jailbreak it? (iPod Touches and iPhones jailbreak through Recovery Mode). This doesn't seem much different from an iPhone or an iPod Touch.
I found a driver that we might be able to modify to give us access. I downloaded both the froyo and c36 downloads available from the tegra site that was mentioned earlier. http://tegradeveloper.nvidia.com/tegra/downloads
These file paths could be different if your hard drive has a different drive letter and perhaps also if you have a 64-bit processor, but I found the drivers in the following directories.
C:\Program Files\NVIDIA Corporation\tegra_froyo_20101105\usbpcdriver\NvidiaUsb.inf
C:\Program Files\NVIDIA Corporation\ce6_tegra_250_5265393\os\usbpcdriver\NvidiaUsb.inf
These drivers have the hardware ID in the inf file and so Windows recognizes it and starts to install the driver and finishes, but says there is an error. I'll keep working on it though.
So, the drivers do actually work; it was my computer that was causing the problems, not the drivers. Now that the drivers are installed I think we can use the SDKs provided by Nvidia on the Tegra download page.
If this works, we now have a serious decision to make. Do we try to get android on the phone or do we stick with the Windows CE based os?
mcdietz said:
So, the drivers do actually work; it was my computer that was causing the problems, not the drivers. Now that the drivers are installed I think we can use the SDKs provided by Nvidia on the Tegra download page.
If this works, we now have a serious decision to make. Do we try to get android on the phone or do we stick with the Windows CE based os?
Personally, I would rather stick with current OS. Just because I don't want to brick my phone. Maybe have some additions to the current OS? Enable hidden features or something? Customizations? etc?
First off, I wanted to thank everyone who is working on trying to develop an update to improve on the Kin Two. I currently am interested in getting the TWOm when my contract expires, but there is a dealbreaker for me, which is that the phone does not alert you when you have a missed call. I know there are other annoying flaws (pointed out in detail at the Verizon forums by fisharefriends), but this is the only flaw I cannot deal with.
I do not know what is possible of being changed/edited, but I think mcdietz should focus on implementing basic functions that are currently not on the Kin Two phone, but are on other simple lower spec feature phones.
zero2duo said:
First off, I wanted to thank everyone who is working on trying to develop an update to improve on the Kin Two. I currently am interested in getting the TWOm when my contract expires, but there is a dealbreaker for me, which is that the phone does not alert you when you have a missed call. I know there are other annoying flaws (pointed out in detail at the Verizon forums by fisharefriends), but this is the only flaw I cannot deal with.
I do not know what is possible of being changed/edited, but I think mcdietz should focus on implementing basic functions that are currently not on the Kin Two phone, but are on other simple lower spec feature phones.
Implementing missing features... That's a good start. Also, would it be possible to make it a USB device (so you can go into the phone and, let's say, change the default themes)?
@mcdietz
Humm, I installed all those downloads a long time ago (I guess when posted or before), but didn't test the drivers with the APX connection.
It worked with errors in a Linux connection to the USB (got device errors while reading from the USB device) and didn't work with a virtual machine (though vmware detected it).
On the other hand, it worked ok on a Win7 real machine and got the driver installed.
I tried to flash android on the device, using the provided images (heh, tests...) and nvflash. But you always get an error on the first try and then, in further attempts, you get a "Starting flash" message loop which does nothing.
Same results if you try to do "nvflash --get-partitions" (stuck at 2nd attempt).
You may think that it's a non-working thing, but if you don't connect the device, nvflash.exe outputs that there is no USB device connected.
A little weird...
I would want to have android on the Kin (as I think that has more future than our wince version, looking @ tegra forums) and anyway, if we can somehow read/write the phone ROMs, we can make a backup of the current OS.
Installed the same tools on Linux (native, no emulation) and the flash option didn't work here either (normal / root user).
Code:
./nvflash --getpartitiontable test.log
outputs (if no phone connected)
Nvflash started
no usb phone found
outputs (if Kin on APX connected)
Nvflash started
rcm version 0X4
Command send failed (usb write failed)
in the first attempt. Then if called again, seems to get frozen on "Nvflash started" message.
Maybe the recovery has no way to get that data....
Windows Phone Connector?
has anyone tried using the program WP7 connector for the KIN? it works with the zune hd so why not the KIN?
Mmm just to inform....
This is what (physically) happens when the Kin is on the nvflash attempts. The phone must be just booted (no previous nvflash attempt in this boot).
Code:
PC <- Kin: 80 30 18 16 B9 E8 00 00
PC -> Kin: [1028 bytes of data]
PC <- Kin: 04 00 00 00
PC -> Kin: [39252 bytes of data]
Seems like the response we get (rcm 0x04000000) and the next write are done with the device autolocked, so the last PC -> Kin fails.
Further attempts do not try the same procedure but directly send the last 39252-byte packet again, failing and getting stuck.
Using some self-made software (because no other works so far), I repeated the same procedure, changing the first "byte pack" to send a lame pack, and this is the output:
Code:
# ./kingateway
Opening the controller
Checking for kernel attaching
Claiming the interface
Reading from the Kin.
Received data. 8 bytes. Content:
80 30 18 16 B9 E8 00 00
Writing [02 01 00 00] to the Kin.
Reading Kin response.
Received data. 4 bytes. Content:
08 00 00 00
Writing again to the Kin
KinGATEWAY:: Error while writing to the KIN. Error Code is -9 EXITING.
So in short, it fails again (haha, expected... really), but the second response from the Kin is not "0400...00" but "08 00 ... 00", meaning an rcm 0x0800..000 or whatever that means.
The above error ("autolock"), tagged as error code "9" on the program, is an integrity-defense method from the Kin, not for the flashing issue but for the "command sent" over USB, which is wrong or unknown on how to operate, and is called "Endpoint Stall". It is a way to express "You're doing it wrong and I won't hear you again".
One of my ideas is that this version of nvflash is not what was used to operate with the Kin, and all we get are not errors or devil's corporation actions but incompatibility protections.
What we need, from my point of view, is the Tegra SDK and/or a document where the responses from an APX device are listed (like 0x04000 is "wrong certificate" and 0x08000 is "certificate too short", etc.), so we know what it's telling us. Maybe it's easier to contact nVidia for "old" SDKs than ROMs...
I hate to be a party crasher, but I think this thread needs to be bumped? Why did this thread randomly die? Maybe I'm missing something.
I believe it died because johnkussack doesn't have a working Kin right now and I don't believe anyone else here wants to try things that may "brick" their phone (I'm one of them). I'm currently trying to buy another Kin Two (or, uh, two), then I'll definitely be digging deeper into those. I may try a hardware route on one and a software route on the other.
This is definitely the most exciting thread in the Kin Two section of xda!
It's been a while but I now have a working KIN device and can continue my efforts. Using the resume mode command to try and force nvflash to write to the kin it displayed a message that said "writing" and then displayed "Failed to perform the following commands: create". It's been a PITA but I feel I will get something written to the device soon.
dezgrz said:
It's been a while but I now have a working KIN device and can continue my efforts. Using the resume mode command to try and force nvflash to write to the kin it displayed a message that said "writing" and then displayed "Failed to perform the following commands: create". It's been a PITA but I feel I will get something written to the device soon.
Before doing what I lastly underlined, considering what I underlined first... I suggest that you do the reading part, relating to the partition listing.
Just a safe way to find out if the experiments work. Then you can write... with a bit of safety on your side. I mean... you know that testing things by writing might not be the best idea regarding brickings.

The opening of the Wave bootloader through FOTA

Hi everyone,
Many people have complained about the Wave bootloader being closed and that being a major problem for the development of an alternative OS.
I had a closer look at the booting process and would like to contribute my observations to the community. I shall have little time (next to none) to work on it further, so I'd like someone to take it from this point.
OK, that said I can introduce you to what I found:
The booting process starts with initialization of the hardware, interrupts, etc. and gets to the selection of the booting mode. This is the place that checks the key combination, JIG and possible problems. Based on this, the bootloader will run the phone in normal boot mode, or go to download or upload mode.
Normal boot shall start with checking the FOTA module. If you already tried flashing your phone you probably noticed that some versions of the FW include a file with *.fota extension. The file is unencrypted and not signed. It's about 2MB, but the bootloader reserves exactly 3MB for it. FOTA is intended to be used for firmware update over the air, but I know nothing about it being used for Wave. You may read something about the design and get a concept of that process here:
http://www.freepatentsonline.com/pdfb/documents/usapp/patent_pdf/2010/017/US20100175062/pdf/US20100175062.pdf
Basically, it is possible that boot would need to perform some actions that are a result of FOTA. Therefore, during the normal boot it reads the FOTA module from the NAND (0xC600000) and checks whether the module exists and is in the right version. That is done by checking a magic (text "FOTA_ENGINE_VER_INFO_2.0") under the 0xC600100. If it is found missing or incorrect you will end up with the message "FOTA Engine is not intalled" or "FOTA Engine version mismatch" on the screen and you will need to restart your phone in the download mode to load it.
After that, the code checks for an additional magic value at 0xC880000. In case it is "BPDZ" it jumps to the code in the FOTA file. The contents of the file are loaded to RAM location 0x43800000 and executed from there.
I've made an experiment as a proof-of-concept and have confirmed that the above is true and valid information. I crafted a FOTA file longer than the usual attached one (to be bigger than 2,5 MB). In case you want to repeat that, remember that the last 1024 bytes are not loaded, and insert additional data before that. My file had two magic values:
"FOTA_ENGINE_VER_INFO_2.0" at 0x100 offset and "BPDZ" at 0x280000. At offset 0 I've placed my code that started with several NOPs (just in case) and code that called original bootloader functions to display text on the screen.
After loading the file with Multiloader, the message appeared on the screen as expected. Reloading of the original FOTA file made the phone boot normally.
The discovery opens a wide area of possibilities, starting with replacing the bootloader without signing it or using JTAG, multiboot, etc.
As the original bootloader is in the memory as well, we can use it, but I would not recommend that approach as we would need additional version control and changing original routines and data addresses for each version.
OK. I hope I made it clear enough to understand, but I can clarify what I might have omitted in the description. The idea is that someone here would pick that up from where I finished and develop a decent loader leaving the original files (apart from FOTA) untouched.
Best Regards,
mijoma
-----------------------------------
Edit: Added proof-of-concept FOTA file (based on XXJL2 FOTA). Use wisely - remember you take full responsibility for what you load on your phone. Works ONLY with XXJL2 bootloader.
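As an added example (not mijoma's code or any Samsung tool), a small Python checker that mimics the FOTA decision path described above so an image can be inspected before it is flashed: the version magic at 0xC600100, the "BPDZ" magic at 0xC880000 (which is why the file must exceed 2.5 MB), the 1024 unloaded tail bytes and the 3 MB reservation. The exact rule for "not installed" versus "version mismatch" (erased region versus wrong string) and the use of zero bytes as placeholder code are assumptions; the sample images are constructed here.

```python
# Added example: inspect a FOTA image the way the post says the Wave
# bootloader does.  Not code from the thread or from Samsung.

FOTA_NAND_ADDR = 0xC600000                    # NAND address the module is read from
FOTA_RESERVED_BYTES = 3 * 1024 * 1024         # bootloader reserves exactly 3 MB
VERSION_OFFSET = 0xC600100 - FOTA_NAND_ADDR   # 0x100
VERSION_MAGIC = b"FOTA_ENGINE_VER_INFO_2.0"
BPDZ_OFFSET = 0xC880000 - FOTA_NAND_ADDR      # 0x280000 == exactly 2.5 MiB
BPDZ_MAGIC = b"BPDZ"
RAM_LOAD_ADDR = 0x43800000                    # where the module lands in RAM
TAIL_NOT_LOADED = 1024                        # last 1024 bytes are never loaded


def loaded_part(image: bytes) -> bytes:
    """Bytes the bootloader actually copies: the file minus its last 1024 bytes."""
    return image[:-TAIL_NOT_LOADED] if len(image) > TAIL_NOT_LOADED else b""


def min_size_for_bpdz() -> int:
    """Smallest file in which the BPDZ tag still lies inside the loaded part."""
    return BPDZ_OFFSET + len(BPDZ_MAGIC) + TAIL_NOT_LOADED


def analyse_fota(image: bytes) -> dict:
    """Return the verdict the post describes for a FOTA image.

    verdict: 'missing'  -> "FOTA Engine is not installed"
             'mismatch' -> "FOTA Engine version mismatch"
             'normal'   -> boot continues normally
             'jump'     -> bootloader hands control to code inside the module
    """
    result = {
        "size": len(image),
        "fits_reservation": len(image) <= FOTA_RESERVED_BYTES,
        "verdict": None,
        "entry_point": None,
    }
    data = loaded_part(image)

    # 1. Version magic at 0xC600100.  Assumption: an absent or erased
    #    (all 0xFF) region counts as "not installed", any other string that
    #    differs from the magic as "version mismatch".
    ver = data[VERSION_OFFSET:VERSION_OFFSET + len(VERSION_MAGIC)]
    if len(ver) < len(VERSION_MAGIC) or ver == b"\xff" * len(ver):
        result["verdict"] = "missing"
        return result
    if ver != VERSION_MAGIC:
        result["verdict"] = "mismatch"
        return result

    # 2. "BPDZ" at 0xC880000 makes the bootloader jump into the module.  The
    #    tag is only seen if it sits inside the loaded part, so a stock-sized
    #    (~2 MB) file, or a tag in the last 1024 bytes, never triggers it.
    tag = data[BPDZ_OFFSET:BPDZ_OFFSET + len(BPDZ_MAGIC)]
    if tag == BPDZ_MAGIC:
        result["verdict"] = "jump"
        result["entry_point"] = RAM_LOAD_ADDR   # code at file offset 0 in the PoC
    else:
        result["verdict"] = "normal"
    return result


def make_sample(size: int, with_bpdz: bool, version: bytes = VERSION_MAGIC) -> bytes:
    """Constructed sample image (not a real Samsung file); zero bytes stand in
    for whatever code would sit at offset 0."""
    buf = bytearray(size)
    buf[VERSION_OFFSET:VERSION_OFFSET + len(version)] = version
    if with_bpdz:
        buf[BPDZ_OFFSET:BPDZ_OFFSET + len(BPDZ_MAGIC)] = BPDZ_MAGIC
    return bytes(buf)


if __name__ == "__main__":
    for name, img in [
        ("stock-like 2 MB", make_sample(2 * 1024 * 1024, with_bpdz=False)),
        ("tagged, minimal", make_sample(min_size_for_bpdz(), with_bpdz=True)),
        ("tagged, over 3 MB", make_sample(4 * 1024 * 1024, with_bpdz=True)),
    ]:
        r = analyse_fota(img)
        print(f"{name:18s} size={r['size']:8d} verdict={r['verdict']:8s} "
              f"fits={r['fits_reservation']} entry={r['entry_point']}")
```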
Very interesting ... great job
My little knowledge/experiments...
1.
Before, I NEVER manually updated FOTA. I never saw any errors like other users... with FOTA not installed or something similar.
Maybe the reason is that my test device has NO active SIM card, so no network...
2.
I've tested examples from mijoma. On XXJL2 Boot...
Simple only flash FOTA with Multiloader.
At your own risk. Not all side effects known.
I had NO problems.
3.
Results... I can't see anything special after flashing. But I can go through the internal menu, see pictures.
http://forum.xda-developers.com/showthread.php?t=906966
Normally I have more messages... but with modified FOTA Wave restarts. So the way is correct.
4.
Delta files are sometimes in Firmware also with Boot... I will add next Link to what I found about Delta files...
Delta Files are part of FOTA concept...
5.
Depend on Firmware... Software update... but sometimes is this point removed and I can't login, because no network...
In other words, I have to start FOTA over this internal menu to see that it is doing something.
Best Regards
@adfree
I think you are testing the previous version. Could you confirm you are using mod version 2?
Best Regards,
mijoma
bplib_S8500OpEuro_XXJL2_mijoma_mod2.zip
You are right, not tested yet. Only the prior version.
I will test mod2 today and report later.
I have to flash back to XXJL2... as I'm currently playing with Orange JE7.
Thank you.
Best Regards
YT: watch?v=A35k3E1F1O4
It's working....
Best regards.
Amazing job dude. It seems like this could help us to change booting stuff
Nice work mijoma !!!
I can confirm it works.
Now I see the same as on this video:
http://www.youtube.com/watch?v=A35k3E1F1O4
Thanx jedil1 for Link.
Sorry mijoma.
I have no idea where I made mistake...
This time my first Test was Full Flash (without Boot)...
Second only FOTA and it works too... Original, then yours...
If you flash "Full", then you interrupt the Index process at Start, where Blue Screen shows...
Best Regards
Great job!!!
And in my opinion, this is the only way to start fully working android on the s8500,
because we need to initialize the modem at the bootloader stage for the fuel gauge.
I temporarily use the modem from m130k without fuel gauge.
Few Firmware packages have Delta files:
Code:
delta.bin
delta_AP.bin
delta_CFS.bin
delta_CP.bin
delta_CRSRC.bin
delta_FS.bin
delta_LFS_01.bin
delta_LFS_02.bin
delta_RSRC2.bin
Around 16 MB...
If I use Google for "Delta Files FOTA"... then I can also find this:
http://www.faqs.org/patents/app/20100175062
Theory/ideas
What we also can do with this Security hole:
- maybe "move" folder System to SD or internal Memory, to have no more problems with RC1
- maybe someone is smart enough, to integrate Dump Function for Dump whole RAM or moviNAND... like JTAG
See Upload function...
Best Regards
adfree said:
- maybe someone is smart enough, to integrate Dump Function for Dump whole RAM or moviNAND... like JTAG
See Upload function...
Best Regards
I think that Samsung have thought of that already. I have not analysed that so far, but there's an UPLOAD option in the bootloader (handled by code somewhat separate from DLOAD). I haven't got the Wave, so I never tested it.
You can make a patch on my mod and place a direct jump to that code. I've made a quick patch so you can try it out. I don't know whether there's any software that can handle that mode. I've had a look and there are several funny commands that can be used:
"PrEaMbLe"
"AcKnOwLeDgMeNt"
"PoStAmBlE"
"PoWeRdOwN"
"DaTaXfEr"
Remember that this time we're dealing with some real functionality of the bootloader and that may have some consequences, so use at your own risk.
Best Regards,
mijoma
----------------------
Edit: Sorry if anyone tried loading it. By mistake I've used addressing from XXJEE. I've changed the name to represent what it was and added a correct file for XXJL2 bootloader
Upload to PC is in combination with Debug Mode higher than Low...
After you see the bluescreen with very interesting infos you can press a button, then "Upload to PC" is on screen. But I don't know how to catch the data, as no COM Port is visible.
Btw...
Now I know where I made a big mistake.
For the first tests I used XEKC2 firmware with the XXJL2 bootloader, as I thought it's only bootloader related. Sorry.
My fault.
So there must be more than the bootloader from XXJL2 in the handset to run FOTA Mod2 successfully.
About the new mod with Upload, I will investigate better this time before I report.
Thank you.
Best Regards
We need to get this guy a wave to test stuff on! Who wants to donate theirs ha
sabianadmin said:
We need to get this guy a wave to test stuff on! Who wants to donate theirs ha
It may have sounded like a joke, but I second that....
He seems trustworthy and very capable of being successful, just like adfree, oleg_k and the other guys over there.
I have my PayPal account limited, but in 1 month I'll be able to donate maybe 20€
Thanks guys, but I don't think it's necessary.
I do it for fun - don't need any other gratification. Wave got me interested with the effort the manufacturer put trying to keep it closed. I don't need a handset to disassemble the bootloader.
The question is more whether you would like a Wave for your efforts, as otherwise you really won't be able to benefit from your own work when we have MeeGo, Android, webOS etc. booting on the Wave. There's no extra pressure; sure, you have already done the trickiest part of the work.
No, I'm being completely honest here. I find this rather a weird form of relaxation than work.
Wave is a nice phone and I think I'm going to get myself one, but I don't expect a gift.
mijoma said:
Wave is a nice phone and I think I'm going to get myself one, but I don't expect a gift.
You are a champ, buddy
Good luck !

Spreadtrum: Amplify the microphone (Microphone is too quiet / silent)

Some Spreadtrum android phones are not very carefully tested ... They don't even check if the microphone is loud enough ...
And the fun fact is that it's very easy to fix !
WARNING: May only work with Windows XP 32-bit.
You just have to download the Spreadtrum drivers here: http://www.mediafire.com/download.php?2tyg0k2xp3ejgyg and there: http://www.mediafire.com/download.php?c5nf3rlhxmxhu4x
Then download the Spreadtrum debug tool: http://www.mediafire.com/download.php?rngukh111vqfr8h
Now plug your phone (turned on), and install the drivers.
Open Channelserver from the tools.
Then open Audiotester
Click on "Connect" from channelserver (the connect on the top)
Click on "Get Audio mode information"
Go to the handset tab
Click on "Volume config"
Now you can change "ul PGA" from usually 10.5 to 12 or more. Change it on all the lines.
Now you have 4 little buttons on the top-left corner of the window.
The first one is write to RAM (to test if it works before changing the settings permanently)
The second is read from ram (to load the actual settings)
The third is write to flash (to permanently change the settings, so the phone can keep the settings after a reboot)
The fourth is read from flash (to load the permanent settings)
You can even change the settings while you are in the middle of a call !
So it makes it easy to test.
Just call somebody with a lot of time and patience, then change some settings, load them to RAM, and shortly after this person will hear if it is successful or not.
If everything seems fine, click on write to flash, so these settings will be made permanent.
You can now unplug the phone from your computer ^^
Great thanx!
Thank you very much, because I think maybe it is the problem I had. Nobody was even able to help, but with the information and the drivers you provide maybe I will be able to solve the problem. THANK YOU, THANK YOU AND THANK YOU!
Yet I just tried with the drivers, I have Win7 - and I was able to install the first SCI-android-usb-driver-jungo-v4 driver. Now, when I connect the phone via USB, my computer finds it as a Spreadtrum phone. I started with turning on USB debugging on my phone, and it worked. I started the channelserver, and I found a problem. Channelserver has a lot of options (UART/Winsocket), Port, Baud rate, endian, winsocket. I tried to leave the options as default, and I checked the client info, but I cannot see my phone as a client. I tried to find what the problem is, and I realized that I have only one option to choose as a port: COM1. But my phone was connected via USB, so there must be a problem. And because of this problem I cannot use audiotester. Now I'm trying to figure out what the comm problem is.
T
---------- Post added 5th March 2013 at 12:26 AM ---------- Previous post was 4th March 2013 at 11:52 PM ----------
O.K. I tried to figure it out:
My settings with channelserver:
Type: Winsocket
Port: 36667
Address: 127.0.0.1
Endian: little endian
Winsocket server port: 36666
Then I see in the client info:
client counts:1
IP: 127.0.0.1
Host: T-PC
I tried audiotester, I chose the top connect option, then the get audio mode information. I get this message:
Get eq mode count from phone
Execute command time out! (CMD: AT+ SPEQPARA=0)
Read Untunable EQ (8800 G) mode count name from phone
Execute command time out! (CMD: AT+ SPHENA =0,0)
Read audio_dsp mode count from phone
Execute command time out! (CMD: AT+ SADM =0)
Unfortunately, I don't know what it means...
Round 3 - Fight
After changing from the Win7 OS to another computer, which had XP, I was able to use the channelserver and audiotester. I installed the drivers, and I was able to choose between SCI-DIAG (COM4) or SCI-VENDOR (COM5). With the SCI-DIAG option I was able to run until "get audio information", and the computer did the task without any fault message. I try to find the handset tab, but I don't know where I can find it. In the audioserver there is only one "settings" item, and I can choose from these options:
get audio mode information
get music mode information
make call
hang up,
export
import
control bye (I cannot choose it, because it is gray.)
Where is the handset option?
It should be at the top, and I don't use "Channelserver"
Same problem
Hi ElectronikHeart,
I'm having the same problem and I've been looking for a while for some solution so I was very happy when I saw your post.
I've followed your steps (on Win 7) but I'm stuck on step 4 (Get audio mode information).
When I press the button I get a lot of messages saying: Can not get endian mode from the phone.
Obviously I'm doing something wrong, but I'm totally lost.
Any suggestions are welcome
Thanks
kurty154 said:
Hi ElectronikHeart,
I'm having the same problem and I've been looking for a while for some solution so I was very happy when I saw your post.
I've followed your steps (on Win 7) but I'm stuck on step 4 (Get audio mode information).
When I press the button I get a lot of messages saying: Can not get endian mode from the phone.
Obviously I'm doing something wrong, but I'm totally lost.
Any suggestions are welcome
Thanks
I really do think that Spreadtrum AudioTester only works properly on Windows XP and 2K.
Thanks!
ElectronikHeart said:
I really do think that Spreadtrum AudioTester only works properly on Windows XP and 2K.
Thanks. It worked in XP!
I installed the drivers and the AudioTester worked just fine.
If it could be useful for others, just starting the AudioTester and connecting directly to UART worked fine for me.
Increased the volume and now the mic is fine
Audiotester - Debug tool
Hello. I installed the debug tool under Win 7 with admin rights and XP SP3 compatibility, but the problem is, when I open Audiotester, there is no other possibility than "settings".
Thanks in advance for your help.
motorpoint said:
Hello. I installed the debug tool under Win 7 with admin rights and XP SP3 compatibility, but the problem is, when I open Audiotester, there is no other possibility than "settings".
Thanks in advance for your help.
The original instructions contained an error (or were unclear)
I did this on a windows xp machine. I'm guessing it would work on a windows 7 machine.
Open Channelserver from the tools.
Then open Audiotester
Select SCI-DIAG option in the UART section
Click on "Connect" from UART section
If set up correctly, you'll get a number of status updates at the bottom.
A number of new tabs show up
Click on "Get Audio mode information"
Go to the handset tab
Click on "Volume config"
Now you can change "ul PGA" from usually 10.5 to 12 or more. Change it on all the lines.
(follow rest of writeup in original post)
thank you very much! will try it this weekend.
Many thanks to ElectronikHeart and Nimbus22!!!
Level was 7.5 only, not 10.5 as usual. I changed it to 12 and now it is fine.
Thanks
Thanks a lot ElectronikHeart!
It worked on Win7 32-bit and I changed it to 12 instead of 10.5.
I was looking at Audiotester and was wondering if it was possible to change other things
with it such as speaker volume and the calling speaker volume?
Ravage32 said:
Thanks a lot ElectronikHeart!
It worked on Win7 32-bit and I changed it to 12 instead of 10.5.
I was looking at Audiotester and was wondering if it was possible to change other things
with it such as speaker volume and the calling speaker volume?
Yes, you can also change the speaker volume, it's in the same place, just some other settings.
Try it in RAM before flashing the new settings to ROM, and use the try and guess method ^^
ElectronikHeart said:
Yes, you can also change the speaker volume, it's in the same place, just some other settings.
Try it in RAM before flashing the new settings to ROM, and use the try and guess method ^^
That's cool! What about the speaker that is used for calling,
the one at the top front of the phone? That's really quiet on my phone.
Ravage32 said:
That's cool! What about the speaker that is used for calling,
the one at the top front of the phone? That's really quiet on my phone.
Yes, I was talking about this one. It's exactly in the same place as the microphone but another setting. You may not be able to raise it a lot, but I already did this on one phone I had (Feiteng HT-G2), and it made a pretty good difference, even if it was a little quiet for my taste even after this.
ElectronikHeart said:
Yes, I was talking about this one. It's exactly in the same place as the microphone but another setting. You may not be able to raise it a lot, but I already did this on one phone I had (Feiteng HT-G2), and it made a pretty good difference, even if it was a little quiet for my taste even after this.
Cheers mate, I'll give it a go!
It does not help
Hi,
thanks for this manual, but I have a problem - I successfully connected to the phone and retrieved data (via AudioTester), I changed the "ul PGA" attribute in volume config from 7.5 to 12, I wrote to flash successfully, but the problem is the same. The microphone is too silent...
Is there any other solution, or can I change some other attributes in the "handset" tab to resolve it?
Please help me... I have two phones with the same fault.
Photo in attachment.
I had factory value of 7.5, I changed to 18 and now it works nice with my wife's voice.
Can I configure it to not hear that noise?
hello,
I have uploaded the values of 7.5 to 12 and I hear much better, but still hear background noise
How can I configure it to not hear that noise?
thank you very much
Same problem with background/interference noise
Woxter101 said:
hello,
I have uploaded the values of 7.5 to 12 and I hear much better, but still hear background noise
How can I configure it to not hear that noise?
thank you very much
I did the same thing with the values, they were 7.5 and I tried 10.5, 12 and 18. In every case, the only thing I could hear loudly was that noise. It is the same noise that GSM lines make when close to non-shielded speakers. Is there anyone who knows if it can be fixed? I hope so, as Audiotester has soooo many configuration options.
Thanks in advance!
Regards.

Uconnect 8.4 ver 17.11.07 trying to "root"

I was posting some questions in the "Rooted Jeep Cherokee '14 Uconnect" thread but I've started this new thread for the 17.xx versions because the methods (if we are able to identify them) aren't the same as the 16.33.29 and earlier firmwares...
I am still trying to crack into that unit with the 17.11.07 software. I have a D-Link USB Ethernet adapter, but it's a HW revision D and I believe I would need a B if we can get Ethernet enabled at all.
Also, if we can get Ethernet enabled we will still need to get SSH password or key.
devmihkel said:
For good or for bad NOT everything appears correct, except the running 17.x version... As of now neither the "commercial jailbreak" supports new versions (well yes, they were using exactly the same file to start with). Also 16.51.x or newer appears to be a no-go: uconnect-8-4-8-4an-update
EDIT: haven't got 17.09.07 to try, but on 17.11.07 manifest.lua has changed and the last block/ search keyword is "ota_update" instead. Otherwise all the same, image valid after the edit and script.sh gets fired - at least on 16.33.29 that is @HanJ67 Did you actually try to mount installer.iso after the edit and checked /etc/manifest.lua for the end result before?
devmihkel said:
Yeah, 2nd attempt is much better as the last lua block is correctly terminated and your script might actually run, but unfortunately no successful 17.x runs have been reported so far. SWF scripts are not involved in the update/jail-breaking run, these ones become relevant only once you are in (and need to enable some app or wifi or navi features etc). Afaik 17.x blocks ethernet dongle usage as well, but let's see if even the USB driver/link gets activated at all?
Do you have a 16.33.29 version I can try this on? I'm wondering if it will get me far enough to execute the "manifest.lua HD_Update" hack you and @HanJ67 were discussing.
I've used the 17.43.01, then finally found a 17.11.07 and had no luck there either.
In my latest attempts on the 17.11.07, I was able to hex edit the "ifs-cmc.bin" on the UPD and replaced the SSH-RSA key with my own. I think this bin will be flashed to the MMC during an update.
That SWDL.UPD got past the initial check and rebooted into update mode, but then it fails the second ISO check and loops. I had to use an unmodified image to finish the update and get back up and running.
I keep reading about making changes only after the 2048 byte mark in the older versions with the "S" at 0x80. Is this still relevant in later ISO/UPD images and to the second ISO check?
Right now, I'm looking to find a way to disable that check so that my modified .bin will be written to disk. I think this route would also work for modifying and getting WiFi enabled after a flash of the edited image.
If I had a 16.33.29 or similar older UPD version to attempt the HD_UPDATE hack in the Manifest.lua file I would give that a shot to be thorough.
Do you have an idea how to connect a USB2LAN adapter to uConnect?
Do you know if there are UART pins on the mainboard?
Hello, any news about it?
hi,
can you explain how to change the SSH key in the "ifs-cmc.bin" file?
thanks a lot
sofro1988 said:
Hello, any news about it?
I have not had much time to work on this.
I actually had an idea last week that brought me back to this. I plan to use a custom flash drive to present an unmodified ISO for verification, then swap NAND to an identical image that has been hex edited to enable USB Ethernet and add a custom key for SSH access.
I thought to stack a NAND on top of the original on a flash drive, then break out the Chip Enable pin to a switch. I've seen this done by guys modifying game consoles to be able to run modified firmware.
Once the 2nd NAND is in place I will restore an image of the original nand containing the unmodified update, then hex edit the required portions to allow access after updating.
If this method works, I should be able to pass the verification with the original nand chip, then switch it (hopefully there's a big enough window to do this by hand) then present the modified nand before it begins the flash procedure.
Hopefully someone more intimately familiar with the update scripts can verify I'm not missing anything in the process.
Tajadela said:
hi,
can you explain how to change SSH key in "ifs-cmc.bin" file?
thanks a lot
I used a hex editor to find the SSH RSA key and replace it. This passed the initial check to reboot into update mode, but wouldn't pass the full check in update mode. I'm hoping my attempt below will pass that check and still update with the modifications.
itsJRod said:
I used a hex editor to find the SSH RSA key and replace it. This passed the initial check to reboot into update mode, but wouldn't pass the full check in update mode. I'm hoping my attempt below will pass that check and still update with the modifications.
Thanks for the answer.
I saw an SSH key with the hex editor, but I would like to see exactly what you replaced.
If it's not too much trouble, it would be interesting to see the changes you've made with some screenshots.
So we could work on two fronts. The idea of the double nand is good, but not very simple to make ...
Just thinking out loud here, when you say it passes the initial check, does it then give you any confirmation of that or any message on the screen before rebooting to upgrade mode?
SquithyX said:
Just thinking out loud here, when you say it passes the initial check, does it then give you any confirmation of that or any message on the screen before rebooting to upgrade mode?
I tried much the same thing -- the swdl.upd is another CDROM filesystem:
martinb$ file swdl.upd
swdl.upd: ISO 9660 CD-ROM filesystem data 'CDROM'
It contains three more .iso files : installer.iso, primary.iso, and secondary.iso
installer.iso is a CDROM image, but is not mountable on my linux system
primary.iso is a CDROM image, and has the usual /bin, /etc/, and /usr filesystem for an install
the /bin directory has one file - update_nand
the /etc directory has the usual mfgVersiontxt, nand_partion.txt, system_etfs_postinstall.txt, system_mmc_postinstall.txt and version.txt
the /usr/share directory is all the firmware for various components - EQ, HD_FIRMWARE, IFS, MMC_IFS_EXTENSION,OTA,SIERRA_WIRELESS,V850, and XM_FIRMWARE
What's interesting to me is that they did update the SIERRA_WIRELESS firmware -- and have done some housecleaning:
Code:
#---------------------------------
# sierra_wireless_disable_flowcontrol.file
# \d == 1 second delay
SAY " Send AT \n"
'' AT\r
OK \d
SAY "Disable flow control\n"
'' at+ifc=0,0\r
OK \d
SAY "Send SMS command CNMI\n"
'' at+cnmi=2,1,0,1,0\r
OK \d
SAY "Clear emergency number list\n"
'' AT!NVENUM=0\r
OK \d
SAY "Set emergency number to 911\n"
'' AT!NVENUM=1,"911"\r
OK \d
SAY "Save Setting\n"
'' at&w\r
OK \d
#---------------------------------
Also in the IFS directory, when you hexedit the ifs-cmc.bin file it reveals another little treat... an SSH root public key ( not as nice as a private key, but hey )
(Sorry about the formatting, this is cut/paste right out of the hex editor)
Code:
ssh-rsa [email protected]
2E..IwU.Q....njle8r9nrJ7h8atg4WfqswU0C0Rk/Ezs/sQs5ZA6ES82MQONjHBd7mw
uo8h0xfj3KeeSHMXCEBpmU26guNE4EqfvdioLFCDUxtvMYswlUZjsvd/NYz9lnUZg2hy
pwzFQjXgSzmHVrHjkKKvq7Rak/85vGZrJKxlvHnowA8JIl1tVNVQjPMNgDDJabaETtfw
LL1KlvAzI81cKOG/3IRn9lU6qyYqyG+zYoza0nN\..7/AtxdL481k81Go5c3NQTnkl2U
68lbu8CpnwrYCU098owLmxdI4kF5UOL4R61ItJuwz30JSESgT..!8RDgM6XEiHUpK9yW
vvRg+vbGWT/oQn0GQ== [email protected]
In /usr/share/MMC_IFS_EXTENSION/bin/cisco.sh and dlink.sh there's another good hint - what adapter you need for USB Ethernet:
Code:
#!/bin/sh
# Handle an Ethernet connection via the CISCO Linksys USB300M adapter
or
Code:
#!/bin/sh
# Handle an Ethernet connection via the D-Link DUB-E100 adapter
The static IP it brings up if no DHCP is offered is: 192.168.6.1
There's tons more in there -- like the V850 chip has access to the Sierra Wireless CDMA modem, but can configure it for voice calls through the car speakers:
"AT!AVSETPROFILE=8,1,1,0,5" ( embedded in the cmcioc.bin update file )
secondary.iso is a CDROM image and only has /etc/ and /usr
the /etc/ directory has speech_mmc_preinstall.txt and xlets_mmc1_preinstall.txt
the /usr/ directory has /usr/share/speech and /usr/share/xlets ( tons of information about sensors in the car, etc in xlets )
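The sierra_wireless_disable_flowcontrol.file shown above is a chat(8)-style expect/send sequence: each `''` line sends a command after expecting nothing, and each `OK \d` waits for the modem's OK and then pauses a second. The following added example (my own code, not from Uconnect, chat(8) or this thread) parses that format and replays it against a simulated modem, showing how an ERROR reply aborts the sequence at the failing expect; `FakeModem`, `run_chat` and the delay-only handling of `\d` are simplifying assumptions of mine.

```python
"""Simplified interpreter for a chat(8)-style modem script, run against a
simulated AT modem (added example; FakeModem and run_chat are not Uconnect code)."""
import re

# Constructed copy of sierra_wireless_disable_flowcontrol.file as posted.
SCRIPT = r'''
# \d == 1 second delay
SAY " Send AT \n"
'' AT\r
OK \d
SAY "Disable flow control\n"
'' at+ifc=0,0\r
OK \d
SAY "Send SMS command CNMI\n"
'' at+cnmi=2,1,0,1,0\r
OK \d
SAY "Clear emergency number list\n"
'' AT!NVENUM=0\r
OK \d
SAY "Set emergency number to 911\n"
'' AT!NVENUM=1,"911"\r
OK \d
SAY "Save Setting\n"
'' at&w\r
OK \d
'''

TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')
ESCAPES = {"r": "\r", "n": "\n", "d": ""}   # \d is a delay, not text


class ChatError(Exception):
    """An expect string never arrived; real chat aborts the session here."""


def tokenize(script):
    """Split into chat tokens: comment lines dropped, surrounding quotes removed."""
    body = "\n".join(ln for ln in script.splitlines()
                     if not ln.lstrip().startswith("#"))
    return [t[1:-1] if t[:1] in "\"'" else t for t in TOKEN_RE.findall(body)]


def decode(token):
    """Resolve chat escapes; returns (text, seconds of \\d delay)."""
    text = re.sub(r"\\(.)", lambda m: ESCAPES.get(m.group(1), m.group(1)), token)
    return text, token.count("\\d")


class FakeModem:
    """Simulated modem: each CR-terminated AT line gets OK, or ERROR if rejected."""

    def __init__(self, reject=()):
        self.reject, self.commands = set(reject), []
        self.inbuf = self.outbuf = ""

    def write(self, data):
        self.inbuf += data
        while "\r" in self.inbuf:
            line, self.inbuf = self.inbuf.split("\r", 1)
            if line.upper().startswith("AT"):
                self.commands.append(line)
                verdict = "ERROR" if line in self.reject else "OK"
                self.outbuf += f"\r\n{verdict}\r\n"

    def read(self):
        data, self.outbuf = self.outbuf, ""
        return data


def run_chat(script, modem, max_polls=5):
    """Run the script; returns (SAY messages, total \\d delay in seconds).
    Simplification: '\\d' only delays, and nothing is appended to sends
    (real chat adds a trailing CR unless the send ends in \\c)."""
    tokens = tokenize(script)
    says, delay_total, received, i = [], 0, "", 0
    while i < len(tokens):
        if tokens[i] == "SAY":              # SAY <text>: log only, no I/O
            says.append(decode(tokens[i + 1])[0].strip())
            i += 2
            continue
        expect = tokens[i]                  # expect/send pair; '' = expect nothing
        send = tokens[i + 1] if i + 1 < len(tokens) else ""
        i += 2
        if expect:
            for _ in range(max_polls):
                received += modem.read()
                if expect in received:
                    received = received.split(expect, 1)[1]
                    break
            else:
                raise ChatError(f"expected {expect!r}, modem sent {received!r}")
        text, delay = decode(send)
        delay_total += delay                # a real chat would time.sleep here
        if text:
            modem.write(text)
    return says, delay_total
```

Running `run_chat(SCRIPT, FakeModem())` walks all six commands with six one-second delays; `FakeModem(reject={"AT!NVENUM=0"})` stops the script at the fourth command with a ChatError, which is how a failed step surfaces in the real update log.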
martinbogo1 said:
I tried much the same thing -- the swdl.upd is another CDROM filesystem:
martinb$ file swdl.upd
swdl.upd: ISO 9660 CD-ROM filesystem data 'CDROM'
It contains three more .iso files : installer.iso, primary.iso, and secondary.iso
installer.iso is a CDROM image, but is not mountable on my linux system
primary.iso is a CDROM image, and has the usual /bin, /etc/, and /usr filesystem for an install
the /bin directory has one file - update_nand
the /etc directory has the usual mfgVersiontxt, nand_partion.txt, system_etfs_postinstall.txt, system_mmc_postinstall.txt and version.txt
the /usr/share directory is all the firmware for various components - EQ, HD_FIRMWARE, IFS, MMC_IFS_EXTENSION,OTA,SIERRA_WIRELESS,V850, and XM_FIRMWARE
What's interesting to me is that they did update the SIERRA_WIRELESS firmware -- and have done some housecleaning:
Code:
#---------------------------------
# sierra_wireless_disable_flowcontrol.file
# \d == 1 second delay
SAY " Send AT \n"
'' AT\r
OK \d
SAY "Disable flow control\n"
'' at+ifc=0,0\r
OK \d
SAY "Send SMS command CNMI\n"
'' at+cnmi=2,1,0,1,0\r
OK \d
SAY "Clear emergency number list\n"
'' AT!NVENUM=0\r
OK \d
SAY "Set emergency number to 911\n"
'' AT!NVENUM=1,"911"\r
OK \d
SAY "Save Setting\n"
'' at&w\r
OK \d
#---------------------------------
Also in the IFS directory, when you hexedit the ifs-cmc.bin file it reveals another little treat... an SSH root public key ( not as nice as a private key, but hey )
(Sorry about the formatting, this is cut/paste right out of the hex editor)
Have you tried connecting to it?
Sent from my iPhone using Tapatalk
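The post quoted above identifies swdl.upd as an ISO 9660 image that carries further .iso files, and then finds an ssh-rsa public key sitting in plain text inside ifs-cmc.bin. Here is an added example (not code from the thread, the head unit, or any vendor tool) of the two checks a firmware audit would run on such an image in Python: it walks a raw blob sector by sector for ISO 9660 primary volume descriptors, which is how a nested .iso shows up inside a container, and it scans the raw bytes for text-form OpenSSH public keys, decoding their RFC 4253 wire format to report key type and size. The sample container, its volume names "SWDL" and "PRIMARY", the comment root@example-headunit and the 2048-bit modulus are all constructed in memory for the demonstration and come from no real update file.

```python
"""Audit helper: find ISO 9660 volumes nested in an update container and
report OpenSSH public keys embedded in the raw bytes. Added example for this
thread, not vendor or poster code; the sample image is constructed in memory."""
import base64
import re
import struct

SECTOR = 2048
ISO_MAGIC = b"CD001"   # standard identifier in every ISO 9660 volume descriptor
PVD_SECTOR = 16        # the primary volume descriptor (PVD) sits at sector 16

# Text-form OpenSSH public key: "<type> <base64>[ comment]"
SSH_KEY_RE = re.compile(
    rb"(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(?:256|384|521)) ([A-Za-z0-9+/]+=*)")

def find_iso_volumes(blob: bytes):
    """Return (volume_start, volume_id) for every PVD found on a sector boundary.
    A nested .iso has its own PVD 16 sectors past its own start, so scanning
    every sector finds both the container and the images inside it."""
    hits = []
    for off in range(0, len(blob) - 72, SECTOR):
        if blob[off] == 0x01 and blob[off + 1:off + 6] == ISO_MAGIC:
            vol_id = blob[off + 40:off + 72].decode("ascii", "replace").strip()
            hits.append((off - PVD_SECTOR * SECTOR, vol_id))
    return hits

def _read_string(buf: bytes, pos: int):
    """Read one RFC 4251 string: uint32 length followed by that many bytes."""
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    end = pos + 4 + n
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[pos + 4:end], end

def parse_ssh_pubkey(b64: bytes) -> dict:
    """Decode the RFC 4253 public-key wire format into type and key size."""
    raw = base64.b64decode(b64, validate=True)
    ktype, pos = _read_string(raw, 0)
    info = {"type": ktype.decode()}
    if ktype == b"ssh-rsa":
        e, pos = _read_string(raw, pos)
        n, pos = _read_string(raw, pos)
        info["e"] = int.from_bytes(e, "big")
        info["bits"] = int.from_bytes(n, "big").bit_length()
    elif ktype == b"ssh-ed25519":
        pk, pos = _read_string(raw, pos)
        info["bits"] = len(pk) * 8
    else:  # ecdsa-sha2-nistp*: curve name, then the uncompressed point
        curve, pos = _read_string(raw, pos)
        point, pos = _read_string(raw, pos)
        info["curve"] = curve.decode()
        info["bits"] = (len(point) - 1) // 2 * 8
    if pos != len(raw):
        raise ValueError("trailing bytes after key blob")
    return info

def find_ssh_keys(blob: bytes):
    """Scan raw bytes for text-form OpenSSH public keys and parse each hit.
    A hit that does not decode (e.g. a key mangled by a hex-dump paste) is
    kept with an 'error' field instead of being dropped."""
    results = []
    for m in SSH_KEY_RE.finditer(blob):
        entry = {"offset": m.start(), "type": m.group(1).decode()}
        try:
            entry.update(parse_ssh_pubkey(m.group(2)))
        except (ValueError, struct.error) as exc:
            entry["error"] = str(exc)
        comment = blob[m.end():m.end() + 64].split(b"\n", 1)[0].strip()
        if comment:
            entry["comment"] = comment.decode("ascii", "replace")
        results.append(entry)
    return results

def _mpint(value: int) -> bytes:
    """SSH mpint: big-endian, with a leading 0x00 when the high bit is set."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(body)) + body

def make_rsa_pubkey_line(n: int, e: int = 65537, comment: bytes = b"") -> bytes:
    """Text form of an ssh-rsa public key from (n, e); used to build the sample."""
    wire = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    return b"ssh-rsa " + base64.b64encode(wire) + (b" " + comment if comment else b"")

def build_sample_image() -> bytes:
    """Constructed container: outer volume 'SWDL' followed by a nested volume
    'PRIMARY' whose data sector holds an authorized_keys-style line. The
    2048-bit modulus is a placeholder number, not a real key."""
    def volume(vol_id: bytes, payload: bytes) -> bytes:
        pvd = (b"\x01" + ISO_MAGIC + b"\x01\x00" + b"LINUX".ljust(32)
               + vol_id.ljust(32)).ljust(SECTOR, b"\x00")
        return b"\x00" * (PVD_SECTOR * SECTOR) + pvd + payload.ljust(SECTOR, b"\x00")

    key_line = make_rsa_pubkey_line((1 << 2047) | 1, comment=b"root@example-headunit")
    return volume(b"SWDL", b"") + volume(b"PRIMARY", key_line + b"\n")

if __name__ == "__main__":
    image = build_sample_image()
    print("volumes:", find_iso_volumes(image))
    print("keys:", find_ssh_keys(image))
```

The finding such a scan should flag is not the public key itself (as the post says, a public key alone opens nothing) but that one fixed authorized key is baked into every unit, so the matching private key becomes a single secret protecting the whole fleet. The dump quoted above has bytes replaced by dots by the hex editor and will not decode; run the scanner on the raw ifs-cmc.bin instead, where the key is reported with its type, modulus size and comment.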
sofro1988 said:
Have you tried connecting to it?
I managed to connect with the Cisco adapter (USB/Ethernet), but I don't know the root password. Is the problem insurmountable at the moment?
Using a cisco connector, I have gotten the ethernet to come up, but that's it. At the moment, there doesn't seem to be anything I can connect to.
@Tajadela - sounds like you at least were able to either SSH or telnet in to a port... I'm on software version 17.43.01 .. which are you on, and what year vehicle? ( Jeep Grand Cherokee, 2015, Uconnect 8.4AN with the 3G Sierra Aircard modem for Sprint )
martinbogo1 said:
Using a cisco connector, I have gotten the ethernet to come up, but that's it. At the moment, there doesn't seem to be anything I can connect to.
I connected via telnet on a Uconnect 6.5 with firmware 15.xx.xx. You can connect to Uconnect using the static IP it brings up if no DHCP is offered: 192.168.6.1
itsJRod said:
I used a hex editor to find the Ssh RSA key and replace it. This passed the initial check to reboot into update mode, but wouldn't pass the full check in update mode. I'm hoping my attempt below will pass that check and still update with the modifications.
After the RSA key is replaced, do you have to recalculate the checksum of the UPD file?
Have you replaced the first 64 bytes of the file?
Thanks
@itsJRod, would you like to explain the procedure to replace the RSA key in the swdl file? Thank you
Hello,
Have you made any progress? I am a bit lost. I put the EU Uconnect MY15 into a US Dodge Charger MY16 and Perf Pages were working fine even on 16.16.13, but after upgrading to 17.x (17.46.0.1 right now) I am running into the problem of an expired subscription (which is not possible to have on an EU radio).
I am considering basically three solutions:
a) going back to the US radio, but modifying the language pack/nav/FM frequencies (it is doable, but I do not know how, although I could pay for it relatively less than the time invested)
b) downgrading to 16.16.13 - I have no clue how to do it; I tried to put swdl.upd together with swdl.iso and installer.iso, with no luck of course.
c) taking the xlets from KIM2/ of 16.16.13 to KIM23 of 17.46.0.1 secondary.iso - this is probably the preferred way but I do not know how to make it pass ISO validation.
Of course root on uconnect is extremely nice to have but I will be fully satisfied with Perf Pages working again.
Hello.
I'm hoping the community can help me out. I have a RAM 1500 with the RA4 (was running the 17.11.07 software that got pushed to me OTS style a couple of years ago). Since then: problems, radio turn-on delay, no GPS and a cellular phone warning popup.
I was told to do the 18.45 update, which I got from driveuconnect.com, but this has essentially bricked my radio with the "bolo update failed" error and it is looping continuously.
I have tried many ways to modify the update software's manifest.lua script to try to get rid of the Sierra Wireless portion by manual editing, hex editing, etc., but I always get the "please insert the USB card" screen.
Uconnect is obviously completely worthless to help me and the dealer wants me to pay them money to tell me what I already know. I know I can pay 300 and send my radio to infotainemnt.com to get it repaired, but I would like to solve this on my own if possible, because I would like to further modify the software to make it more custom and unique.
From my reading, the 17x version keeps you from downgrading to a version that can be hacked easily.
Everything seems like it should be pretty straight forward as I have a lot of experience in programming and embedded devices.
It seems they are validating the ISOs using some mechanism; I believe I have tried all the tricks/methods.
I have searched the code to see if I can find the ISO MD5 or SHA256 hashes that ioc_check is probably using to figure out I changed something, but nothing works.
I have even tried swapping the flash drives after validation, but it seems they use the ISOs they already copied to continue the process; I then end up getting some invalid errors or the update just crashes out.
I got other updates from this link: http://www.mydrive.ch/
username: [email protected]
Password: gasolio
Haven't tried all of them yet, but I'm pretty sure they won't work, due to the 17x security changes.
Any help would be greatly appreciated; I really don't want to shell out any cash for something a company told me to do, and due to their screw-up with bricking modems, this is now bricking my radio.
Thanks to all in advance !!!
djmjr77 said:
I'm hoping the community can help me out.
Just to follow up for anyone who reads this in the future.
I was able to get my uconnect working again a few minutes ago.
As my previous post stated I got stuck in the "bolo update failed" loop.
I downloaded the UCONNECT_8.4AN_RA4_16.33.29_MY16.exe update from the url posted in my previous comment.
I did the S Byte HEX Mod to the swdl.iso file, loaded it and the swdl.upd file on a thumb drive. Used HxD on Windows. Followed the section in the Uconnect exploitation PDF:
https://www.google.com/url?sa=t&source=web&rct=j&url=http://illmatics.com/Remote%2520Car%2520Hacking.pdf&ved=2ahUKEwjZsOGNl5nyAhWhGVkFHZy2AnAQFnoECAcQAg&usg=AOvVaw0NAi3a1eh-IRd3n1VHv-ys
When I plugged it in, it started with the update process; after the first unit, the screen said the Uconnect had to restart, please wait..
And voilà, my radio worked again!!! It even says it has the 18.45 firmware on it.. go figure.. Navigation still does not work, but that's most likely because the Sierra Wireless card is bad.
I cannot say for sure the S Byte thing did anything, because I'm not messing with this anymore; I almost had to buy a new radio.
I would say try it without, then with it if it doesn't work.
This could also be a fluke with my particular unit, but at least it's something else to try than paying 600+ dollars!!
Good luck to anyone else who goes through this mess!!!
djmjr77 said:
Just to follow up for anyone who reads this in the future.
I created an account just to reply to this and All I have to say is you're literally an absolute life saver. I've been working on this every day for two weeks now, trying every trick people said, trying every USB, every format, every version and nothing ever worked from me. Uconnect support was absolutely no help and it was a lot of back-and-forth finger pointing and no you need to reach out to this person between them and the dealership. Dealership tried to charge me for a Proxy Alignment when I asked to just update my damn radio stuck in this loop.
I have a 2015 Jeep Cherokee 8.4AN VP4 NA Head Unit 68238619AJ. I was updating from 17.11.07 to 18.45.01 and got stuck at step 11 at 1%; I would get a failed Sierra Wireless every time and then got into that "bolo update failed" loop. Well, to fix it just now, all I did was download the UCONNECT_8.4AN_RA4_16.33.29_MY16.exe update from the URL posted in the previous comment, quick format a 16GB Micro Center USB to FAT32, extract the files from 16.33.29 to the USB with 7-Zip, plug it in like normal, and BOOM, it ran the first step, restarted, and I had a working radio again showing update 18.45.01.
(So I'm assuming you don't have to do the S Byte thing; I didn't even mess with it. I just used 16.33.29 to bypass step 11, since that version only has 14 steps and 18.45.01 was already preloaded from attempting before. My navigation still shows the wrong address, but I don't care about all that; I'm just thankful to have my radio back before my wife killed me for trying to update it by myself.)
I hope this helps someone else one day, because it took some deep research and hours upon hours of forum hopping to finally find the solution. <3
djmjr77 said:
Just to follow up for anyone who reads this in the future.
Do you have another link to download the UCONNECT_8.4AN_RA4_16.33.29_MY16.exe files? I am trying to help a friend of mine the way this helped me. Thank you again for this!
