CP Crash Screen, fried EFS? no COM ports - Samsung Epic 4G Touch

I'm working on an ET4G for a friend right now. He seems to have screwed up his diag interface somehow. When the phone is put in CP I get a bunch of Data Interfaces in Device Manager, but no COM ports. Then in QPST Configuration, I go to add a port and I see a COM 3. When I add the COM 3 port, the screen on the ET4G goes to CP Crash Mode, and it says it's transferring information from CP to AP.
(I attached the picture because I can't post links).
In About Phone > Status both the phone number and MSID are 0000000585. The MEID is intact, though it's 99............. because he had it flashed to MetroPCS at one point. Here's what he says he did before it stopped working.
*Backed up and deleted his EFS folder (I've since restored it). Though he said it still worked after that.
*Flashed international ICS Galaxy S2 firmware (I think this might have done it).
*Did something where he tried to change the boot animation. He did this around the same time he flashed the firmware, it could be either we think.
***What we're looking to do*** is get the phone connecting to PST software again (i.e. show real COM ports). It's starting to get a bit beyond me. I'm still working at it on my own, but I figured I could leave this thread out there as a cry for help.
Thanks!

Throw it away or donate it to be thrown away ;-)

Related

[Q] Evo vibrates 5 times and turns blank with flashing green LED

I was trying to root my phone using unrevoked 3.32, and during the install it stopped with a backup CID error missing or something like that. I checked to see in hboot if it was rooted with it showing S-OFF, and it was, but recovery still showed the regular triangle red error. So I restarted normally and tried to install terminal emulator on the phone, and that's when it first started vibrating 5 times, then going blank with a green LED flash. The phone will boot normally, I'm usually able to use it for a min or less, then it will repeat with the blank screens. After checking back into hboot it now shows that it's unrooted with S-ON. Now I also have problems with the USB/sdcard.
Things I have done to get it back to normal:
- hard reset using clear storage.
- Checking in the SD storage menu I could see it wasn't reading the SD card, so I restarted it in bootloader and through fastboot typed: fastboot oem enableqxdm 0.
- flash through bootloader this file: 3.70.651.1_PC36IMG.zip
After flashing it still takes multiple battery resets to finally get it through the first start up menu and then to the regular home screen. Seems to read the SD card fine, but when connecting the USB from wall charger or PC it doesn't recognize it at all.
The phone is 4 days old and seems to be back to stock except it still vibrates and goes blank with green LED flash and it won't recognize charging/PC connection. Will I have any problem if I just go back to Sprint and say I want a new one, it's not working right?
Phone info:
Baseband: 2.15.00.11.19
kernel: 2.6.32.17-gee557fd
Software: 3.20.651.1
PRI: 1.90_003
PRL: 60676
Hardware: 0003
HBOOT-2.10.0001
strdrk1 said:
I was trying to root my phone using unrevoked 3.32, and during the install it stopped with a backup CID error missing or something like that. I checked to see in hboot if it was rooted with it showing S-OFF, and it was, but recovery still showed the regular triangle red error. So I restarted normally and tried to install terminal emulator on the phone, and that's when it first started vibrating 5 times, then going blank with a green LED flash. The phone will boot normally, I'm usually able to use it for a min or less, then it will repeat with the blank screens. After checking back into hboot it now shows that it's unrooted with S-ON. Now I also have problems with the USB/sdcard.
Things I have done to get it back to normal:
- hard reset using clear storage.
- Checking in the SD storage menu I could see it wasn't reading the SD card, so I restarted it in bootloader and through fastboot typed: fastboot oem enableqxdm 0.
- flash through bootloader this file: 3.70.651.1_PC36IMG.zip
After flashing it still takes multiple battery resets to finally get it through the first start up menu and then to the regular home screen. Seems to read the SD card fine, but when connecting the USB from wall charger or PC it doesn't recognize it at all.
The phone is 4 days old and seems to be back to stock except it still vibrates and goes blank with green LED flash and it won't recognize charging/PC connection. Will I have any problem if I just go back to Sprint and say I want a new one, it's not working right?
Phone info:
Baseband: 2.15.00.11.19
kernel: 2.6.32.17-gee557fd
Software: 3.20.651.1
PRI: 1.90_003
PRL: 60676
Hardware: 0003
HBOOT-2.10.0001
That's weird. I'm pretty sure the vibrate 5 times and green blinking LED indicates that the phone is in diagnostic mode. I'm not sure how to remedy the situation, I would've suggested a PC36IMG back to stock, but you already tried that. I would try taking the battery out for an hour or more (I've read of people being stuck in diagnostic mode, and leaving the battery out for a good length of time fixed it, I think) then try booting up, and seeing if it works. If not, to answer your question, as long as the bootloader shows S-on, you will have no problems taking it back to Sprint. You need to make sure you have no 'evidence of rooting' on your sd card, just to make sure that the Sprint tech doesn't see anything on there. Good luck.
I formatted the sdcard, but it seems to be creating these files QXDM_some numbers.dm. Is this normal, or any indication of rooting the phone?
Sorry to be the bearer of bad news but I had the same issue and eventually gave up after 3 solid days of working on it. You name it, I tried it. Had to get it replaced.
Something about unrevoked and my old 002 phone didn't jive together and the root aborted at an unrecoverable stage. No sd card mount, no adb, not even able to connect via usb, so running an ruu or new pc3600img wasn't an option.
As for the 5 buzzes and shut down after a min or so... Your guess is as good as mine. You can put it in diagnostic mode with the arrow up/power button boot, but that's 3 buzzes not 5.
Wish I could offer some actual help :/ Let us know if you find a fix.
Oh, before I took it back in I did a hard reset so it would reboot before they could get past the setup menus and see the superuser permissions app. Not that they'd care, but just in case.
I have just returned my EVO to Sprint for this same problem. He told me it was a common problem. I get my new one today. They could have cared less that it was rooted, he told me it did not matter.
derekstory said:
I have just returned my EVO to Sprint for this same problem. He told me it was a common problem. I get my new one today. They could have cared less that it was rooted, he told me it did not matter.
I ended up exchanging mine also. The lady really could have cared less. I wish I would have known 'cause I spent some time trying to get it back to normal. My sister also ended up exchanging hers because she got the white one and wanted the black one instead.
thanks for any help and replies.
I too had the same problem. It all happened when I was trying to flash cyanogen 7 RC2, I wiped all data, and all seemed fine. I rebooted and it went right to the bootloader and I noticed I was S-ON. Tried to re-root, and run a RUU. I did actually get it to boot to sense, but it froze and then I got the buzzes, and the green lights. I went to sprint since I have insurance. They checked it out and then an hour later, they gave me another one.
My EVO is currently stuck in the same state. I have spent a huge amount of time working on it, and have some information. I'm just dumping as much as I can remember in to this post, so excuse the lack of organization.
Before I go any further - I have not been able to fix the issue!
My phone was about as stock as possible when I took it to the Sprint store. They ordered me a new one and gave the broken one back. I have taken a few more risks now that my new one is on the way.
The initial problem started after flashing MIUI recently. The phone booted normally, but I noticed that the SD card was inaccessible. I would bet that the phone was refusing to charge over USB at this point as well, as that issue goes hand-in-hand with the sdcard problem.
The sdcard and its contents were fine. I later made a backup of the card and lost nothing.
Symptoms, high level info:
- Phone immediately vibrates 5 times and begins flashing a green indicator, screen black at power on
- Under unknown circumstances, the phone will display the white EVO boot screen before exhibiting the above behavior
- Cannot exit this mode unless phone is unplugged and battery is removed
- Bootloader can be accessed by holding volume down and power when starting fresh
- SD Card is accessible in bootloader - indicates the problem is not purely hardware related
- Fastboot can be used to temporarily (1 boot) gain access to sd card
- Phone can be flashed with official PC36IMG
- Phone can be set into RUU mode and flashed with official RUU
- Official update.zip can be flashed from stock recovery
- Qualcomm diagnostic tools can be used
- Phone will remain in the installed OS for a very short amount of time
- Bootloader shows S-ON, 'fastboot oem boot' shows Super CID and CID=111111111 instead of SPCS_001
Because one of my initial ideas was to flash a stock PC36IMG from the bootloader, I lost access to a custom recovery very early in the process. Other users may have better luck if they do not immediately flash a stock recovery.
Flashing PC36IMG is accomplished as usual. Vol- + Power.
To temporarily enable the sd card, disable Qualcomm Download mode:
- Boot into bootloader
- Wait for it to scan the SD Card
- Select Fastboot (Power to select)
- Plug into computer
- Open a command prompt and ensure you have the fastboot executable
- Command: fastboot oem enableqxdm 0
- Exit fastboot
- Select Clear Storage and select No to reboot OR
- Select Recovery
The phone will boot into the OS. Under unknown circumstances, the phone will reboot. The amount of time can vary quite a bit. Enabling Airplane mode does not help. Using diagnostic tools to put the phone in Offline mode does not help.
If you would like to use Qualcomm diagnostic tools, the phone will have to be in diagnostic mode, rather than Download mode. The above steps will get you most of the way there, with the added annoyance that the phone will not enter proper diagnostic mode if left plugged in the entire time.
To ensure diagnostic mode correctly enables (or rather, that download mode disables):
- Perform the fastboot command to disable qxdm
- Unplug the phone
- Navigate back to the bootloader, select Clear Storage
- Select No (Vol-) to reboot
- The white EVO boot screen will display
- The screen will go black before the Sprint/4G animation plays
- Plug the phone as soon as the white screen disappears, before the Sprint/4G animation
The phone will display in QPST Configuration without saying *Download* everywhere. The phone number will be incorrect, but that value is actually stored as a Directory ID in the NAM. In other words, it's okay.
The QPST Service Programming tool looked like a good place to start. If you would like to look at the configuration options for the EVO, you can start an offline connection using the profile "FFA/SURF QSD8650 Rev 2.0".
Note that the phone will always reboot after writing any values to the phone. This means you will have to pull the battery, unplug it, boot into fastboot, disable qxdm, boot into the OS each time.
You will need your MSL code for many of these applications. You can get it by calling Sprint and asking. They will not provide the code through email.
I can confirm that at least some changes in the Service Programming app will stick. I changed the banner, under the Display tab, to "Brick" (from Sprint), and it showed up in the Notification dropdown.
The NV util can read the values from the phone correctly.
QXDM can issue commands to the phone.
ADB will not work. This limits the ability of tools like unrEVOked to do whatever they do. Getting ADB to work could be useful. Note that I did re-enable Debugging in the Setting->Applications menu to no avail. I believe this is a general side effect of this problem and perhaps a key symptom.
The bottom line is that I have run out of ideas. I have not found a setting in any of the QPST or QXDM tools that indicate this mode can be turned off. I have a hard time believing that there is some permanent switch in the Qualcomm SOC that says "always boot into this mode forever", but who knows.
Any suggestions would be great.
To summarize, I have installed a stock PC36IMG, update.zip, RUU. I have access to almost any setting in the phone, but cannot write to NV because it's in the S-ON state, which limits certain fastboot wipe options and the ability to push new images to system partitions from fastboot. I can, in theory, use the QPST Download software to move images if I can find one that might work.
When is the last time you tried running a 3.70 PC36IMG RUU?
I ran the 3.70 RUU literally minutes ago.
RUU_SuperSonic_S_Sprint_WWE_3.70.651.1_Radio_2.15.00.11.19_NV_1.90_release_161482_signed
Apparently still not taking?
That's the thing - it *is* taking. Whatever is triggering this mode is not being reset by the RUU (or any other full clear/flash technique).
I have a dump of the NV memory, but I want to run through it with a hex editor to make sure it doesn't have anything that would identify my Sprint account or identity before posting it.
SLOSifl said:
That's the thing - it *is* taking. Whatever is triggering this mode is not being reset by the RUU (or any other full clear/flash technique).
I have a dump of the NV memory, but I want to run through it with a hex editor to make sure it doesn't have anything that would identify my Sprint account or identity before posting it.
Ah I see, and good precaution.
My ESN is in the qcn file, and I assume my MEID is as well. I will try to zero them out if I can find them all.
If my phone's ESN is 12345678, then it is in the qcn file as 78 56 34 12.
Does anyone else happen to have a known good QCN? Maybe I can compare them side by side to locate the differences. I suspect that there will be a lot of them, but I can eliminate most of them pretty easily.
While I work on the file (and debate whether or not it's safe to post), here is some information from the NV dump:
Code:
File Version: Major 2, Minor 0, Revision 0
File Summary:
Phone Model: 16 [FFA/SURF QSD8650 Rev 2.0], Configuration Name: default, Total NV Item Count: 1650
Phone Model 16 [FFA/SURF QSD8650 Rev 2.0] Configurations:
Configuration Name: default
Mobile Properties:
ESN: 0xMASKED
Phone Model: 16 [FFA/SURF QSD8650 Rev 2.0]
NV Major: 0
NV Minor: 0
SW Version: 8650B-SDCAPLYM-324026
Client Name: QPST Software Download 2.7.0.362
Code:
Feature Mask:
...Removed for brevity....
Total Set Bits: 108 of 432
Without bothering to specify all the set bits (although there are some interesting ones like "Bit 306: F_UI_GOOFY_MENU_BIT"), maybe someone can confirm that 108 of 432 is close to correct.
I loaded up a nv.img from a nandroid backup I took the day this problem happened (before flashing a ROM). I suspected that the nv.img and the qcn I just pulled should both represent the same general memory in the phone.
The image is...definitely an image. Exactly 640kb, tons of empty space and apparent padding. Much different in overall layout than the QCN, and no trace of my ESN. However, I was able to locate the GPS URLs in both files. While not even close to the same offset in the file, that small section of similarity indicates that the same memory was probably accessed.
Unfortunately I know of no way to push the nv.img to the phone in its current state. If I were able to get the nandroid backup's nv.img onto the phone I could at least eliminate the entire NV memory as a variable. If it fixes it, then awesome, and if it doesn't, then I can ignore the file entirely.
Here is the QCN file with my ESN removed. There may be other private information in the file, but at this point, Sprint is ordering me a new phone, and gave me this one back, so I don't know if they can really do anything about this.
http://rapidshare.com/files/455015717/public.qcn
My enthusiasm toward poking around this file is dropping off pretty quickly since I no longer believe this is where the problem lies.
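Added example (not part of the original posts and not QPST's own tooling): a small Python scanner that checks a binary dump for an identifier before the file is shared, covering the byte-reversed layout described above (ESN 12345678 stored as 78 56 34 12) and overwriting every hit in place. The sample dump, the function names and the extra encodings beyond the reversed one (big-endian, ASCII text) are assumptions made for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    offset: int    # byte offset of the match inside the dump
    length: int    # number of bytes matched
    encoding: str  # which representation of the identifier matched


def candidate_encodings(hex_id: str) -> dict[str, bytes]:
    """Byte patterns an identifier (given as hex digits) might be stored as."""
    digits = hex_id.strip()
    if digits.lower().startswith("0x"):
        digits = digits[2:]
    if not digits or any(c not in "0123456789abcdefABCDEF" for c in digits):
        raise ValueError(f"not a hex identifier: {hex_id!r}")
    padded = digits if len(digits) % 2 == 0 else "0" + digits
    raw = bytes.fromhex(padded)
    patterns = {
        "raw little-endian": raw[::-1],  # layout reported in the thread
        "raw big-endian": raw,           # assumption: also worth checking
        "ascii upper": digits.upper().encode("ascii"),
        "ascii lower": digits.lower().encode("ascii"),
    }
    # Drop patterns that are byte-identical (e.g. digits-only ASCII forms).
    unique: dict[str, bytes] = {}
    for name, pattern in patterns.items():
        if pattern not in unique.values():
            unique[name] = pattern
    return unique


def find_identifier(data: bytes, hex_id: str) -> list[Hit]:
    """Return every occurrence of the identifier, sorted by offset."""
    hits = []
    for name, pattern in candidate_encodings(hex_id).items():
        start = data.find(pattern)
        while start != -1:
            hits.append(Hit(start, len(pattern), name))
            start = data.find(pattern, start + 1)
    return sorted(hits, key=lambda h: h.offset)


def redact(data: bytes, hits: list[Hit]) -> bytes:
    """Overwrite each hit without changing the file length or other offsets."""
    out = bytearray(data)
    for hit in hits:
        fill = b"0" if hit.encoding.startswith("ascii") else b"\x00"
        out[hit.offset:hit.offset + hit.length] = fill * hit.length
    return bytes(out)


def scrub(data: bytes, hex_ids: list[str]) -> tuple[bytes, list[Hit]]:
    """Redact all identifiers, then re-scan to prove none is left."""
    cleaned, all_hits = data, []
    for hex_id in hex_ids:
        hits = find_identifier(cleaned, hex_id)
        cleaned = redact(cleaned, hits)
        all_hits.extend(hits)
    # An all-zero identifier cannot be told apart from padding, so it fails here.
    leftovers = [i for i in hex_ids if find_identifier(cleaned, i)]
    if leftovers:
        raise ValueError(f"still present after redaction: {leftovers}")
    return cleaned, all_hits


# Constructed sample dump: padding, the reversed ESN, filler, an ASCII copy,
# and an unrelated string that must survive redaction untouched.
SAMPLE_DUMP = (
    bytes(16)
    + bytes.fromhex("78563412")
    + b"\xff" * 4
    + b"ESN=12345678;"
    + b"http://gps.example.invalid/"
)

if __name__ == "__main__":
    cleaned, hits = scrub(SAMPLE_DUMP, ["12345678"])
    for hit in hits:
        print(f"offset 0x{hit.offset:04x}  {hit.length} bytes  {hit.encoding}")
    print("length preserved:", len(cleaned) == len(SAMPLE_DUMP))
```

A clean re-scan only covers the encodings searched for, so other private fields in the dump still need a manual look.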
I had the same thing happen to my EVO last week. Pretty much the exact same symptoms as you. I was able to get the RUU to run, and return my phone back to stock thinking this would fix the problem. I can boot into Sense, but the phone will shut off and do the 5 vibrate thing within a couple of minutes.
I took it into the Sprint store, and the rep told me there is nothing they would do and they would not replace my phone. He assumed it had been rooted (which it had, but I returned it 100% to stock before taking it in), but I have also read of this same thing happening on unrooted phones. I plan on calling Sprint and/or HTC directly to try and get the phone replaced.
From what I've read, it kind of sounds like this is a hardware failure. Possibly something in the internal memory or RAM. Of course, this is just mostly a guess I have. It seems this happens to unrooted phones, but is more common on rooted phones, possibly because of all the flashing we do.
Like I said, it's just a guess of mine, but it kind of makes sense. I wish I could be more help, and I'll definitely be following this thread because this seems to be a fairly common problem with EVOs and Incredibles that nobody has seemed to figure out yet.
hello,
The problem is heat. Try to use your Evo on the AC vent in your car with AC on; you will not get a reboot or any shutdown. Then try to use it without AC...
Whenever internal temp goes more than 38C the Evo goes off, 5 vib. and flashing..
I spent a long time testing this so I am almost 100% sure that heat is the problem with my Evo...
I don't know if there is a way to change the setting on shutdown due to heat but there may be...
adasio said:
hello,
The problem is heat. Try to use your Evo on the AC vent in your car with AC on; you will not get a reboot or any shutdown. Then try to use it without AC...
Whenever internal temp goes more than 38C the Evo goes off, 5 vib. and flashing..
I spent a long time testing this so I am almost 100% sure that heat is the problem with my Evo...
I don't know if there is a way to change the setting on shutdown due to heat but there may be...
I was never able to fix mine, but before getting it exchanged I let it sit all night with the battery out and would have the same results. So I know mine wasn't overheating.
strdrk1 said:
I was trying to root my phone using unrevoked 3.32, and during the install it stopped with a backup CID error missing or something like that. I checked to see in hboot if it was rooted with it showing S-OFF, and it was, but recovery still showed the regular triangle red error. So I restarted normally and tried to install terminal emulator on the phone, and that's when it first started vibrating 5 times, then going blank with a green LED flash. The phone will boot normally, I'm usually able to use it for a min or less, then it will repeat with the blank screens. After checking back into hboot it now shows that it's unrooted with S-ON. Now I also have problems with the USB/sdcard.
Things I have done to get it back to normal:
- hard reset using clear storage.
- Checking in the SD storage menu I could see it wasn't reading the SD card, so I restarted it in bootloader and through fastboot typed: fastboot oem enableqxdm 0.
- flash through bootloader this file: 3.70.651.1_PC36IMG.zip
After flashing it still takes multiple battery resets to finally get it through the first start up menu and then to the regular home screen. Seems to read the SD card fine, but when connecting the USB from wall charger or PC it doesn't recognize it at all.
The phone is 4 days old and seems to be back to stock except it still vibrates and goes blank with green LED flash and it won't recognize charging/PC connection. Will I have any problem if I just go back to Sprint and say I want a new one, it's not working right?
Phone info:
Baseband: 2.15.00.11.19
kernel: 2.6.32.17-gee557fd
Software: 3.20.651.1
PRI: 1.90_003
PRL: 60676
Hardware: 0003
HBOOT-2.10.0001
It's bricked. Happened to me when I tried to fix a problem with my phone not mounting the microSD card to any computer (got error message back on a Windows computer saying that the device wasn't recognized). You could probably try to flash the PC36IMG.zip file again from the bootloader, this time without all the addenda at the beginning (if you did that already, then never mind).
My guess: pray that Sprint doesn't see any evidence of root. If you RUUed back already, they may not see it. You're probably in better position than I am, since the brick happened before I could RUU back with a PC36IMG file (and thus Sprint could see the root. At least Asurion doesn't seem to care about root, as long as I say nothing about it).

[Q] Restoring IMEI i747 ATT

So I hope this thread isn't too useless. I've been researching how to restore my imei after losing 4g signal when my phone randomly (just sitting there on the desk, not touching it), decided to get stuck in a reboot loop.
Here's my specs:
Network: AT&T
ROM: CyanogenMod 11-20141112-SNAPSHOT-M12-d2lte
Modem: UCUEMJB
Recovery: ClockworkMod 6.0.4.3
Device Model: SAMSUNG-SGH-I747
Product Code: Not Active
PDA Version:
Baseband Version: I747UCUEMJB
CSC Version:
Kernel Release: 3.4.104-cyanogenmod-g9f57632
Kernel Version: #1 SMP PREEMPT Tue Nov 11 22:15:56 PST 2014
ROM Build: d2uc-user 4.3 JSS15J I747UCUEMJB release-keys
Android Version: 4.4.4
BusyBox Version: 1.22.1
SU Binary Version: 2.40:SUPERSU
So here's what I've learned. My IMEI was lost due to a weird Samsung backup procedure that backed up my /efs folder with essentially a blank copy of important information. I have my IMEI, but writing it to the phone is very difficult. From this tutorial I learned to download QPST, and somewhere else I heard about EFS Professional.
So I tried to use EFS Professional first, and have been able to connect my phone (Had to install adb first via the official android sdk). I was able to make a backup of my efs folder. I was also able to change the usb settings to DIAG + MODEM + ADB. Then I launched the Qualcomm NV Tools. From there, by unchecking "Send SPC" and "Read Phone" I was able to connect to the phone, but any other button I pressed didn't accomplish anything except disconnecting the phone again.
This is when I turned to QPST. I knew from EFS Professional which COM port my phone was using each time, and I added the COM ports to the QPST Configuration program for listening. But my phone was never listed as available in the ports tab, nor was it listed in my device manager under COM ports. I tried using the RF NV Item Manager anyway, entering in my IMEI "backwards" with an 8 in the first line and an "a" after the first real number in my IMEI, but my phone was never really connected, so of course nothing happened.
I learned this was probably because I have no IOTHiddenMenu / Qualcomm USB Settings Menu / whatever you want to call it with USSD codes, because I'm using an AOSP ROM (Cyanogenmod). This thread and this thread were useless in enabling DIAG mode, because of broken links and scripts that no longer work on newer versions of CM.
My next plan is to change ROMs to a TouchWiz ROM, but I haven't found a good one yet, especially considering I've upgraded my bootloader and I know that if I flash a ROM with a downgraded bootloader, I'll definitely brick my phone. So is there a ROM I can use with an upgraded bootloader that won't brick my phone and will allow me to enter DIAG mode so that I can connect to QPST via a COM Port, use the RF NV Item Manager, and put in my old IMEI? Or am I just going about this all wrong?
You do have to be on a TW ROM with a stock dialer for ussd codes to work. Based on everything you posted you should be on the mjb boot loader, but confirm that first. Enter this into a terminal or adb shell:
Code:
getprop ro.bootloader
If you are on an mjb bootloader, then this ROM should work for you http://forum.xda-developers.com/showpost.php?p=47816011&postcount=18. It's a rooted deknoxed at&t stock mjb.
Good luck.
---------- Post added at 12:04 PM ---------- Previous post was at 11:57 AM ----------
You probably already discovered this in your research, but just in case. When you get your imei problem solved, before flashing something other than a TW ROM, enter this in a terminal or adb shell:
Code:
su
reboot nvbackup
That will fix Samsung's whoops and give you a working efs backup partition instead of a blank one.
Thanks! I'll try this and get back.
alexalexalex09 said:
Thanks! I'll try this and get back.
You were right about the bootloader - when I looked up the ro.bootloader property, it spit back what I thought was my modem identifier, I747UCUEMJB - so yes, MJB. I'll get a chance to flash the new ROM tomorrow or the next day and see how it goes.
So, two steps forward and three steps back. I did install the new ROM. Initially, it appeared to work, because I was able to dial *#7284# to access the service mode menu and change UART to MODEM, and then dial *#0808# to access the USB Settings menu and change that to RMNET+DM+MODEM. After that, the phone showed up under COM5 in the Device Manager. I opened up QPST Configuration and added COM5 (labelled it "COM5") under ports. However, the phone never showed up (Phone column read "No Phone").
I then tried EFS Professional, but it was unable to detect the phone. I opened up the command line and tried an adb shell, but it didn't connect. Of course, the phone was in RMNET+DM+MODEM mode, not an ADB mode. I then went back into USB settings, changed it to DM+MODEM+ADB, and reconnected the phone. The phone wasn't detected by the computer, and hasn't been since.
I've restarted the phone and the computer multiple times (Windows 7 32 bit), uninstalled the phone drivers, reinstalled them in two different versions, uninstalled and reinstalled QPST (removing the relevant registry entries in between installs), and went through a number of combinations of settings on the phone. I tried with UART set to MODEM and PDA, with USB settings set to DM+MODEM+ADB, RMNET+DM+MODEM, MTP, and MTP+ADB. I made sure superuser was installed correctly and that developer mode was enabled. I still have not gotten the phone to charge in that USB port or show up in Device Manager in any way, even though the USB port on the computer still functions (can access flash drives from it). I plan to do some more googling and troubleshooting about this, but I haven't had the time to yet. On Wednesday I'll hopefully have a minute to try using my work laptop to access the phone. I think once I get the phone to be recognized via USB again I'll be able to have QPST Configuration recognize it, then I'll be able to use that RF NV Item Manager to enter in the new IMEI.
Also, in potentially unrelated news, my install of Titanium Backup is unable to recognize any apps I backed up, even ones that have been previously restored. It sees them in the backup folder (backup folder location says this folder contains 52 backups), but no apps were listed in the backup/restore tab. Maybe this has something to do with the mount namespace separation setting in SuperSU? I'll test that later.
Some newer ROMs will install but not give you cell service without the newest bootloader and modem.
Try flashing the last release of CM11. I would not touch the bootloader, modem, or EFS folder until you try an older ROM.
audit13 said:
Some newer ROMs will install but not give you cell service without the newest bootloader and modem.
Try flashing the last release of CM11. I would not touch the bootloader, modem, or EFS folder until you try an older ROM.
Thanks for chiming in, but I don't understand how this applies. I was on CM11 when my IMEI was removed. When you lose your IMEI, the main symptom is that you can't connect to 4g anymore, and you're stuck on EDGE, which is what happened in my case. I can in fact make calls and send texts, and even load web pages without wifi. It's just slow and prone to call dropping.
As for your advice to install an older ROM, I just flashed a stock ROM, the one linked above. It didn't cause my current lack of USB connection, because I had a USB connection for a while until I changed the UART and USB settings.
I definitely will not touch the bootloader - I've been warned about the dangers of downgrading from an MJB bootloader. I'm not sure what you mean by not touching the modem, but I'm going to assume it's as scary/difficult as the bootloader, so I'll be sure to stay away from changing that too.
As far as not touching the EFS folder, as far as I see it, that's my only way out of this hole, because my end goal is to replace the IMEI that I randomly lost last week, and that's part of the EFS folder in some way that hasn't been explained to me (although I know it has to do with NV settings, maybe some file called nvdata.bin that I've never found, or the /EFS/IMEI folder?). So I think I have to ignore that bit of advice, unless you can give me a good reason to change my goal in all this.
alexalexalex09 said:
As far as not touching the EFS folder, as far as I see it, that's my only way out of this hole, because my end goal is to replace the IMEI that I randomly lost last week, and that's part of the EFS folder in some way that hasn't been explained to me (although I know it has to do with NV settings, maybe some file called nvdata.bin that I've never found, or the /EFS/IMEI folder?). So I think I have to ignore that bit of advice, unless you can give me a good reason to change my goal in all this.
I should note that I took a look at my EFS folder while writing this last post, and it's completely empty now. So that's fun.
I suggested flashing back to an older ROM because you made some changes since your original post.
I suggested not touching the bootloader, modem, and EFS because flashing an incompatible bootloader/modem combination can hard brick the phone.
Since your bootloader and modem match, I'm out of suggestions other than perhaps visiting a repair shop to have it fixed.
audit13 said:
I suggested flashing back to an older ROM because you made some changes since your original post.
I suggested not touching the bootloader, modem, and EFS because flashing an incompatible bootloader/modem combination can hard brick the phone.
Since your bootloader and modem match, I'm out of suggestions other than perhaps visiting a repair shop to have it fixed.
Thanks for the clarifications. I did visit a shop to see if they could fix it, and all I got were blank stares and people who don't want to deal with IMEI repairs. So back to my own attempts! I realized a couple days ago that my problem in connecting to the computer is that I've developed a crack on my phone's USB port. Also, I think my home desktop's messed up. So with a nice, sturdy cable I installed all the necessary programs on my work laptop (Samsung Drivers, ADB, EFS Professional, and QPST just for fun). I tried EFS Professional first and by using the Qualcomm NV tools I was able to restore my IMEI! I rebooted the phone and now by dialing *#06# I see my IMEI followed by "/ 17".
So now onto the next problem: Still no 4g signal. Under Connections > More Networks > Mobile Networks, there are some errors. I only have one APN, named "ATT Phone" with an APN of "phone" and an MMSC of mmsc.mobile.att.net, and under network operator it simply says "Default Setup". Some research later, I realized this is a common problem, and I guess it has to do with my NV Data being messed up. Obviously, item 550 (0x226) is correct, which I was able to verify using a program called NV-items-reader-writer, but something else is screwed up. Peoplearmy has released a tool that can restore a backed up QCN file, which of course I don't have, so I'm in the process of seeking help from a generous soul who has an app that might help me. Apparently I could also use someone else's NV Items backup, replacing their IMEI with my own. But, I don't have one, so I'm stuck waiting on someone to be nice to me.
I did try the method posted here: http://forum.xda-developers.com/showthread.php?t=1808408&page=16
But it didn't work. This thread and this thread and this thread were helpful to me for research.
I got it! Problem solved!!
So what I realized after going back over those research threads quickly was that I was using Peoplearmy's QCN generator incorrectly. Here's how I fixed it.
1. Opened QPST, followed directions here to connect my phone and start up QPST Software Download.
2. Having already injected my IMEI, I used the backup tab to make a backup.
3. I opened Peoplearmy's SG3QCNGenerator and imported the QCN file that QPST just created. I left "inject IMEI" unchecked, since I already had my original IMEI. I clicked Save As to set the directory and name of the new file, and clicked the Verify IMEI button that appeared to verify that it was correct.
This was the step I had missed - because I never had a valid QCN file to import, I never was able to create a new QCN file. My error in thinking was that, since my current QCN file was obviously messed up, I couldn't use it to make a new QCN file, but that's the whole point of this software.
4. Once I had the new QCN file, I went back to QPST's Software Download program and used the Restore tab. The QCN file generated by Peoplearmy's tool didn't match my model number, but I approved it anyway. It restored the QCN file correctly, but it had an error when it tried to reset the phone.
5. I rebooted the phone manually, and I now have 4G signal!
So, to summarize the difficulties I had:
1. I didn't make an nvbackup before I flashed CM a year ago, and it didn't hurt me until now.
2. I lost my IMEI and couldn't restore it because 1) I was on CM, which stopped me from putting my phone in DM + MODEM + ADB mode and 2) The computer/cable I was using to work on my phone, for whatever reason, were being stupid.
3. I didn't understand that in order to fix my phone I needed to restore my IMEI and repair my nv items (.qcn file)
4. I didn't realize that I could use Peoplearmy's tool to take a messed up nv items qcn file, fix it, and restore it to my phone.
All the tools I ended up needing: Samsung Drivers, ADB, ES Professional, QPST, and Peoplearmy's SG3 Data Restorer. Hope this helps someone else out there.
:good: thanks for posting fix.
"all i can really do , is stay out of my own way and let the will of heaven be done"
Great job. Thanks for posting your solution back here so others can find it.

[Q] ERM... I tried something without knowing fully what it would do.

I know that it was foolish of me to not fully research this set of commands. I have copied the before and after of it all from the command line. I was attempting to mess around with my phone with QPST. I know, I can REALLY REALLY make things hideous if I don't tread carefully with QPST, but I am willing to take the risk in order to learn, even if I do get burned because my phone bursts into flames.
Anywho, here is the output from my command line, which I ran because using *#0808# and switching to either RNDIS+DM+MODEM or DM+MODEM+ADB didn't make my phone visible for QPST. And I also tried while in recovery, download mode, and all the other settings in the *#0808# menu, plus variations of the menu and then booting into recovery, normal boot, and download mode. All to no avail, then in frustration I tried the following and it's gotten to the point I can't see my phone via adb anymore. So could someone please give me the undo set of commands for typing into my phone's terminal, as I can't type them via my computer due to adb not seeing it anymore? Thanks
C:\Users\xxxxx>adb devices
List of devices attached
0123456789ABCDEF device
C:\Users\xxxxx>adb shell
$ echo MODEM USB > /sys/class/sec/switch/usb_sel
echo MODEM USB > /sys/class/sec/switch/usb_sel
cannot create /sys/class/sec/switch/usb_sel: permission denied
$ su
su
# echo MODEM USB > /sys/class/sec/switch/usb_sel
C:\Users\xxxxx>adb shell
error: device not found
Oh!, and if anyone can explain either what the commands did or better yet where I can go read about such commands and what they do that would be great too. Thanks
Not sure how relevant this is or if it will help you but this man seems to be in kinda the same boat, why don't you take a look at this thread particularly post #2 http://forum.slimroms.net/topic/2008-broken-usbuart-path-causing-loss-of-adb/
Sent from my Nexus 7 2013 using Tapatalk
crazymonkey05 said:
Not sure how relevant this is or if it will help you but this man seems to be in kinda the same boat, why don't you take a look at this thread particularly post #2 http://forum.slimroms.net/topic/2008-broken-usbuart-path-causing-loss-of-adb/
Sent from my Nexus 7 2013 using Tapatalk
Thank you for the link I haven't tried anything based on the information yet, actually haven't read it all yet. Very complex stuff just lets me know how far I have to go. Odd thing is that I now for some reason have ADB working again. I did a factory reset recently and the other day I reinstalled/refreshed my computer. My computer was infected by a bunch of viruses and malware the phone was just sluggish and I had way more apps I wanted rid of than to keep. Anyway, I don't know if the virus on my system had anything to do with the malfunction or if it was the command I used but for now it is back to working.
I was working on a friend's HTC Desire and was having a hell of a time getting fastboot commands to work. I got hboot USB working but when giving a command it would generate a "device connected to USB has malfunctioned" also the USB ports would shut off until reboot too intermittently and even my wifi three or four days ago became disabled and I reset the adapter fine for 5mins then it went a level deeper and deeper till I reinstalled the driver. That being said it is more likely that it was the virus and or the person messing with my system that was causing all the grief. They even triggered email alerts on a couple of my accounts that passwords were input wrong 5 times in a row and that some security settings were being changed. Hopefully I have dealt with that if not I'll have to wait till they get bored. Sorry if that was a little off topic it sort of connects to my recent problems.

Nexus 7 (2013) multiple "Unfortunately..." after motherboard swap / image reflash

Hello all - I'm hoping someone can provide some assistance / suggestions...
A few months ago, my son's tablet went for a quick swim (dropped into the toilet). Unfortunately, I wasn't at home (on a business trip) to immediately power it down and pull the battery. I'm not sure if it was turned off / back on / off again or what, but it was quickly put into a bag of rice to try and minimize the damage until I came home to review.
Inspection of the tablet confirmed it was dead - no response to either buttons or plugging in the charger. Found the ifixit how-to, and after obtaining some tools I popped the back case off to see what was what. Disassembly revealed a nice scorch mark on the underside of the motherboard, right where the main chip was, so it was pretty obvious what the failure was.
I decided that I'd give repairing it a go, and bought a replacement motherboard from ebay a couple of weeks ago. Swapping the board over was no problem, and I was happy to see that after letting it charge fully, it booted up and went into the 'Setup' routine.
However, this is where the problems started - as it was working through the setup (language / wifi / copy apps/data from other device etc) there were numerous "Unfortunately, xxx has stopped" messages. I kept 'ok'ing them, and the tablet made it to the point where it was starting to download the saved apps etc from the playstore before it rebooted.
When it powered back up, the 'Unfortunately" pop ups were worse than before, so after doing some searching I decided to try flash a factory image (razor-mob30x) , as per the link on the Nexus help forum. The flash seemed to work (no errors in fastboot mode, laptop was communicating with the tablet) but the pop ups were still as plentiful as before. I have tried the flash multiple times, even going back to lollipop, but with no real improvement. The last thing I tried tonight was to start the recommended flash process from step 1, re-downloading and installing all the required programs, but without success.
I'm not sure what else to try, as the factory image reflash should erase all the installed files.
My only thought is maybe trying to sideload the correct gapps / play services / etc in fastboot mode?
Any suggestions appreciated,
Roadie73
Update..
So, because I'm a glutton for punishment, I've been playing with the N7 again this evening...
Grabbed my old laptop, and went through the complete routine again - loading adb and fastboot onto the laptop, then the N7 factory image - and ended up with basically the same result - the tablet will look like the files have taken, but almost immediately after restarting and loading to the blue set up screen, the "Unfortunately..." messages start again.
I was able to get all the way through the set up, and have it copy and start to download the files off the tablet I was using previously, but the pop ups persisted, and it gets to a point where it is looking for a google play services update, and the process comes to a screeching halt.
I found another 'How To" and tried sideloading a rescue OTA update, which might be a little better, but the messages persist....
I'm almost wondering if it's worth reflashing the factory image back to whatever the N7 shipped with, and then trying updates from there, as it seems to be the play services / store / apps that is the issue.
The other strange thing is that when I sign in with my google account, it shows as a Nexus 7 2012, even though it's a 2013 - might the original software on the replacement motherboard have been corrupt?
Still trying...
Roadie73 said:
it shows as a Nexus 7 2012, even though it's a 2013 - might the original software on the replacement motherboard have been corrupt?
Interesting, please post the output of the 2 commands...
boot the Nexus in fastboot mode (when off press power+vol.dn)
connect it to your PC
on PC run:
fastboot getvar all
fastboot oem gpt-info
If you can, also attach logs...
download get-logs.zip to a FAT32 flash drive
connect the flash drive to your N7 with OTG adapter
download TWRP to your folder with fastboot and adb apps
boot the Nexus in fastboot mode (when off press power+vol.dn)
on PC run: fastboot boot twrp-3.1.0-0-flo.img
when TWRP is up, go: install/select-storage/usb-otg/get-logs.zip/flash
logs.tgz will be saved on the flash drive
attach logs.tgz here
It's simpler if you have TWRP already installed. You can also use get-logs.zip from internal storage.
Hi k23m,
I ran the two commands you suggested (getvar all and oem gpt-info) , and grabbed the outputs of both as screen captures and dumped them into a ppt file (which I can't seem to attach - there is no 'manage attachments' option I can see )
I installed TWRP on the N7, but was unsuccessful in creating / grabbing logs.tgz file - which might have to do with the USB connector on the N7 being flaky - if the otg cable wasn't held in exactly the right way it wouldn't recognize the flash drive.
If I can figure out how to add the attachment I will in a separate post, or I can always email it to you direct.
Thanks,
Roadie
Hello k23m,
Finally had a couple of minutes to play with the N7 again - copied the get-logs file over to the tablet (that was behaving for once).
Unfortunately, despite copying the file off the N7 onto the laptop, a *.tgz file can't be attached. So I did the next best thing and copied the screen caps into an excel doc, which is one of the valid extensions.
Please see the attached file - I had a look at the output, but it means nothing to me...
Thanks,
Roadie
added 'logs.tgz' file run previously - please rename from *.xls
Hopefully it might provide some insights into why the N7 is mis-behaving.
Thanks,
Roadie
The logs are OK.
Roadie73 said:
when I sign in with my google account, it shows as a Nexus 7 2012, even though it's a 2013
If you have followed the factory image installation instructions and you see the error messages before setup's initial sign in, then your hardware is faulty.
If it happens after sign in, then perhaps Google has corrupt account data ("it shows as a Nexus 7 2012"). Try a new account. Try a custom ROM with Gapps.
Ok, thanks.
Just tried a factory reflash as per the link, but fastbooted the individual files (boot / recovery / system / userdata / cache) separately as from what I have read using the 'flash-all' batch file has intermittent results.
Looked like the files loaded in successfully, but I'm still getting the "Unfortunately.." messages popping up on the initial sign in screen for set-up
So, based on k23m's assessment above, it sounds like it's a hardware problem
As far as I know the touch screen is ok (it's responsive in all areas, as far as I can tell). The daughterboard is not the original (that took a swim) - it was swapped out of another N7 when the charging port started to spread (and that tablet was issue free) So it looks as if the issue is in the replacement motherboard.
I guess I could try removing and reinstalling it, on the off chance it's a flaky connection somewhere.
I will also check to see if there was any sort of guarantee / replacement policy for the replacement mobo, but it sounds like I'm out of luck
Any other suggestions / checks I can perform to see if I can narrow down where the issue lies?
Thank you,
Roadie

Uconnect 8.4 ver 17.11.07 trying to "root"

I was posting some questions in the "Rooted Jeep Cherokee '14 Uconnect" thread but I've started this new thread for the 17.xx versions because the methods (if we are able to identify them) aren't the same as the 16.33.29 and earlier firmwares...
I am still trying to crack into that unit with the 17.11.07 software. I have a D-Link USB Ethernet but it's a HW revision D and I believe I would need a B if we can get ethernet enabled at all.
Also, if we can get Ethernet enabled we will still need to get SSH password or key.
devmihkel said:
For good or for bad NOT everything appears correct, except the running 17.x version... As of now neither the "commercial jailbreak" supports new versions (well yes they were using exactly the same file to start with Also 16.51.x or newer appears to be no go: uconnect-8-4-8-4an-update
EDIT: haven't got 17.09.07 to try, but on 17.11.07 manifest.lua has changed and the last block/ search keyword is "ota_update" instead. Otherwise all the same, image valid after the edit and script.sh gets fired - at least on 16.33.29 that is @HanJ67 Did you actually try to mount installer.iso after the edit and checked /etc/manifest.lua for the end result before?
devmihkel said:
Yeah, 2nd attempt is much better as last lua block is correctly terminated and your script might actually run, but unfortunately no successful 17.x runs have been reported so far SWF scripts are not involved in update/jail-breaking run, these ones become relevant only once you are in (and need to enable some app or wifi or navi features etc). Afaik 17.x blocks ethernet dongle usage as well, but let's see if even the USB driver/link gets activated at all?
Do you have a 16.33.29 version I can try this on? I'm wondering if it will get me far enough to execute the "manifest.lua HD_Update" hack you and @HanJ67 were discussing.
I've used the 17.43.01, then finally found a 17.11.07 and had no luck there either.
In my latest attempts on the 17.11.07, I was able to hex edit the "ifs-cmc.bin" on the UPD and replaced the SSH-RSA key with my own. I think this bin will be flashed to the MMC during an update.
That SWDL.UPD got past the initial check and rebooted into update mode, but then it fails the second ISO check and loops. I had to use an unmodified image to finish the update and get back up and running.
I keep reading about making changes only after the 2048 Byte mark in the older versions with the "S" at 0x80. Is this still relevant in later ISO/UPD images and to the second ISO check?
Right now, I'm looking to find a way to disable that check so that my modified .bin will be written to disk? I think this route would work to also modifying and getting WiFi enabled after a flash of the edited image.
If I had a 16.33.29 or similar older UPD version to attempt the HD_UPDATE hack in the Manifest.lua file I would give that a shot to be thorough.
Do you have an idea how to connect to uConnect by USB2LAN adapter?
Do you know if there are UART pins on the mainboard?
Hello, any news about it?
hi,
can you explain how to change SSH key in "ifs-cmc.bin" file?
thanks a lot
sofro1988 said:
Hello, any news about it?
I have not had much time to work on this.
I actually had an idea last week that brought me back to this. I plan to use a custom flash drive to present an unmodified ISO for verification, then swap nand to an identical image that has been hex edited to enable usb Ethernet and add a custom key for ssh access.
I thought to stack a NAND on top of the original on a USB flash drive, then break out the Chip Enable pin to a switch. I've seen this done with guys modifying game consoles to be able to run modified firmware.
Once the 2nd NAND is in place I will restore an image of the original nand containing the unmodified update, then hex edit the required portions to allow access after updating.
If this method works, I should be able to pass the verification with the original nand chip, then switch it (hopefully there's a big enough window to do this by hand) then present the modified nand before it begins the flash procedure.
Hopefully someone more intimately familiar with the update scripts can verify I'm not missing anything in the process
Tajadela said:
hi,
can you explain how to change SSH key in "ifs-cmc.bin" file?
thanks a lot
I used a hex editor to find the Ssh RSA key and replace it. This passed the initial check to reboot into update mode, but wouldn't pass the full check in update mode. I'm hoping my attempt below will pass that check and still update with the modifications.
itsJRod said:
I used a hex editor to find the Ssh RSA key and replace it. This passed the initial check to reboot into update mode, but wouldn't pass the full check in update mode. I'm hoping my attempt below will pass that check and still update with the modifications.
thanks for answer.
I saw an ssh key with the hex editor, but I would like to see exactly what you have replaced.
if it's not too much trouble, it would be interesting to see with some screenshots the changes you've made.
So we could work on two fronts. The idea of the double nand is good, but not very simple to make ...
Just thinking out loud here, when you say it passes the initial check, does it then give you any confirmation of that or any message on the screen before rebooting to upgrade mode?
Sent from my CLT-L09 using Tapatalk
SquithyX said:
Just thinking out loud here, when you say it passes the initial check, does it then give you any confirmation of that or any message on the screen before rebooting to upgrade mode?
Sent from my CLT-L09 using Tapatalk
I tried much the same thing -- the swdl.upd is another CDROM filesystem:
martinb$ file swdl.upd
swdl.upd: ISO 9660 CD-ROM filesystem data 'CDROM'
It contains three more .iso files : installer.iso, primary.iso, and secondary.iso
installer.iso is a CDROM image, but is not mountable on my linux system
primary.iso is a CDROM image, and has the usual /bin, /etc/, and /usr filesystem for an install
the /bin directory has one file - update_nand
the /etc directory has the usual mfgVersiontxt, nand_partion.txt, system_etfs_postinstall.txt, system_mmc_postinstall.txt and version.txt
the /usr/share directory is all the firmware for various components - EQ, HD_FIRMWARE, IFS, MMC_IFS_EXTENSION,OTA,SIERRA_WIRELESS,V850, and XM_FIRMWARE
What's interesting to me is that they did update the SIERRA_WIRELESS firmware -- and have done some housecleaning:
Code:
#---------------------------------
# sierra_wireless_disable_flowcontrol.file
# \d == 1 second delay
SAY " Send AT \n"
'' AT\r
OK \d
SAY "Disable flow control\n"
'' at+ifc=0,0\r
OK \d
SAY "Send SMS command CNMI\n"
'' at+cnmi=2,1,0,1,0\r
OK \d
SAY "Clear emergency number list\n"
'' AT!NVENUM=0\r
OK \d
SAY "Set emergency number to 911\n"
'' AT!NVENUM=1,"911"\r
OK \d
SAY "Save Setting\n"
'' at&w\r
OK \d
#---------------------------------
Also in the IFS directory, when you hexedit the ifs-cmc.bin file it reveals another little treat... an SSH root public key ( not as nice as a private key, but hey )
(Sorry about the formatting, this is cut/paste right out of the hex editor)
Code:
ssh-rsa [email protected]
2E..IwU.Q....njle8r9nrJ7h8atg4WfqswU0C0Rk/Ezs/sQs5ZA6ES82MQONjHBd7mw
uo8h0xfj3KeeSHMXCEBpmU26guNE4EqfvdioLFCDUxtvMYswlUZjsvd/NYz9lnUZg2hy
pwzFQjXgSzmHVrHjkKKvq7Rak/85vGZrJKxlvHnowA8JIl1tVNVQjPMNgDDJabaETtfw
LL1KlvAzI81cKOG/3IRn9lU6qyYqyG+zYoza0nN\..7/AtxdL481k81Go5c3NQTnkl2U
68lbu8CpnwrYCU098owLmxdI4kF5UOL4R61ItJuwz30JSESgT..!8RDgM6XEiHUpK9yW
vvRg+vbGWT/oQn0GQ== [email protected]
in /usr/share/MMC_IFS_EXTENSION/bin/cisco.sh and dlink.sh there's another good hint - what adapter you need for USB ethernet
Code:
#!/bin/sh
# Handle an Ethernet connection via the CISCO Linksys USB300M adapter
or
Code:
#!/bin/sh
# Handle an Ethernet connection via the D-Link DUB-E100 adapter
The static IP it brings up if no DHCP is offered is : 192.168.6.1
There's tons more in there -- like the V850 chip has access to the Sierra Wireless CDMA modem, but can configure it for voice calls through the car speakers:
"AT!AVSETPROFILE=8,1,1,0,5" ( embedded in the cmcioc.bin update file )
secondary.iso is a CDROM image and only has /etc/ and /usr
the /etc/ directory has speech_mmc_preinstall.txt and xlets_mmc1_preinstall.txt
the /usr/ directory has /usr/share/speech and /usr/share/xlets ( tons of information about sensors in the car, etc in xlets )
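Added example, not code from the post above or from any Uconnect tooling: when auditing a firmware image such as the ifs-cmc.bin described above, it helps to inventory every SSH public key baked into it, with offset, key size and fingerprint, so the keys can be tracked across firmware versions. The Python below scans a binary for OpenSSH public-key lines, decodes the RFC 4253 key blob, and flags damaged copies. The function names and the sample image (including its key material) are constructed for illustration.

```python
import base64
import hashlib
import re
import struct

# Key-type token, blanks, then a base64 body of at least 40 characters.
KEY_RE = re.compile(
    rb"(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp\d+)[ \t]+([A-Za-z0-9+/]{40,}={0,2})"
)


def read_string(blob, off):
    """Read one RFC 4251 string: uint32 big-endian length, then the bytes."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", blob, off)
    end = off + 4 + length
    if end > len(blob):
        raise ValueError("field runs past end of blob")
    return blob[off + 4:end], end


def parse_pubkey(b64_body):
    """Return (inner key type, RSA modulus bits or None, SHA256 fingerprint)."""
    blob = base64.b64decode(b64_body, validate=True)  # ValueError if damaged
    inner, off = read_string(blob, 0)
    bits = None
    if inner == b"ssh-rsa":
        _exponent, off = read_string(blob, off)
        modulus, off = read_string(blob, off)
        bits = int.from_bytes(modulus, "big").bit_length()
    digest = hashlib.sha256(blob).digest()
    # Same form ssh-keygen -l prints: unpadded base64 of SHA-256 over the blob.
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return inner.decode("ascii", "replace"), bits, fingerprint


def scan_image(data):
    """Find SSH public keys embedded in a binary image and describe each one."""
    findings = []
    for match in KEY_RE.finditer(data):
        outer = match.group(1).decode()
        rec = {"offset": match.start(), "type": outer, "ok": False,
               "bits": None, "fingerprint": None, "note": ""}
        try:
            inner, bits, fingerprint = parse_pubkey(match.group(2))
            if inner != outer:
                raise ValueError("type inside blob is %r" % inner)
            rec.update(ok=True, bits=bits, fingerprint=fingerprint)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            rec["note"] = str(exc)
        findings.append(rec)
    return findings


def mpint(value):
    """Encode a positive integer as an RFC 4251 mpint (with length prefix)."""
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw


def build_sample_image():
    """Constructed test image: one intact key line and one truncated copy."""
    # Constructed 2048-bit number, not a real RSA modulus.
    modulus = int.from_bytes(hashlib.sha256(b"constructed").digest() * 8, "big")
    modulus |= (1 << 2047) | 1
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(65537) + mpint(modulus)
    body = base64.b64encode(blob)
    good = b"ssh-rsa " + body + b" root@constructed.example\n"
    damaged = b"ssh-rsa " + body[:120] + b"\x00\x00"
    return b"\x00" * 64 + b"IFSDATA" + good + b"\xff" * 32 + damaged


if __name__ == "__main__":
    for item in scan_image(build_sample_image()):
        print(item)
```

A key copied out of a hex editor with unprintable bytes shown as dots, like the one pasted above, will fail base64 decoding or blob parsing and be reported with `ok` set to False rather than given a fingerprint.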
Have you tried connecting to it?
Sent from my iPhone using Tapatalk
sofro1988 said:
Have you tried connecting to it?
Sent from my iPhone using Tapatalk
I managed to connect with the cisco adapter (usb / ethernet), but I don't know the root password. is the problem at the moment insurmountable ..
Using a cisco connector, I have gotten the ethernet to come up, but that's it. At the moment, there doesn't seem to be anything I can connect to.
@Tajadela - sounds like you at least were able to either SSH or telnet in to a port... I'm on software version 17.43.01 .. which are you on, and what year vehicle? ( Jeep Grand Cherokee, 2015, Uconnect 8.4AN with the 3G Sierra Aircard modem for Sprint )
martinbogo1 said:
Using a cisco connector, I have gotten the ethernet to come up, but that's it. At the moment, there doesn't seem to be anything I can connect to.
@Tajadela - sounds like you at least were able to either SSH or telnet in to a port... I'm on software version 17.43.01 .. which are you on, and what year vehicle? ( Jeep Grand Cherokee, 2015, Uconnect 8.4AN with the 3G Sierra Aircard modem for Sprint )
I connected in telnet on a uconnect 6.5 with firmware 15.xx.xx. You can connect to Uconnect with static IP it brings up if no DHCP is offered is: 192.168.6.1
itsJRod said:
I used a hex editor to find the Ssh RSA key and replace it. This passed the initial check to reboot into update mode, but wouldn't pass the full check in update mode. I'm hoping my attempt below will pass that check and still update with the modifications.
After the RSA key is replaced, do you have to recalculate the checksum of the UPD file?
Have you replaced the first 64 bytes of the file?
Thanks
@itsJRod, would you like to explain the procedure to replace the RSA key in the swdl file? Thank you
Hello,
have you made any progress? I am a bit lost. I put the EU uconnect MY15 to US dodge charger MY16 and Perf Pages were working fine even on 16.16.13, although after upgrade to 17.x (17.46.0.1 right now) I am meeting the problem of expired subscription (which is not possible to have on EU radio).
I am considering basically three solutions:
a) going back to US radio, but modify the language pack/nav/FM frequencies (it is doable, but I do not know how, although I can pay for it relatively less than time invested)
b) downgrade to 16.16.13 - I have no clue how to do it, I tried to put swdl.upd with swdl.iso as and installer.iso with no luck of course.
c) take xlets from KIM2/ of 16.16.13 to KIM23 of 17.46.0.1 secondary.iso - this is probably preferred way but I do not know how to make it to pass ISO validation.
Of course root on uconnect is extremely nice to have but I will be fully satisfied with Perf Pages working again.
Hello.
I'm hoping the community can help me out. I have a RAM 1500 with the RA4 (was running the 17.11.07 software that I got pushed to me OTS style a couple years ago). Since then, problems: radio turn-on delay, no GPS and a cellular phone warning popup.
I was told to do the 18.45 update, which I got from driveuconnect.com, but this has essentially bricked my radio with the "bolo update failed" error, and it is looping continuously.
I have tried many ways to modify the update software's manifest.lua script to try to get rid of the Sierra Wireless portion by manually editing, hex editing, etc., but always get the "please insert the USB card" screen.
Uconnect is obviously completely worthless to help me, and the dealer wants me to pay them money to tell me what I already know. I know I can pay 300 and send my radio to infotainemnt.com to get it repaired, but I would like to solve this on my own if possible, because I would like to further modify the software to make it more custom and unique.
From my reading, the 17x version keeps you from downgrading to a version that can be hacked easily.
Everything seems like it should be pretty straightforward, as I have a lot of experience in programming and embedded devices.
It seems they are validating the ISOs using some mechanism; I believe I have tried all of the tricks/methods.
I have searched the code to see if I can find the ISO MD5 or SHA256 hashes that ioc_check is probably using to figure out I changed something, but nothing works.
I have even tried swapping the flash drives after validation, but it seems they are using the ISOs they already copied to continue the process; I then end up getting some invalid errors or the update just crashes out.
I got other updates from the link: http://www.mydrive.ch/
username: [email protected]
Password: gasolio
Haven't tried all of them yet, but pretty sure they won't work, due to the 17x security changes.
Any help would be greatly appreciated. I really don't want to shell out any cash for something a company told me to do, and due to their screw-up with bricking modems, this is now bricking my radio.
Thanks to all in advance !!!
Just to follow up for anyone who reads this in the future.
I was able to get my uconnect working again a few minutes ago.
As my previous post stated I got stuck in the "bolo update failed" loop.
I downloaded the UCONNECT_8.4AN_RA4_16.33.29_MY16.exe update from the url posted in my previous comment.
I did the S Byte HEX Mod to the swdl.iso file, loaded it and the swdl.upd file on a thumb drive. Used HxD on Windows. Followed the section in the Uconnect exploitation PDF:
https://www.google.com/url?sa=t&source=web&rct=j&url=http://illmatics.com/Remote%2520Car%2520Hacking.pdf&ved=2ahUKEwjZsOGNl5nyAhWhGVkFHZy2AnAQFnoECAcQAg&usg=AOvVaw0NAi3a1eh-IRd3n1VHv-ys
When I plugged it in, it started the update process; after the first unit, the screen said the Uconnect had to restart, please wait..
And voilà, my radio worked again!!! It even says it has the 18.45 firmware on it.. go figure.. Navigation still does not work, but that's most likely because the Sierra Wireless card is bad.
I cannot say for sure the S Byte thing did anything, because I'm not messing with this anymore; almost had to buy a new radio.
I would say try it without, then with it if it doesn't work.
This could also be a fluke with my particular unit, but at least it's something else to try than pay 600+ dollars!!
Good luck to anyone else who goes through this mess!!!
I created an account just to reply to this, and all I have to say is you're literally an absolute life saver. I've been working on this every day for two weeks now, trying every trick people said, trying every USB, every format, every version, and nothing ever worked for me. Uconnect support was absolutely no help, and it was a lot of back-and-forth finger pointing and "no, you need to reach out to this person" between them and the dealership. The dealership tried to charge me for a Proxy Alignment when I asked to just update my damn radio stuck in this loop.
I have a 2015 Jeep Cherokee 8.4AN VP4 NA Head Unit 68238619AJ. I was updating from 17.11.07 to 18.45.01 and got stuck at step 11, 1%, and would get a failed Sierra Wireless every time, and then got in that "bolo update failed" loop. Well, to fix it just now, all I did was download the UCONNECT_8.4AN_RA4_16.33.29_MY16.exe update from the URL posted in the previous comment, quick format a 16GB Micro Center USB to FAT32, extract the files from 16.33.29 to the USB with 7-Zip, and plug it in like normal, and BOOM, it ran the first step, restarted, and I had a working radio again showing update 18.45.01.
(So I'm assuming you don't have to do the S Byte thing; I didn't even mess with it. I just used the 16.33.29 to bypass step 11, since that version only has 14 steps and 18.45.01 was already preloaded from attempting before. My navigation still has the wrong address, but I don't care about all that; just thankful to have my radio back before my wife killed me for trying to update it by myself.)
I hope this helps someone else one day, because it took some deep research and hours on hours of forum hopping to finally find the solution. <3
Do you have another link to download the UCONNECT_8.4AN_RA4_16.33.29_MY16.exe files? I am trying to help a friend of mine the way this helped me. Thank you again for this!
