I've had a pretty long journey so far trying to get these pictures back, and I feel like I'm really close but not quite there.
I attempted to flash JB onto my Galaxy Nexus and wound up in a bootloop. I had made a nandroid but did not back up the /sdcard/ folder...restored back to stock and my files were gone. Bonehead move, admittedly.
So, the past week has been how to get a dd image of the phone to try and do some file carving. I wound up soldering wires to the pins of the phone and using an adjustable 8V/2A max power supply to keep it running long enough to create a dd .img file on a usb thumb drive over an OTG cable. I've got said image, which is 30.7 GB (30,691,802,112 bytes), so I'm pretty confident I've got the entirety of the drive (used /dev/block/mmcblk0p12).
I wound up trying scalpel, photorec, foremost, and testdrive to see if I could pull the jpg files out, but so far nothing has proven helpful. I've got a ton of cached jpg images from web browsing/pandora album art/handcent compressed images sent via MMS, but absolutely nothing from the DCIM folder (had somewhere around 150 files in there in total).
I took a look at the scalpel carve settings and realized that while the first 3 hex values matched, the second 3 did not before the Exif data...
scalpel's default jpg setting:
# jpg y 200000000 \xff\xd8\xff\xe0\x00\x10 \xff\xd9
I had an old backup of my /sdcard/ so I compared headers of JPG files in there:
\xff\xd8\xff\xe1\x90\xb0 (older image, possibly taken with Droid X)
\xff\xd8\xff\xe1\x27\xab (newer image definitely taken with GNex)
So I changed the string in scalpel to be "\xff\xd8\xff???Exif" for the footer, which creates wildcards for the fourth through sixth values and then prompts for Exif data (as opposed to JFIF data, as most of the downloaded JPGs had, which weeded out a lot of "false positives").
I wound up getting far fewer values but most of them were images that had been sent over MMS (taken on that phone), so I know I'm on the right track. The part that is confusing to me is the footer...because the files I've looked at using "od -cb" which will do an octal export all have different footers...so I'm not sure if there's metadata that can change at the end of the files or what. I've tried using \xff\xd9 REVERSE (since apparently \xff\xd9 is the standard footer for JPG files) as the footer which provided results, just absolutely nothing out of DCIM. I also tried using no footer and grabbing the 2.5MB immediately following...got the same image files as the previous command except they were all 2.5MB in size.
Am I going crazy? Is DCIM not located on that block I got the data export out of (I can't think of anywhere else it would be other than /userdata/, which I believe is mapped to that block)? I find it hard to believe that I could recover files that most likely haven't been touched in months with no problems, but I can't recover picture files that were taken just before the partition got destroyed. I think something is either wrong with my header/footer specifications with regards to the JPG files generated specifically by the GNex (since apparently they vary when compared to other JPG images taken by phones and also amongst different images all taken by the phone) or I'm just missing something.
Any help is greatly appreciated.
Bump. Anyone mind collecting a few headers/footers off .jpg files taken by the stock Android camera from their Gnex? Might go a long way toward helping me.
Get it here http://forum.xda-developers.com/showthread.php?t=1392436
Good luck.
buzzcomp said:
Get it here http://forum.xda-developers.com/showthread.php?t=1392436
Good luck.
Resized pictures are basically worthless as any manipulation done to a picture has the potential to alter the header/footer info during the decompression/recompression process for the JPEGs (as I understand it). I need freshly taken with stock camera app on a Gnex full size picture headers/footers just to make sure I'm not missing anything.
od -bc <imagename> | head
That command can be run in android terminal to give the header. Really I'm just interested in the first 10 octals. For my phone it is the following:
377/330/377/341/047/253/105/170/151/146
377/330/377/341/105/253/105/170/151/146
(two different files with slightly different headers, but that's easy to compensate for)
The footer can be obtained by running the same command without the piped portion...it will take longer to run as it is doing an octal dump of the entire file. Here I would need the last 3 rows (45 octal groups) as I'm trying to figure out if there is in fact some sort of pattern to the footer (so far I haven't been able to identify one that works).
My footers (from three files) -
013/105/013/074/000/000/000/053/020/120/004/253/017/214/017/053
020/120/004/253/017/214/017/074/000/000/000/001/120/001/000/074
000/000/000/000/000/000/000/000/000/000/000/000/000/000/000/000
172/035/377/044/132/046/166/016/172/035/377/044/074/000/000/000
001/120/001/000/074/000/000/000/000/000/000/000/000/000/000/000
000/000/000/000/000/000/000/000/000/000/000/000/000/000/000/000
024/030/030/032/026/031/031/034/030/033/033/036/032/035/035/040
033/036/036/042/034/040/040/043/034/042/042/044/034/042/042/044
034/042/042/044/034/042/042/044/034/042/042/044/034/042/042/044
The last one differs greatly from the first two (which have been taken post-flash)...the last one is from April and was copied from the phone to Windows as a backup from that timeframe then copied back onto the phone.
However, I'm running AOKP at this point and was not earlier (when some of the pictures were taken), and the phone has been flashed since (the headers/footers here are from post-flash, not sure if flashing would affect headers/footers or the camera app somehow) so if I can get a bit more data to see if the ROM being used/the version of Android on the Gnex has any effect on the header/footer, and whether or not the 074/000/000/001/120/001/000/074/000 pattern is a footer of sorts for other people, it might help me figure out what's going on and to figure out why the footer pattern changed from April to today.
Great work so far! I'm interested in your progress. Keep us up to date.
friend of mine running unrooted stock ROM gave me these -
$ od -b IMG_20110719_093821.jpg |head
0000000 377 330 377 341 210 036 105 170 151 146 000 000 115 115 000 052
0000020 000 000 000 010 000 007 001 017 000 002 000 000 000 004 110 124
0000040 103 000 001 020 000 002 000 000 000 012 000 000 000 142 001 032
0000060 000 005 000 000 000 001 000 000 000 154 001 033 000 005 000 000
0000100 000 001 000 000 000 164 001 050 000 003 000 000 000 001 000 002
0000120 000 000 002 023 000 003 000 000 000 001 000 001 000 000 207 151
0000140 000 004 000 000 000 001 000 000 000 174 000 000 001 124 116 145
0000160 170 165 163 040 117 156 145 000 000 000 000 110 000 000 000 001
0000200 000 000 000 110 000 000 000 001 000 013 210 047 000 003 000 000
0000220 000 001 000 351 000 000 220 000 000 007 000 000 000 004 060 062
$ od -b IMG_20110719_093821.jpg |tail
3377260 103 161 370 125 211 143 076 110 363 076 120 060 163 305 117 065
3377300 237 263 173 235 022 152 311 330 252 144 135 305 243 301 214 162
3377320 015 106 367 161 335 260 164 166 332 111 014 304 167 366 253 155
3377340 062 222 361 111 003 060 043 052 123 220 175 276 265 132 073 074
3377360 076 365 212 110 002 375 326 162 061 370 142 211 070 245 175 231
3377400 122 273 121 121 104 006 325 325 320 156 037 067 166 156 152 164
3377420 177 050 341 230 053 172 016 151 056 135 363 030 165 312 307 302
3377440 340 165 036 346 234 261 014 215 270 003 030 033 316 171 367 254
3377460 145 053 044 344 312 346 345 155 133 325 237 377 331
3377475
What's interesting is that I thought 337/331 was the standard footer for JPG files (at least according to scalpel's base configuration, it seemed to be)....but none of my files have this tail :/.
You are certainly braver than I.
I don't really know the details of how flash memory is laid out, but I seem to recall that some sort of wear levelling is typically used to prevent the same sectors from being repeatedly written and erased and wearing out with others left untouched. The structural layout of sectors may not actually match the logical layout of the file system. E.g. if you have a 20 MB Angry Birds apk file and then you upgrade it from Play Store, it might write the upgraded 25 MB apk on a less worn sector rather than rewrite it at the same spot. And the sectors containing app data aren't necessarily going to be the same all the time... they could "wander" from one region to another as a result of dynamic wear levelling.
So it's conceivable that if you had a bunch of photos sitting around for a long time, those sectors were the "least worn", and the moment the files were wiped, they became prime territory for writing new data. If the phone has booted a few times since the wipe, your photos may have been overwritten by app data, the dalvik cache, anything really.
Could the dynamic levelling lead to some scrambled files, where sectors containing deleted files are no longer interpreted as contiguous post-wipe?
And next time... use ADB over USB from CWM recovery to pull all your files before any drastic restore attempts
cmstlist said:
You are certainly braver than I.
I don't really know the details of how flash memory is laid out, but I seem to recall that some sort of wear levelling is typically used to prevent the same sectors from being repeatedly written and erased and wearing out with others left untouched. The structural layout of sectors may not actually match the logical layout of the file system. E.g. if you have a 20 MB Angry Birds apk file and then you upgrade it from Play Store, it might write the upgraded 25 MB apk on a less worn sector rather than rewrite it at the same spot. And the sectors containing app data aren't necessarily going to be the same all the time... they could "wander" from one region to another as a result of dynamic wear levelling.
So it's conceivable that if you had a bunch of photos sitting around for a long time, those sectors were the "least worn", and the moment the files were wiped, they became prime territory for writing new data. If the phone has booted a few times since the wipe, your photos may have been overwritten by app data, the dalvik cache, anything really.
Could the dynamic levelling lead to some scrambled files, where sectors containing deleted files are no longer interpreted as contiguous post-wipe?
And next time... use ADB over USB from CWM recovery to pull all your files before any drastic restore attempts
Your wear-leveling theory has been my fear. Most of the photos were sitting on my phone since I got it (copied over from my Droid X), though some were taken 48 hours before I had my major screw-up. If it wasn't flashing the phone, it was probably the recovery process that hexamob pro did where it dumped like 20gb of jpg files onto my SD card. :/
I wasn't as savvy to adb as I am now (nor to many aspects of my phone...this whole thing, at worst, has forced me to learn a lot about the inner workings of it), and will certainly do that going forward...MTP is just utter shiat when it comes to copying files. I used to use SwiFTP and FTP into my phone to get the files to be backed up...but now that I know adb commands, I will go that route.
I've tried a few different recovery methods, but I think the next two I will try when I get some time are 377 330 377 ? ? ? 105 170 151 146 as the header (to eliminate the seemingly variable fourth through sixth octets but only pull files with EXIF data) and do a forward read with the standard jpg footer and a reverse read from 2.5, 2, 1.5, and 1 MB with the standard jpg footer. The forward read in scalpel takes the file from the header start to the first instance of the footer...the reverse read goes out the number of bytes specified and reads backward toward the header until it finds the footer...
I'm just really confused why there is what appears to be "pad data", or at least some kind of data, at the end of my JPG files. I'm wondering if some aspect of AOKP puts it there, as the head and tail of the file given to me by my buddy are from a stock ROMed phone.
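Added example (not code from any poster in this thread): a structure-aware carve for the `\xff\xd8\xff???Exif` signature discussed above. In the JPEG format the two bytes after `\xff\xe1` are the big-endian length of the APP1 (Exif) segment, which is why they differ from file to file, and an Exif block can carry an embedded thumbnail with its own `\xff\xd9`, so the sketch walks the segment lengths to the real end-of-image marker instead of stopping at the first footer match. It assumes each file is stored contiguously in the image; the sample bytes are constructed for illustration.

```python
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
EXIF_SIG = b"Exif\x00\x00"

def naive_end(buf, start):
    """Forward carve as a plain header/footer rule does: stop at the first FF D9."""
    i = buf.find(EOI, start)
    return None if i < 0 else i + 2

def jpeg_end(buf, start):
    """Walk the JPEG marker structure from `start`; return the offset just past
    the real EOI, or None if the data stops looking like a JPEG."""
    n = len(buf)
    if buf[start:start + 2] != SOI:
        return None
    pos = start + 2
    while pos + 2 <= n:
        if buf[pos] != 0xFF:
            return None
        marker = buf[pos + 1]
        if marker == 0xFF:                           # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                           # EOI
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7: # markers without a length
            pos += 2
            continue
        if pos + 4 > n:
            return None
        (seglen,) = struct.unpack(">H", buf[pos + 2:pos + 4])
        if seglen < 2:
            return None
        pos += 2 + seglen                            # skips Exif and its thumbnail
        if marker != 0xDA:
            continue
        # After the SOS header comes entropy-coded data: FF 00 is a stuffed
        # byte and FF D0..D7 are restart markers, neither ends the scan.
        while True:
            i = buf.find(b"\xff", pos)
            if i < 0 or i + 1 >= n:
                return None                          # truncated or overwritten
            nxt = buf[i + 1]
            if nxt == 0xD9:
                return i + 2
            if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
                pos = i + 2
            elif nxt == 0xFF:
                pos = i + 1
            else:                                    # next segment (progressive)
                pos = i
                break
    return None

def carve_exif_jpegs(image, max_size=20 * 1024 * 1024):
    """Return (start, end) offsets of every Exif JPEG whose structure parses."""
    hits, pos = [], 0
    while True:
        start = image.find(b"\xff\xd8\xff\xe1", pos)
        if start < 0:
            return hits
        if image[start + 6:start + 12] == EXIF_SIG:
            end = jpeg_end(image, start)
            if end is not None and end - start <= max_size:
                hits.append((start, end))
                pos = end
                continue
        pos = start + 1

def build_sample_image():
    """Constructed test data: one tiny Exif JPEG with an embedded thumbnail,
    surrounded by filler bytes standing in for the rest of the partition."""
    thumb = SOI + b"\xff\xdb\x00\x03\x00" + EOI
    payload = EXIF_SIG + b"MM\x00\x2a" + thumb
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    dqt = b"\xff\xdb" + struct.pack(">H", 5) + b"\x00\x01\x02"
    sos = b"\xff\xda" + struct.pack(">H", 3) + b"\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"
    jpeg = SOI + app1 + dqt + sos + scan + EOI
    return bytes(512) + jpeg + b"\x3c\x00\x00\x00" * 4, 512, len(jpeg)

if __name__ == "__main__":
    image, start, length = build_sample_image()
    print("first-footer carve ends at", naive_end(image, start))
    print("structure walk ends at   ", jpeg_end(image, start))
    print("carved ranges:", carve_exif_jpegs(image))
```

On a real dump the image would be read with `mmap` rather than loaded whole; a `None` result for a header hit means the data after it no longer parses as a JPEG, which is what overwritten or fragmented files look like.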
i have made a similar issue with my sister-in-law nexus. i have been unsuccessful at getting dd image to otg usb because the battery doesn't last long enough. i did make a my backup backup file, but that was deleted during wipe and it didn't even cross my mind to copy before such. also because i was not used to non sdcard devices, my current phone is a thunderbolt.
is there a way to get it thru adb?
i formatted my otg usb to ext3 because it didn't work on fat due to file size limitations
is mmcblk0p12 all that is needed or should the dump be the whole mmcblk0?
have you tried any of the diskinternals apps? the reader or the recovery. (the link restriction prevents me from posting links. google is your friend for this)
i also have access to other tools and i am willing to try them, but i still need to get my hands on that dump file.
any suggestions are welcome.
QuattroCS said:
i have made a similar issue with my sister-in-law nexus. i have been unsuccessful at getting dd image to otg usb because the battery doesn't last long enough. i did make a my backup backup file, but that was deleted during wipe and it didn't even cross my mind to copy before such. also because i was not used to non sdcard devices, my current phone is a thunderbolt.
is there a way to get it thru adb?
i formatted my otg usb to ext3 because it didn't work on fat due to file size limitations
is mmcblk0p12 all that is needed or should the dump be the whole mmcblk0?
have you tried any of the diskinternals apps? the reader or the recovery. (the link restriction prevents me from posting links. google is your friend for this)
i also have access to other tools and i am willing to try them, but i still need to get my hands on that dump file.
any suggestions are welcome.
as far as i know, no way to get the dd image through adb because there's no way to get the phone to recognize your computer as a mount point...when you run adb shell you are running the entire command on your phone so something like "adb shell dd if=/dev/block/mmcblk0p12 of=C:\temp\sdbackup.img" or even replacing C with a mount point wouldn't work since you can't mount the computer as a mount point on the phone :/.
you could also format the usb drive to ntfs and load an ntfs capable kernel (i used samurai akira's) so you can work on the .img file in windows or linux. mmcblk0p12 is i think all that is needed as it is mapped to /device/ which should contain all of the pertinent data. i haven't tried diskinternals but am coming to the realization that hexamob probably screwed me by dumping 20GB worth of 1-50mb jpg files onto the SD card (because it couldn't dump them anywhere else) and i attempted recovery that way in a panic after it first deleted :/.
if you want that dd image you're gonna have to wire your phone up for external power the way i did it, as far as i know...no other way to go about it. instructions i found were here - http://www.droidforums.net/forum/galaxy-nexus-development/209149-backup-sd-partition-using-dd.html
how were you able to mount the dd image to use photorec. this is the point at which i am stuck at the moment.
QuattroCS said:
how were you able to mount the dd image to use photorec. this is the point at which i am stuck at the moment.
I never mounted the dd image, just ran recovery tools on the .img file itself. There are quite a few tools you can use...I had Ubuntu installed on a second partition so I used Linux tools for the most part (since the OS natively supports ext*). Scalpel and foremost were the two I had the most success with (in terms of number of files recovered...unfortunately I didn't actually get any picture files from my DCIM folder).
Unfortunately it looks like Hexamob probably killed any recovery efforts I had by writing 20gb of junk/repeated JPG files to the partition. I'm thinking it does something along the lines of a scalpel file carve but goes 50mb out from the header and reads backward (this is an option within scalpel) as I had a ton of small (64x64 pixel size, for example) JPG files that were close to 50mb in size.
EVERYONE STAY AWAY FROM HEXAMOB! If you lose files and really want them back, immediately turn off your phone and make a dd image as described earlier in this thread...then say a prayer to any deities you've heard of that the files might still be there in the file structure.
Live and learn!
Hi, having the same problem...
accidentally flashed with fastboot -w and stopped it when I saw that it wants to wipe userdata, but the damage was already done.
Now everything on the sdcard is gone. I created a image using dd of /dev/block/mmcblk0p12
So far I couldn't restore any images using scalpel. I also tried looking for strings that should be in the image, like ID3 tags of mp3s and also can't find any. ( strings image; cat image | grep -i bandname ).
I saw that the sdcard folder is mounted using fuse. Maybe that's the problem, we first have to use fuse to get to the file?
Have you restored your pictures in the end?
Thanks, Alex
alexonfire said:
Hi, having the same problem...
accidentally flashed with fastboot -w and stopped it when I saw that it wants to wipe userdata, but the damage was already done.
Now everything on the sdcard is gone. I created a image using dd of /dev/block/mmcblk0p12
So far I couldn't restore any images using scalpel. I also tried looking for strings that should be in the image, like ID3 tags of mp3s and also can't find any. ( strings image; cat image | grep -i bandname ).
I saw that the sdcard folder is mounted using fuse. Maybe that's the problem, we first have to use fuse to get to the file?
Have you restored your pictures in the end?
Thanks, Alex
I restored some pictures but none from the camera itself, just jpg files that had been downloaded (even after modifying the header/footers that were being carved). I have a very strong suspicion that the lack of recovered images is due to hexamob recovery and the way it restored files (it looks like it did a reverse from 50mb out which created a lot of 50mb jpg files that quickly filled up the sdcard, overwriting any pictures that may have been left on there).
You shouldn't need fuse to mount the image of the file to perform recovery provided the image is a full image file.
Related
I'm hoping this will be the kickoff and official thread on how to change the splash screen on your Universal.
DISCLAIMER: As with anything on this site, what you do with your Universal intentionally or inadvertently is done at your own risk. No one here is liable for any damages of any kind that is incurred as a result of the information posted on these forums.
Thanks to bal666 for coming up with the "HTC64 Extended ROM Tool" which he will post up shortly with instructions, I have been able to fully decode the NK.NBF file that's embedded in the Qtek 9000 Firmware Upgrade Utility.
From there, I was able to find and extract the 480x640 splash image starting at offset 3F00000H to 3F960010H (approximately) in the NK.FAT file.
Of course, this is your standard, headerless NB image file format. I contacted madkat who is aware of the issue and will hopefully find some time to update his very much appreciated .nb Image Converter utility to accommodate VGA images.
In the meantime, this old post explained that the NB file format is a headerless version compatible with the Red Storm Bitmap (RSB) file format, popular with games such as Rainbow Six.
While this post says that the header was 16 bytes long, I was able to determine that it's in fact 28 bytes long.
Thankfully, the game modders have a RSB plug-in for Photoshop that is available there. There is also a RSB to BMP (and vice-versa) image converter also available here.
As a test, I created a 480x640 bitmap and saved it as a BMP file in Photoshop, then used the RSB-BMP image converter and the 28-byte header was there. I also saved it from Photoshop as an RSB file using the plug-in and the same 28-byte header was also there.
The 28-byte header contains the following code:
Code:
RSB file format:
01 00 00 00 E0 01 00 00 80 02 00 00 05 00 00 00
06 00 00 00 05 00 00 00 00 00 00 00
Immediately following the 28 bytes was the image (in this case, the white image had FF FF FF FF...)
Naturally, I removed the first 28 bytes of the RSB file and saved it as an NB file.
Next, I created a custom 480x640 bitmap for myself with my owner information on it and pasted it directly overwriting the original bitmap at the same offset 3F00000H in the decrypted NB.FAT file.
Using bal666's utility, I reencoded the file back to NB.NBK.
At this point, I'm almost ready to flash with the upgrade utility. In theory, it should work.
My only concern is the fact that I thought only the bytes of the changed image would be different, even in the reencrypted file, but it appears to be the entire file, less the header of the NBK file. While it's very possible that the changed area affected the rest of the file, I want to make fully certain that I won't be killing the kernel, or most importantly, my bootloader, in case I need to flash back again. So, I'm back to bal666 to make sure the reencryption process actually worked successfully before I go ahead and flash away.
The last thing I need is bricking my device again, this time because of vanity.
So, thanks to madkat, bal666, akira, itsme, and everyone here... I think we're almost there, if not already!
hey dude,
the encoding process will always result in a very different file, if anything in the file to be encoded has changed. Unfortunately this always gives me the willies when flashing as well :shock:
As a sanity check, you can decode your newly encoded file and compare the results to what you expect ... may help you feel slightly more secure!
SUCCESS! I flashed my Qtek 9000 with my own splash screen and the VGA image I used of a beach looks absolutely beautiful!
:lol: :lol: :lol:
If bal666 does not have any objections, I posted his Decryption/Encryption tool here, along with the MaUpgradeUt_noID.exe file.
http://www.beyondthetech.com/downloads/phone/nbftool/
The extracted Qtek 9000 image file, converted RSB file, and the RSB-BMP Image converter can be found here:
http://www.beyondthetech.com/downloads/phone/splash/
A couple points of interest:
1. The data I extracted from the decrypted NK.FAT file came out to 614,420 bytes.
2. The last twenty bytes of the extracted data seemed to be a repeat of the previous twenty bytes, much like overwritten data.
3. When you create an RSB image file, then strip out the header, you'll notice that the resulting "NB" image file is 614,400 bytes. THIS IS NORMAL.
4. For some reason, the first time around when I flashed the customized NK.NBF file successfully, while the splash screen was right, the colors were all screwed up. I don't know what caused this, but when I thought about the 20-byte discrepancy, I opened up my customized NB image file and duplicated the last twenty bytes of the file and added it to the end, making the file the same size as the extracted Qtek 9000 splash image file (which was 614,420). The second time around, the image was perfect and with all the right colors. I can't say the extra 20 bytes solved it, but it didn't hurt, since it occupied the same space as the original extracted Qtek screen image.
5. The file size 614,400 is exactly 4 times the size of 153,600 - the QVGA splash image size, if you recall. 153,600 = 320 x 240 pixels x 16 bits (or 2 bytes), so 614,400 is 640 x 480 pixels x 16 bits (or 2 bytes).
6. I bricked my device for about an hour before I came up with the surefire method of flashing my device:
a. Have a copy of the UNIVERSAL - JASJAR - Radio Version 1.04.02 extracted to a standalone folder.
b. Extract your device's upgrade utility files to a separate standalone folder.
c. Delete the RADIO_.NBK file from your device's upgrade utility files in step b.
d. Replace the NK.NBF file with the customized one you made.
d. Remove SIM and SD card, if applicable.
e. Get into bootloader mode on your Universal.
f. Start ROMUpgradeUt.exe and let it flash the Extended ROM and CE ROM (stages 2 and 3).
g. After it completed the upgrade, do not disconnect or reboot your Universal. Run the MaUpgradeUt_noID.exe in the separate radio upgrade folder from step a.
h. After a nice long walk or cup of coffee during the upgrade, disconnect the USB cable and hard reset your device.
i. Enjoy your fresh Universal and customized splash screen!
For some reason, the Radio Stack Upgrade (stage 1) always hangs on me until it gives an Error 114 message. So, I delete the radio_.nbk file and it skips to Stages 2 and 3. Afterwards, I run back and let it do Stage 1, and it seems to work from there.
While it's a tedious process, it has consistently recovered me from the dreaded stuck bootloader mode. So, if you're ever trapped in that mode, find out what stage is not working and skip it by deleting, renaming, or moving that NBF file away for the upgrade.
Just another couple points:
This procedure will more than likely work for the HTC Wizard, accommodating the file size, resolution, injection offset, etc.
You will get a warning when encrypting the Universal's NK.NBF file with bal666's utility, saying it's too large for FAT16. THIS IS NORMAL. Allow it to continue and just make sure the file sizes for the original NK.NBF and your customized NK.NBF are the same.
Just in case anyone wants to see my customized splash screen, it looks like this:
The original PSD file that you can customize with your own text, and the Adobe RSB Plug-in can be found in this folder:
http://www.beyondthetech.com/downloads/phone/splash/
Just throw the RSBBitmap.8bi file in your Adobe Photoshop's Plug-Ins folder and start it up. You'll be able to open and save RSB format, where you can strip out the 28-byte header and turn it into "NB" file format for injecting.
Great work BTT!
Man, people who are prepared to brick their devices show us all what sacrifice is!
What else can you glean from the ROM? Anything interesting going on in there?
V
bal666 said:
hey dude,
the encoding process will always result in a very different file, if anything in the file to be encoded has changed. Unfortunately this always gives me the willies when flashing as well :shock:
As a sanity check, you can decode your newly encoded file and compare the results to what you expect ... may help you feel slightly more secure!
hey bal666, i've told you, that you've made cool tool... )))
THANX guys...
buzz
Hi Buzz,
ahhh, this is the new and improved version :wink:
Although having said that, I've found a bug in the decoder/encoder tool. As long as you don't play with the ROM header settings, then all is well.
I plan to fix the bug and release another version soon - which will include a decent help file.
Well done BeyondtheTech, nice work with the splash screen!
Later
Bal
Hi,
Unfortunately I was born both lazy and stupid so is there any way any of you gurus could possibly write some sort of script so I basically can just...
a) load pic into Microsoft paint
b) trim to the right size
c) save as "x"
d) run script
e) select custom boot screen "x" (enter in filepath)
f) select ROM (enter in filepath)
g) sit back with tea and biscuit wait for "finished" message
h) flash new ROM
??
Regards
Michael
Help Needed
All the Tech Gurus,
Can any one throw some light as how to inject the splash file into the nk.fat and then make it to nk.nbf....pls help
You need a hex editor like WinHex or UltraEdit-32.
I used UltraEdit-32.
Verify that your splash file is exactly 614,400 bytes.
Open your splash file in UltraEdit-32.
Select all bytes by pressing Control+A, then copy it to the clipboard by pressing Control+C.
Open your NK.FAT file in a new window.
Click on the Go To Line icon and type in 0x3F00000.
The cursor should be blinking on offset 3F00000H, the first byte of the splash image area. For me, the Qtek 9000's image's first byte is a 1A and the previous byte is FF.
Go to Edit, then Hex Functions, then Hex Insert/Delete.
Select Delete, and enter 614400, then click OK.
Immediately paste the contents of the clipboard, and it should insert-paste the new image file.
Save the modified NK.FAT file.
If your file is short by 20 bytes, this is how to duplicate the last twenty bytes in the file:
Open your splash file in UltraEdit-32.
Press Control+End to position the cursor to the end of the file.
Hold down the Shift key and press the Left Arrow and/or Up Arrow until the last 20 bytes are highlighted. See the bottom-right corner where it says "Bytes Sel: xx."
Press Control+C to copy the highlighted bytes to the keyboard.
Press Control+End to position the cursor to the end of the file again.
Press Control+V to paste the bytes at the end of the image file.
See the bottom-right corner to make sure it says "File Size: 614400."
Save the splash image file.
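Added example (not bal666's tool or any poster's code): the header strip and the delete-then-paste step above done as a scripted in-place replacement, followed by the kind of compare bal666 suggests, run on the decoded file. The 28-byte header, the 614,400-byte size and offset 0x3F00000 come from the thread; reading the header as seven little-endian 32-bit fields whose last four are channel bit counts is an assumption, and the function names and the small stand-in ROM buffer are constructed for illustration.

```python
import struct

# The 28 header bytes posted earlier in the thread.
PAGE_RSB_HEADER = bytes.fromhex(
    "01000000" "E0010000" "80020000" "05000000"
    "06000000" "05000000" "00000000"
)
RSB_HEADER_LEN = 28
WIDTH, HEIGHT, BYTES_PER_PIXEL = 480, 640, 2
NB_SIZE = WIDTH * HEIGHT * BYTES_PER_PIXEL      # 614,400 bytes
SPLASH_OFFSET = 0x3F00000                       # offset in the decoded NK.FAT

def parse_rsb_header(rsb):
    """Assumed layout: version, width, height, then bits for R, G, B, A."""
    if len(rsb) < RSB_HEADER_LEN:
        raise ValueError("file shorter than the 28-byte RSB header")
    names = ("version", "width", "height", "r_bits", "g_bits", "b_bits", "a_bits")
    return dict(zip(names, struct.unpack("<7I", rsb[:RSB_HEADER_LEN])))

def rsb_to_nb(rsb):
    """Strip the header and refuse anything that is not a 480x640 16-bit image."""
    hdr = parse_rsb_header(rsb)
    if (hdr["width"], hdr["height"]) != (WIDTH, HEIGHT):
        raise ValueError("expected 480x640, got %(width)dx%(height)d" % hdr)
    bits = hdr["r_bits"] + hdr["g_bits"] + hdr["b_bits"] + hdr["a_bits"]
    if bits != 8 * BYTES_PER_PIXEL:
        raise ValueError("expected 16 bits per pixel, got %d" % bits)
    nb = rsb[RSB_HEADER_LEN:]
    if len(nb) != NB_SIZE:
        raise ValueError("pixel data is %d bytes, expected %d" % (len(nb), NB_SIZE))
    return nb

def inject_splash(rom, nb, offset=SPLASH_OFFSET):
    """Overwrite len(nb) bytes at `offset`; the result is the same size as `rom`."""
    if offset < 0 or offset + len(nb) > len(rom):
        raise ValueError("splash region runs past the end of the ROM file")
    return rom[:offset] + nb + rom[offset + len(nb):]

def only_region_changed(original, patched, offset, length):
    """Pre-flash sanity check: same size, and every byte outside the splash
    region identical to the original decoded file."""
    return (
        len(original) == len(patched)
        and original[:offset] == patched[:offset]
        and original[offset + length:] == patched[offset + length:]
    )

def demo():
    """Constructed data: an all-white RSB and a small stand-in for NK.FAT,
    so the splash offset here is 4096 instead of 0x3F00000."""
    rsb = PAGE_RSB_HEADER + b"\xff" * NB_SIZE
    rom = bytes(4096) + b"\x1a" * NB_SIZE + bytes(4096)
    nb = rsb_to_nb(rsb)
    patched = inject_splash(rom, nb, offset=4096)
    return parse_rsb_header(rsb), only_region_changed(rom, patched, 4096, NB_SIZE)

if __name__ == "__main__":
    header, ok = demo()
    print(header)
    print("only the splash region differs:", ok)
```

The comparison only makes sense on the decoded files, since the thread notes that the encoded NK.NBF differs throughout after any change.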
Thanks
Thanks man...But a simple logical question...can we create splash.nb from the nb tool as we used to do to change the splash screen on 2003se devices using...Oh yes...I just opened the splash1.nb made earlier in Hex Editor and found that it is exactly of the size 153 kb...so it is possible,,
But there is splash2.nb also..so how to go about it...
As I stated before, the original NB Image Converter only works with 240x320 files. Hence 153K won't fill the 600K of the VGA image file area of the decrypted ROM file.
@anyone
I know, that BeyondtheTech already said this at the beginning, but it is never enough to say it once again:
IF ANYONE IS UNSURE, WHAT TO DO, DON'T DO THIS!!!
YOU CAN PERMANENTLY BREAK YOUR DEVICE!
buzz
Hi,
I guess this thread is the one talking about the image convertor..
http://forum.xda-developers.com/viewtopic.php?p=66133#66133
Is it possible to get it modified for the Universal?
Buzz, wouldn't a reflash of the ROM restore a failed attempt? Or is there something more sinister about altering this?
Regards
Michael
michaelg said:
Hi,
I guess this thread is the one talking about the image convertor..
http://forum.xda-developers.com/viewtopic.php?p=66133#66133
Is it possible to get it modified for the Universal?
Buzz, wouldn't a reflash of the ROM restore a failed attempt? Or is there something more sinister about altering this?
Regards
Michael
I take it you didn't actually read the first post of the thread:
I contacted madkat who is aware of the issue and will hopefully find some time to update his very much appreciated .nb Image Converter utility to accommodate VGA images.
If you don't read through, you might skip out on some important details and really screw up your device. I suggest you don't do it then.
As for the flashing, if you mess up the NK.NBF file which I believe contains the bootloader, and flash it, there's a possibility you may not be able to flash again if the bootloader gets corrupted. AFAIK, as long as the bootloader is alive, you still have chance for recovery from a bad flash, but let's hope you or anyone else never gets to that point.
@BtT
NK.nbf need not necessarily contain the bootloader.
But it is always better to triple check that. Even if it contains a bootloader, it is usually not flashed.
buzz
Oh man, this is so over my head, it hurts.
*sob*
:lol:
I get the process, but there is no way I am going to attempt this without first letting the newness factor of my XDA Exec wear off significantly!
Hello nice guys !
Does this method work for Wizard WM2005 ?
I have problem in making Splash Image for Qtek 9100 ...
ta_mobile,
it won't work on a wizard - different rom structure :?
Update: To work with the AT&T ICS ROM, this method requires installing a modified libsec-ril file. You do not need to bother with the MD5 checksums since they aren't output by this ROM and are bypassed altogether thanks to Phoenix84188's work.
Update 2: I made an update zip to easily apply Phoenix84188's modified libsec-ril file. It may also be worth mentioning that spocky12's GalaxSim Unlock works on this phone too.
Hello,
I was trying to figure out a way to unlock the phone while keeping my IMEI.
I tried tinkering with the CSC files and factory resets on stock recovery to reapply same. No luck, although I might have been able to relock it to another network, didn't bother testing. (Fixing these files also eliminates any re-locking possibilities on factory reset.)
After some research on other methods and programs for the SGS I, II and III, I managed to pull it off. There are some slight variations across models, but I got the right mix for this one. I've since called, texted and used cellular data with my Virgin Mobile Canada SIM, and it also took my T-Mobile USA SIM without complaint and roamed on Rogers. My ex girlfriend's now using it on Telus. Multiple confirmed unlocks from various parts of the world in this thread as well.
Requirements
Working ADB installation
Hex editor
Root (could also be done with CWM on an unrooted ROM.)
Instructions
Backup the /efs partition (ideally with a tar archive as it preserves ownership and permissions information)
Open nv_data.bin in a hex editor. (Frhed is one open-source option.)
In the hex editor, go to offset 0x181469. An offset is a byte's position in a file, it can be given in either decimal or hexadecimal format. (The 0x notation is for hexadecimal values)
On the hex side, change that value from 01 to 00 (To be technical I could have written 0x01 to 0x00)
Using the hex editor's search capabilities, look for the string "302720" (Rogers) or an appropriate AT&T MNC/MCC combination (try "310410" or "310380") as applicable.
This should bring you to a series of MNC/MCC pairs. (Which should match those found in your original CSC customer.xml file.) For information, the strings in my file started from offset 0x180069 and read: 30272030237030272#30237#00101#99999#999990001010001012
Overwrite the strings by changing them to xFF (ASCII non-breaking space.)
From the command prompt, push the modified nv_data.bin into place. On the stock, secure kernel:
Code:
C:\(Whatever your path is)>adb push nv_data.bin /sdcard/
C:\(...)>adb shell
$ su    # check for a possible superuser prompt on the phone itself
# cp /sdcard/nv_data.bin /efs/nv_data.bin
# chown radio.radio /efs/nv_data.bin
# reboot
Once the phone has finished rebooting, from the command prompt:
Code:
C:\>adb shell
$ su
# cat /efs/nv.log
The log should spit out a pair of error messages like this:
Code:
Wed Aug 29 10:45:04 2012: MD5 fail. orignal md5 '9e1e52346ec8bc3ea07988c967dab04c' computed md5 'd931816e4be7d60a3e41f6fddc27e2e4' (rild)
Wed Aug 29 10:45:05 2012: backup NV restored.
Copy the freshly computed, lightly salted (i.e. not reproducible otherwise), md5 hash from the command prompt window. (Remember that you can use the mouse to select and copy)
Open nv_data.bin.md5 in a hex (or text) editor and paste it over the old one.
ADB push both the previously modified nv_data.bin and nv_data.bin.md5 back to /efs/ and don't forget to chown them both again.
Code:
C:\(...)>adb push nv_data.bin /sdcard/
C:\(...)>adb push nv_data.bin.md5 /sdcard/
C:\(...)>adb shell
$ su
# cp /sdcard/nv_data.bin /efs/nv_data.bin
# cp /sdcard/nv_data.bin.md5 /efs/nv_data.bin.md5
# chown radio.radio /efs/nv_data.bin
# chown radio.radio /efs/nv_data.bin.md5
Reboot (although on second thought, shutting down, inserting a foreign SIM and turning the phone back on should work)
Done! Confirm the unlock works with a "foreign" SIM, and for bonus points edit the CSC customer.xml file, setting the <NbNetworkLock> property to 0 and deleting the networks listed immediately below. You could also remove the leftover modified files on the SD card, from ADB shell:
Code:
$ rm /sdcard/nv_data.bin
$ rm /sdcard/nv_data.bin.md5
If you're having a hard time with this guide, please stick to public threads where more people can help you instead of PM-ing me. Thanks.
Goodbye,
Darkshado
Will try !!!
If this works, I can finally get rid of that piece of paper on my wallet with the Unlock Code for my phone XD
I purchased an "unlocked" glide from amazon and been using it no problem here in Mexico, do I have to worry about it locking at some point?
I flashed ICS / CWM and the backlight fix on it and so far so good
Going by my Ace and Gio experience, the following conditions have to be met for the phone to relock itself:
Native or no SIM card
Stock ROM with CSC files that contains network lock settings.
Stock Samsung recovery
Factory reset triggered, which makes the stock recovery reapply the CSC parameters.
Alright, thanks! Guess I'll stick to reflashing the ROM instead of factory reset whenever there's a problem
is this method good for GB as well as ICS/JB ?
I've done it with the stock Rogers GB ROM.
With that said, if it doesn't work with the ICS leak, or with a custom ROM of some sort, you can always restore your original nv_data.bin and nv_data.bin.md5 files. You'll be back with a locked phone but no harm should be done.
IIRC, the RIL files are part of the proprietaries when used with a custom ROM anyway, so you should be good.
Thanks for the reply, it seems a bit tricky for me but I will try to get it working when I get my phone (in about a week or so). By the way, is backing up the /efs partition done with cwmr?
Either that or with a rooted phone. I suggest you make the backup as a tar archive, it'll keep the permissions.
Works like a charm. Running it unlocked since 24h on a foreign SIM without issues. Thank you so much!
(Running OsiMood 2.06.07 + Rogers kernel as posted on the rooting thread + SwissCom SIM card).
I used this method:
http://forum.xda-developers.com/showthread.php?t=859914
to back up my efs to a tar.gz file, is it good enough?
If I need to restore it, then I use cwmr?
It seems that my offset 0x181469 was already at value 00,
and I couldn't find 302720 anywhere in the file, so I tried to go to the offset 0x180069
that you found the string at and saw it's all 00,
so maybe my phone is already SIM-free and I didn't know it, as I didn't even try putting my SIM in to check
because I thought that it's useless to do so.
One question: if I update to ICS, the official AT&T ROM or a custom one built upon that ROM, will it change my nv_data.bin?
And if so, can I put my, presumably SIM-free, nv_data.bin?
Taiber2000, you should have checked either with a "foreign" SIM or by dialing code *#7465625# which outputs lock status. It would have told you where you stood lock-wise.
Your phone might relock if you flash a stock ROM through Odin or otherwise trigger a factory reset with either no SIM card in the phone or an AT&T/Rogers (as applicable) one.
You could probably return to your unlocked nv_data.bin in that scenario, but in case the ICS update also applies other changes it may be better to unlock the nv_data.bin that's been relocked.
I see, I will check it out and see, thanks for the help.
Edit: scratch that, I found out the problem is with my SIM card on the phone. It works on my N97 but not on the Glide, will change my SIM at my mobile center.
nice unlock, but have some doubts
Darkshado said:
Hello,
I was trying to figure out a way to unlock the phone while keeping my IMEI.
I tried tinkering with the CSC files and factory resets on stock recovery to reapply same. No luck, although I might have been able to relock it to another network, didn't bother testing. (Fixing these files also eliminates any re-locking possibilities on factory reset.)
After some research on other methods and programs for the SGS I, II and III, I managed to pull it off. There are some slight variations across models, but I got the right mix for this one. I've since called, texted and used cellular data with my Virgin Mobile Canada SIM, and it also took my T-Mobile USA SIM without complaint and roamed on Rogers.
Requirements
Working ADB installation
Hex editor
Root (could also be done with CWM on an unrooted ROM.)
Instructions
Backup the /efs partition (ideally with a tar archive as it preserves ownership and permissions information)
Open nv_data.bin in a hex editor.
Go to offset 0x181469
Change the value from 01 to 00
Search for 302720 (Rogers) or an appropriate AT&T MNC/MCC combination (try 310410 or 310380) as applicable.
This should bring you to a series of MNC/MCC pairs. (Which should match those found in your original CSC customer.xml file.) For information, the strings in my file started from offset 0x180069 and read: 30272030237030272#30237#00101#99999#999990001010001012
Overwrite the strings by changing them to xFF
Push the modified nv_data.bin into place. On the stock kernel: push to /sdcard/ first, then adb shell, su, cp to /efs/ and chown radio.radio /efs/nv_data.bin
Reboot the phone
ADB shell, su, then cat /efs/nv.log
The log should spit out a pair of error messages like this:
Wed Aug 29 10:45:04 2012: MD5 fail. orignal md5 '9e1e52346ec8bc3ea07988c967dab04c' computed md5 'd931816e4be7d60a3e41f6fddc27e2e4' (rild)
Wed Aug 29 10:45:05 2012: backup NV restored.
Copy the freshly computed, lightly salted, md5 hash. Paste it over the old one in nv_data.bin.md5
Push both the previously modified nv_data.bin and nv_data.bin.md5 back to /efs/ and don't forget to chown them both again.
Reboot (although on second thought, shutting down, inserting a foreign SIM and turning the phone back on should work)
Done! Confirm the unlock works with a "foreign" SIM, and for bonus points edit the CSC customer.xml file, setting the <NbNetworkLock> property to 0 and deleting the networks listed immediately below.
Goodbye,
Darkshado
I tried this, but when looking at the nv.log it doesn't say the new md5.
When changing the MNC/MCC I see there are three 5-digit numbers which should be turned over to 0xFF, as string or as hex value? Do I also have to substitute the large last number?
lol Samsung accidentally unlocked my phone
Luisrcastros: What ROM are you running? Does the nv.log report changes in the NV files and restoring the backup?
The last numbers in the MNC MCC codes are actually standard test MNC and MCCs that a carrier would want the phone to work with in addition to their network. You'll want to overwrite the whole set (54 bytes in the case of the Rogers lock) with 0xFF.
glide relocked ICS
Darkshado said:
Luisrcastros: What ROM are you running? Does the nv.log report changes in the NV files and restoring the backup?
The last numbers in the MNC MCC codes are actually standard test MNC and MCCs that a carrier would want the phone to work with in addition to their network. You'll want to overwrite the whole set (54 bytes in the case of the Rogers lock) with null characters (0xFF).
Darkshado: I got a Rogers unlocked Glide, then updated to the ATT ICS, and it locked the phone. So I'm trying to do the hack on ICS 4.0.4. Yes, the nv.log report says it's restoring the nv file from the backup. When I open the nv_data.bin I find exactly the same data as yours.
should I also put FF to the rogers data (302720)
Do you think this will work?
By the way, if anyone has Rogers 2.3 android unlocked, don't try the ATT firmware or you will get locked.
nv.log says:
date: cracking detected
date: NV backup has been rebuilt
date: NV restored
Done
After taking back to stock and root my Rogers captivate glide I was finally able to unlock my phone just by following the instructions from this thread. (hex edit and stuff)
Thanks a lot for the help. This works but you need the rogers kernel and root, you can't unlock with AT&T's kernel.
I'll try to upgrade again to AT&T ICS and let you know if it relocks .
Hi everyone, I've seen several guides around on how to make a Goldcard, and some were overly complicated, some were just wrong, most of them required pesky windows tools, hex editors etc etc so I'll try to make this one as short and functional as possible.
Goldcards are used to circumvent CID (Customer ID) check when flashing RUUs. So, without it, you can flash only RUUs for your carrier. With it, you can flash any RUU. Not as good as S-OFF, you still cannot flash individual RUU components like radio etc, only whole RUU, but still a step towards freedom.
Prerequisites:
- Your phone, with SD card you plan to make Goldcard of inside, fully booted, ADB debugging enabled, connected to your Linux/Mac box via USB
- Working adb binary for your Linux/Mac (get it from appropriate Android SDK for your OS) or Terminal app on your phone.
1) Get your SD card CID
Enter your phone's shell with adb (or use terminal app on your phone, whatever)
adb shell
Navigate to /sys folder containing your CID (path can be slightly different in your device, but look around a bit and you'll find it, can't be that hard)
cd /sys/class/mmc_host/mmc1/mmc1:0001
Get your CID by reading "cid" file
cat cid
1b534d303030303010749634be00c9a4
This is your CID, write it down
2) Transform your CID
First, split your CID in 2-digit groups
1b 53 4d 30 30 30 30 30 10 74 96 34 be 00 c9 a4
Reverse their order
a4 c9 00 be 34 96 74 10 30 30 30 30 30 4d 53 1b
Replace first group with 00
00 c9 00 be 34 96 74 10 30 30 30 30 30 4d 53 1b
Put them together again
00c900be3496741030303030304d531b
That's your transformed CID.
3) Generate goldcard image file
Go to
http://psas.revskills.de/?q=goldcard
Enter your transformed CID, make sure that Goldcard type is set to Android, fill captcha, and click on "Download Goldcard!", you should get goldcard.img file with length of 384 bytes
4) Flash image on your SD card
Put your SD card in card reader on your Mac/Linux box
Make sure it has only 1 partition and format it to Fat32 (won't explain how to do this, this is not Your OS for Dummies)
Don't mount your partition anywhere. Gnome/KDE/Mac OS X will auto-mount, so make sure it's unmounted.
Find out which device in /dev is your SD card using dmesg, mount or something. On Linux it's probably /dev/sdb or /dev/sdc etc. On Mac, /dev/disk1, /dev/disk2 etc. Important thing, look for device that corresponds to your whole SD card, not partition on it (not /dev/sdb1p1 or /dev/disk1s1 for example)
Use "dd" command to flash your goldcard image to your SD card. Triple check that you're targeting the right device in /dev or you will be sorry.
Linux:
dd if=goldcard.img of=/dev/sdb bs=512
Path to device can vary and use sudo if you're not root.
Mac:
sudo dd if=goldcard.img of=/dev/disk1 bs=512
Path to device can vary.
5) Profit
That's it, your SD card is now a Goldcard
Credits to many people around the Internet who provided various bits of this procedure.
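The sysfs path in step 1 varies by device, so it is worth confirming that the value read really is the SD card's CID before going further. The following is an added example, not part of the original post: it decodes the CID shown in step 1 using the standard SD card CID field layout; the function name and the plausibility heuristic are assumptions made here.

```python
def decode_sd_cid(cid_hex):
    """Decode a 128-bit SD card CID as printed by the sysfs "cid" file.

    Layout used (SD card CID register, most significant byte first):
      byte 0      MID  manufacturer ID
      bytes 1-2   OID  OEM/application ID (2 ASCII characters)
      bytes 3-7   PNM  product name (5 ASCII characters)
      byte 8      PRV  product revision, two BCD digits "n.m"
      bytes 9-12  PSN  product serial number
      bytes 13-14 4 reserved bits, then MDT (8-bit year offset from 2000, 4-bit month)
      byte 15     CRC7 and end bit (not checked here)
    """
    cid_hex = cid_hex.strip().lower()
    if len(cid_hex) != 32:
        raise ValueError("a CID is 32 hex digits, got %d" % len(cid_hex))
    try:
        raw = bytes.fromhex(cid_hex)
    except ValueError:
        raise ValueError("CID contains non-hex characters")

    oid, pnm = raw[1:3], raw[3:8]
    mdt = ((raw[13] & 0x0F) << 8) | raw[14]
    year, month = 2000 + (mdt >> 4), mdt & 0x0F

    # Heuristic (an assumption of this example): a real SD CID has printable
    # OID/PNM text and a month of 1..12. An eMMC CID uses a different layout,
    # so reading the internal storage's CID by mistake usually fails this check.
    def printable(field):
        return all(0x20 <= b < 0x7F for b in field)

    plausible = printable(oid) and printable(pnm) and 1 <= month <= 12

    return {
        "mid": raw[0],
        "oid": oid.decode("ascii", "replace"),
        "pnm": pnm.decode("ascii", "replace"),
        "prv": "%d.%d" % (raw[8] >> 4, raw[8] & 0x0F),
        "psn": int.from_bytes(raw[9:13], "big"),
        "year": year,
        "month": month,
        "plausible_sd_cid": plausible,
    }


if __name__ == "__main__":
    # The CID printed in step 1 of the post.
    for key, value in decode_sd_cid("1b534d303030303010749634be00c9a4").items():
        print("%-18s %s" % (key, value))
```

If `plausible_sd_cid` comes back false, re-check which `mmc_host` entry the value was read from before doing anything with it.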
Or you could use SimpleGoldCard Tool to do the CID crap.
Nevertheless, good tutorial, keep it up.
Sent from my HTC Wildfire S A510e using Tapatalk 2
I'm looking for some way to generate goldcard.img offline, without using http://psas.revskills.de/?q=goldcard ... After all, the site may disappear and render this process impossible... People mention some Perl script?
yup, it disappeared
found a replacement
http://huygens.hoxnet.com/goldcard.html
I will be editing this post, and organizing everything, so stay put.
EDIT: I am no longer using my Fusion 2 as my primary phone, but I will still be able to update this thread. If you need any help, just post here, or shoot me a PM.
Links and Guides
Root your Fusion 2
Installing CWM 6
How to install CM7.2
Q&A
Q1. How do I root my phone?
A1. There are several ways to root your phone.
Shagerty's Guide
RoboticBuddy's Guide
Q2. How do I install a Custom Recovery?
A2. User Oct3178 has discovered that the Y201 CWM works with our U8665. Check out his post here, and follow "Installing CWM Recovery":
User Shagerty has made a step-by-step guide for installing CWM.
Oct3178's Post
Shagerty's guide
Q3. Are there any ROMs for my phone?
A3. The post in A2 gives you that answer. You can use Huawei Y200 ROMs for the U8665.
RFE has also dumped a pre-rooted stock ROM.
NEW: Shagerty has developed CM7.2 for this device. Please refer to the links above the Q&A.
Oct3178's Post
RFE's Post
Thanks to RFE, who made rooting the Fusion 2 possible!
RoboticBuddy said:
I have made this thread to compile all the posts on rooting/custom ROMs for the Fusion 2.
Q1. How do I root my device?
A. I have put all the necessary files together in one package for rooting. https://www.dropbox.com/s/lm11rrn3z5c2j6v/Huawei-Fusion-2-Recovery-Root.zip
Q2. Is there any Custom Recovery?
A. There is no CWM or TWRP as of now, but you can boot into CWM via fastboot. http://forum.xda-developers.com/showpost.php?p=36534284&postcount=4
Q3. Is there any Customs ROMs for this phone?
A. As of now, there are NO developed custom ROMs for this phone, yet. There is a pre-rooted stock ROM, for anybody who has a bricked phone. http://forum.xda-developers.com/showpost.php?p=36533895&postcount=46
Will add more later, when I have the time.
Thanks to RFE, who made rooting the Fusion 2 possible!
Thank you for creating such a nice organized thread in a good place. I've bricked a few phones now and just successfully flashed the FIRST FUSION2 ROM EVER. All that is required to apply the new ROM is fastboot & fastboot tools working.
Thanks,
RFE
If you could, please PM me the Rom, so I can add it to the OP.
Thank you,
-RoboticBuddy
Hello, super fresh noob here. I bought the "AT&T Fusion 2 GoPhone" three days ago, and successfully used this method of gaining root access on my device. I am an experienced linux user/developer who just bought his first Android phone.. :laugh: Instead of trying to remove the factory installed components, would it be possible to build a custom version of basic/minimal Android for this device? If this is what RFE is currently doing, I would be willing to help test/bug report any such images and/or help with development. You guys are awesome by the way.. really didn't expect this phone to turn out to be such a good deal.
I do believe that RFE is working on a custom ROM that removes all the CrapWare that was pre-installed on the phone. Hopefully after that, he will be able to start to build CM for it.
If I could, I would attempt to start building CM for the Fusion 2, but I do not know how to setup a build environment.
Thanks for your response robo buddy. I have done some poking around myself over ssh and a sshfs mount. After researching a bit about 'standard/common' Android filesystem layouts, I'm starting to think the stock ROM on this phone is pretty screwy. There is only one flash memory block device (/dev/block/mmcblk0), and it is partitioned into nearly 20 different slices:
Code:
Device                 Boot    Start      End    Blocks  Id  System             Analysis
/dev/block/mmcblk0p1   *           1       40        20  4d  Unknown            ?
/dev/block/mmcblk0p2              41      640       300  45  Unknown            ?
/dev/block/mmcblk0p3             641   266880    133120   c  Win95 FAT32 (LBA)  contains fat16 volume with arm9 radio software
/dev/block/mmcblk0p4          266881  7634943  3684031+   5  Extended           extended partition
/dev/block/mmcblk0p5          270336   294911     12288  6a  Unknown            ?
/dev/block/mmcblk0p6          294912   688127    196608  83  Linux              /cache
/dev/block/mmcblk0p7          688128   696319      4096  63  GNU HURD or SysV   ?
/dev/block/mmcblk0p8          696320   702463      3072  58  Unknown            ?
/dev/block/mmcblk0p9          704512   712703      4096  46  Unknown            ?
/dev/block/mmcblk0p10         712704   718847      3072  4a  Unknown            ?
/dev/block/mmcblk0p11         720896   727039      3072  4b  Unknown            ?
/dev/block/mmcblk0p12         729088  1515519    393216  83  Linux              /system
/dev/block/mmcblk0p13        1515520  3088383    786432  83  Linux              /data
/dev/block/mmcblk0p14        3088384  3096575      4096  47  Unknown            ?
/dev/block/mmcblk0p15        3096576  3112959      8192  48  Unknown            ?
/dev/block/mmcblk0p16        3112960  3153919     20480  60  Unknown            ?
/dev/block/mmcblk0p17        3153920  3162111      4096  6c  Unknown            ?
/dev/block/mmcblk0p18        3162112  3325951     81920  83  Linux              /cust
/dev/block/mmcblk0p19        3325952  7634943   2154496  6b  Unknown            /HWUserData (vold? mounted to /mnt/sdcard)
Partitions 1-4 do not end on cylinder boundary
This is a dump using fdisk with some minor comments at the end of each line. So my question is... where the heck are the 'boot', 'system', and 'recovery' partitions? This layout doesn't make any sense. Where does the bootloader find 'boot.img' at startup?
On top of that, I'm trying to make sense of all this Android jargon. I'm on 64 bit Arch linux with a dev setup and ADB communication with my U8665 working. Found a file "open source-kernel-2.6.38.6-U8815- Gingerbread.tar.gz" on the Huawei website. Contains what appears to be the source for the kernel version running on my U8665 right now. Many comments by authors who appear to be employed by Huawei. Grepping the source tree for 'U8665' nets results in a file 'fs/proc/app_info.c':
Code:
{ /* machine_arch_type s_board_id hw_version_id */
...
{MACH_TYPE_MSM7X27A_U8655_EMMC, "MSM7225A_U8665", "HD2U8655M"},
Searching google for the string "HD2U8655M" nets the device's PTCRB certification of some kind ..?
Ahem. I'm not exactly sure where to go from here. I am wondering if I can somehow compile this kernel along with CM 7 and build an image that way. From what I can understand from what I've read, this phone supports the ARM7 instruction set and has an Adreno GPU, so it's possible to eventually support ICS/JB..
P.S. I have some references to research I've been doing, but alas the forum won't let me insert hyperlinks until I make 10 posts
Edit: Alright, so I went further. mmcblk0p15 and mmcblk0p16 contain android images..
Code:
[[email protected] U8665]$ split_bootimg.pl mmcblk0p15
Page size: 2048 (0x00000800)
Kernel size: 3521448 (0x0035bba8)
Ramdisk size: 701945 (0x000ab5f9)
Second size: 0 (0x00000000)
Board name:
Command line: console=ttyDCC0 androidboot.hardware=huawei
Writing mmcblk0p15-kernel ... complete.
Writing mmcblk0p15-ramdisk.gz ... complete.
[[email protected] U8665]$ split_bootimg.pl mmcblk0p16
Page size: 2048 (0x00000800)
Kernel size: 3501096 (0x00356c28)
Ramdisk size: 1690977 (0x0019cd61)
Second size: 0 (0x00000000)
Board name:
Command line: console=ttyMSM0,115200,n8 androidboot.hardware=qcom
Writing mmcblk0p16-kernel ... complete.
Writing mmcblk0p16-ramdisk.gz ... complete.
So p15 is 'boot' and p16 is 'recovery', right? I should be able to build a ClockworkMod image with one of these kernels and then either fastboot flash it to recovery or just dd it into the proper device, correct?
Thanks
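The post above locates the boot and recovery images by running split_bootimg.pl over raw partition dumps. The following added example (not code from the thread or from split_bootimg.pl) parses the same header fields in Python and checks that the image described by the header fits inside its partition; it assumes the classic AOSP boot image header layout, uses load addresses of 0 as placeholders because the post does not print them, and builds its sample headers from the sizes and command lines shown above.

```python
import struct

BOOT_MAGIC = b"ANDROID!"
# magic, ten little-endian u32 fields, board name, kernel command line, image id
HEADER = struct.Struct("<8s10I16s512s32s")


def pages(size, page_size):
    """Number of whole flash pages needed to hold `size` bytes."""
    return (size + page_size - 1) // page_size


def cstr(raw):
    """Decode a NUL-padded fixed-width text field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_boot_header(blob, partition_size=None):
    """Parse the start of a partition dump; raise ValueError if it is not a boot image."""
    if len(blob) < HEADER.size:
        raise ValueError("dump is shorter than a boot image header")
    (magic, k_size, _k_addr, r_size, _r_addr, s_size, _s_addr,
     _tags_addr, page_size, _unused0, _unused1,
     name, cmdline, _image_id) = HEADER.unpack_from(blob)
    if magic != BOOT_MAGIC:
        raise ValueError("no ANDROID! magic at offset 0")
    if page_size == 0 or page_size & (page_size - 1):
        raise ValueError("page size %d is not a power of two" % page_size)

    # The header occupies the first page; each section starts on a page boundary.
    kernel_off = page_size
    ramdisk_off = kernel_off + pages(k_size, page_size) * page_size
    second_off = ramdisk_off + pages(r_size, page_size) * page_size
    image_end = second_off + pages(s_size, page_size) * page_size
    return {
        "page_size": page_size,
        "kernel_size": k_size,
        "ramdisk_size": r_size,
        "second_size": s_size,
        "board_name": cstr(name),
        "cmdline": cstr(cmdline),
        "kernel_offset": kernel_off,
        "ramdisk_offset": ramdisk_off,
        "image_end": image_end,
        # None when the partition size is unknown, otherwise a sanity check
        "fits_partition": None if partition_size is None else image_end <= partition_size,
    }


def scan_dumps(dumps):
    """dumps maps a label to (bytes, partition size); return headers for boot images only."""
    found = {}
    for label, (blob, part_size) in dumps.items():
        try:
            found[label] = parse_boot_header(blob, part_size)
        except ValueError:
            continue
    return found


def constructed_header(k_size, r_size, cmdline, page_size=2048):
    """Build one header page for testing (constructed data, not a real dump)."""
    hdr = HEADER.pack(BOOT_MAGIC, k_size, 0, r_size, 0, 0, 0, 0,
                      page_size, 0, 0, b"", cmdline, b"")
    return hdr.ljust(page_size, b"\x00")


# Constructed sample input: sizes and command lines from the split_bootimg.pl
# output above, partition sizes from the fdisk "Blocks" column (1 KiB units).
SAMPLE_DUMPS = {
    "mmcblk0p15": (constructed_header(
        3521448, 701945, b"console=ttyDCC0 androidboot.hardware=huawei"), 8192 * 1024),
    "mmcblk0p16": (constructed_header(
        3501096, 1690977, b"console=ttyMSM0,115200,n8 androidboot.hardware=qcom"), 20480 * 1024),
    "mmcblk0p17": (bytes(2048), 4096 * 1024),  # all zeroes: not a boot image
}

if __name__ == "__main__":
    for label, hdr in sorted(scan_dumps(SAMPLE_DUMPS).items()):
        print(label, hdr["cmdline"], "ramdisk at", hdr["ramdisk_offset"],
              "fits" if hdr["fits_partition"] else "DOES NOT FIT")
```

On a real device only the first page of each partition needs to be read for this check, which keeps the inspection read-only.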
I just made an account to thank you guys for helping me root my Fusion 2. I am just a complete freeloader who has helped nothing whatsoever, but if I could I would! Thanks guys, I just hope you know you are appreciated for your hard work, and I hope a custom ROM is made because I don't know how to get rid of some bloatware apps that have nand security and I have no idea how to turn that off O.O
Best 100 bucks I've spent in a while for the Fusion 2, I use the app Pinger and I pay $0 dollars a year for texting and calling as long as I use wifi!!
Well, I hope you guys proceed more with this phone, if not, either way thanks guys
still bricked
Sounds like there's some more interest in the phone now, thx RFE. I'm still bricked with this one. Tried every way I could think of to flash those rooted stock system files; they took every time via fastboot flash system but I haven't been able to get the phone to load past white AT&T. I'm assuming my boot.img / recovery.img / system.img are either not existing or not correct for the phone, so unable to load. Could someone give me simple instructions to flash that, or possibly rip those img files and/or create an update.zip containing everything and signed properly so fastboot can flash as simply as fastboot update? That'd be awesome and a quick and easy fix for anyone that bricks in the future experimenting with customs or whatever... Wish I could help but new to most of this. Thx guys, keep up the good work!
BOOOYA, well done! Rooted WiFi homephone.. thank you!
Lmao, so rad
statussticks said:
So p15 is 'boot' and p16 is 'recovery', right? I should be able to build a ClockworkMod image with one of these kernels and then either fastboot flash it to recovery or just dd it into the proper device, correct?
I do believe so, but I'm not too sure. Maybe you can help out RFE, since I'm no developer.
Thanks for all your support! Looks like we have potential developer (statussticks) for this phone. :good:
RoboticBuddy said:
I do believe so, but I'm not too sure. Maybe you can help out RFE, since I'm no developer.
Thanks for all your support! Looks like we have potential developer (statussticks) for this phone. :good:
I hope so, I bought this phone at Fry's for 59.99 on a crazy 1 day sale for no good reason. lol... It's actually a pretty little impressive piece for the price and a custom bare bones aosp/aokp/cm would be the meow meow!!! Cool little phone for sure!!
I have to be honest, I know nothing about Android development. I just jumped into this because I was forced to replace my flip phone GoPhone (submerged) and ended up with a smartphone. I am going to PM RFE once more, see if I get a response.
See the thing is.. at this point I'm supposed to be able to issue the command
Code:
fastboot boot out/target/product/u8665/recovery.img
to load a test image over USB into the phone's memory and boot it (?), essentially to test a build before you flash it. I've tried this with both the 'boot' and 'recovery' kernels (p15 and p16), building a CyanogenMod-gingerbread Recovery image (apparently) successfully. When I issue the above mentioned fastboot command it reports success, but nothing happens. Phone just sits at the ATT logo, and is no longer accessible by any fastboot commands. Requires me to unplug the phone, remove the battery. Hard freeze.
So it's like.. do I really wanna run the risk of trying to flash this to recovery and bricking my phone? I'm still not sure if I can just reflash the superrecovery backup if things don't go well. I have heard incidents of people saying 'fastboot won't respond anymore, screen always stuck at the logo.'
I may just go for it a little later. Hell, I'll buy another $99 phone if I have to. I wish RFE would chime in and drop the knowledge carpet bomb or something..
statussticks said:
I have to be honest, I know nothing about Android development. I just jumped into this because I was forced to replace my flip phone GoPhone (submerged) and ended up with a smartphone. I am going to PM RFE once more, see if I get a response.
See the thing is.. at this point I'm supposed to be able to issue the command
Code:
fastboot boot out/target/product/u8665/recovery.img
to load a test image over USB into the phone's memory and boot it (?), essentially to test a build before you flash it. I've tried this with both the 'boot' and 'recovery' kernels (p15 and p16), building a CyanogenMod-gingerbread Recovery image (apparently) successfully. When I issue the above mentioned fastboot command it reports success, but nothing happens. Phone just sits at the ATT logo, and is no longer accessible by any fastboot commands. Requires me to unplug the phone, remove the battery. Hard freeze.
So it's like.. do I really wanna run the risk of trying to flash this to recovery and bricking my phone? I'm still not sure if I can just reflash the superrecovery backup if things don't go well. I have heard incidents of people saying 'fastboot won't respond anymore, screen always stuck at the logo.'
I may just go for it a little later. Hell, I'll buy another $99 phone if I have to. I wish RFE would chime in and drop the knowledge carpet bomb or something..
A working twrp would be straight drug deala pimp style.. I'm gonna reach out to a couple of devs that may be willing to help out but I don't know, I may have to get him loaded and bribe him with cheap hookers. Also, if you go for it and your phone explodes into puppies then I'd be willing to help on a 2 device for development.. I'll run by Fry's and see if they are on sale or if I can weasel the sales guy into hookin a sale price up today after I close the store.. stand by sweetie pie.
Sent from my HTC One XL using xda premium
Got Root/Trying to build CWM
sinco54 said:
Lmao, so rad
Got root no problem, but dumping the files necessary to build CWM is puzzling me.. help?
---------- Post added at 08:45 AM ---------- Previous post was at 07:48 AM ----------
RoboticBuddy said:
I have made this thread to compile all the posts on rooting/custom ROMs for the Fusion 2.
Q1. How do I root my device?
A. I have put all the necessary files together in one package for rooting. https://www.dropbox.com/s/lm11rrn3z5c2j6v/Huawei-Fusion-2-Recovery-Root.zip
Q2. Is there any Custom Recovery?
A. There is no CWM or TWRP as of now, but you can boot into CWM via fastboot. http://forum.xda-developers.com/showpost.php?p=36534284&postcount=4
Q3. Is there any Customs ROMs for this phone?
A. As of now, there are NO developed custom ROMs for this phone, yet. There is a pre-rooted stock ROM, for anybody who has a bricked phone. http://forum.xda-developers.com/showpost.php?p=36533895&postcount=46
Will add more later, when I have the time.
Thanks to RFE, who made rooting the Fusion 2 possible!
After using this http://www.mediafire.com/?irr4cc14xy9ygs9 which is a method to get cwm on the first fusion. I lost the recovery.img including the stock one.. However when I replaced the CWM build for the fusion 1 found in the "INSTALLADOR" CWM thing with a build intended for the fusion 2 I am back on stock recovery! (found in a random forum don't feel like finding now will post if anyone wants PM ME)
Shagerty said:
Got root no problem, but dumping the files necessary to build CWM is puzzling me.. help?
---------- Post added at 08:45 AM ---------- Previous post was at 07:48 AM ----------
After using this http://www.mediafire.com/?irr4cc14xy9ygs9 which is a method to get cwm on the first fusion. I lost the recovery.img including the stock one.. However when I replaced the CWM build for the fusion 1 found in the "INSTALLADOR" CWM thing with a build intended for the fusion 2 I am back on stock recovery! (found in a random forum don't feel like finding now will post if anyone wants PM ME)
I'm trying /a friend of mine/ is to get a twrp to function..
Also, these phones were on sale at Fry's again but were 79.99.. I picked 1 more up solely for development.
Sent from my One X using xda premium
Thank you! Rooted my phone without any problems following your instructions!
Probably it is a wrong place to ask such questions, but could you point me to any information how to unlock network on this phone (currently it is locked for AT&T, and can be used with their SIM cards only)?
Thank you!
I'm still looking for that info too...
Sent from my HTC One XL using xda premium
Got unlocking code from one unlocking services for $15 in 24hours.
And then used Titanium Backup and Root Uninstaller to remove AT&T apps.
Aknodx said:
Got unlocking code from one unlocking services for $15 in 24hours.
And then used Titanium Backup to remove AT&T apps.
Where did you buy the unlocking code?
Just realized I'm in the wrong thread and don't know how to fix it; hopefully I will be moved to Q and A.
This is just to help out people who may have had a hard time getting other guides to work like I had.
I don't have the original thread, so I will give you my rough draft and will update when possible.
All steps work.
My working image link is at bottom of post
Here is where I made the mistake
http://forum.xda-developers.com/showthread.php?t=1745865
These are the 2 files
1.Galaxy-S-fre3-2.51.zip
2.Galaxy-S-fre3-MD4FirmwareModemAIO.zip
flashed first and wamo no andro
Ya, my bad, shouldn't have flashed firmware, but I did and paid the price.
Here's my specs.
Android Ver: 4.3
Baseband Ver: L710VPUCMK3
Build: JSS15JL710VPUCMK3
Hardware Ver: L710.14
Haha, so I'm a knucklehead.
I thought I lost my device (this is still a bad-ass phone, almost too nice to be in a roofer's pouch and getting torn up). But it takes really nice pictures of my custom work, and takes 'em fast so I can get back to work.
I lost 12 hours for a stupid mistake,
Not to mention the last device I bricked was my first (Hero) and thought was my last.
The only life left in the device, was red light, when battery removed (when battery was placed in during charge, red light went out in 5 to 10 sec.)
When battery was in unit, no lights at all.
I noticed when usb cable attached to ubuntu, was some kind of Qualcomm Device _DLMODE or something.
I will edit this post when I find it again, but anyway that led to nothing.
My first attempts were made following this guide: http://forum.xda-developers.com/showthread.php?t=2369125
I couldn't figure out by reading the threads if how I was to format the fat32 partition default 8 or 4 or 1Mg
I couldn't understand why we would have to try to write the image over and over... Why it wouldn't write it right the first time.
I had a hard time trying to write the image file ..debrick_sph_l710.img to sdcard using my v-box..
(Virtual-Box under windows 8 with Ubuntu 13.10 installed ....Android-Kernel-Build ready ).
After trying all the different ways and different images, I said screw it, I give up.
.........Till after dinner
Wife made a roasted chicken, not gonna be late.
Finally I made my own image from my wife's phone, because we bought them at the same time.
One problem: hers isn't rooted and she wasn't about to let me touch it.............
Solution: I bought her a galaxy4 for 49.00 /w upgrade, now I have 2 galaxy 3's. But only one works.:/
That was a pain rooting because she always accepts the firmware upgrades when they come over air.
Couldn't get the "seLinux seAndroid" thing so I just went back to 4.1 for now so that I could adb.
Here's What Did It...
http://forum.xda-developers.com/showthread.php?t=2345860
HERE'S HOW I DID IT
To extract a de-brick image from your phone (an UnBricked Phone) do in an adb shell:
If you know the partition use:
dd if=/dev/block/mmcblk0 of=/sdcard/HomefixSprint_S3_L710.img bs=1048576 count=70
If not use:
dd if=/dev/block/platform/msm_sdcc.1/by-name/modem of=/sdcard/HomefixSprint_S3_L710.img bs=1048576 count=70
MY TERMINAL SHOWS:
C:\Users\dad>adb shell
[email protected]:/ # busybox dd if=/dev/block/mmcblk0 of=/sdcard/HomefixSprint_S3_L710.img bs=1048576 count=70
0 of=/sdcard/HomefixSprint_S3_L710.img bs=1048576 count=70 <
70+0 records in
70+0 records out
73400320 bytes (70.0MB) copied, 4.578239 seconds, 15.3MB/s
Take that image, copy it to your cygwin directory and write it to an unformatted 16mb sdcard using cygwin:
TO GET THE SDCARD READY:
get EaseUS Partition Master Free Edition-Free For Home Users
and find the sdcard, it's about 14.82GB; if you have more than 1 you're on your own.
Select that one, and delete all partitions.
Then, New partition, select fat32, and then finish by applying the operations.
IN CYGWIN:
Get sdcard info:
cat /proc/partitions
MY TERMINAL SHOWS:
[email protected] ~
$ cat /proc/partitions
major minor #blocks name
8 0 976762584 sda
8 1 976759808 sda1
8 16 117220824 sdb
8 17 358400 sdb1
8 18 116859904 sdb2
8 32 976762584 sdc
8 33 976759808 sdc1
8 48 244198584 sdd
8 49 244196001 sdd1
8 64 976762584 sde
8 65 976657408 sde1
8 80 976762584 sdf
8 81 976760001 sdf1
8 96 976762584 sdg
8 97 976760001 sdg1
8 112 976075776 sdh
8 113 976074752 sdh1
8 128 15558144 sdi
8 129 15558110 sdi1
[email protected] ~
$ ls
debrick_sph_l710.img
[email protected] ~
$ dd if=HomefixSprint_s3_L710.img of=/dev/sdi
143360+0 records in
143360+0 records out
73400320 bytes (73 MB) copied, 338.771 s, 217 kB/s
I DID WHAT I WAS SUPPOSED TO DO:
Put battery in
Connect usb cable
Insert sdcard
Vol-up/Home and Power
I felt the vibration no more than a second after pressing power (along with vol_dwn and home key pressed and held)
As you can imagine, my adrenaline was pumped to the point of feeling like I smoked a pack of Camel cigarettes, AGAIN, as I try to boot the phone.
I knew I was out of the woods after I saw the Samsung logo.
It skipped past download.
I was able to boot right into my desktop, however there were no signal bars,
and the Baseband ver: was unknown.
I powered down the phone (man that was hard to do) but I did.
Tried to get into download mode but failed at first, recovery failed also.
Finally got to download, then I was good.
NOTES:
After I revived the phone I had nothing to lose because now I had 2 S3's, so I played a bit.
It's fun to brick your phone on purpose haha
:The debrick_sph_l710.img or the Debrick_Sprint_S3_L710_4.3.img did not work for me
:I did not need the class 10, class 4 worked too
:I did not need cable attached
:It didn't matter which order I put battery, sdcard, usb-cord to boot
:I did not format card
:Only took 1 try to write working image each time (didn't take several attempts). I wrote and tested 3 different images.
:Upon booting it seems to be the same each time, couple three four sec (out of a few times playing it may have taken 10sec to boot on one occasion).
:I think the issue with ubuntu was, the sdcard was not ejecting properly and corrupting the image.
:If you have a successful write to sdcard, it may not show up in file explorer until you pull out card reader and re-insert it... then it will show up in file explorer as a folder called "image" with bunch of files or something in it, then you know it wrote ok.
:For some reason after I haha... BRICKED MY SG3 ON PURPOSE....Oh my GOD....I'm SHOT, booted to my homemade image, I was able to boot into recovery as well as Download.
:Not for nothen I tried to:
dd if=/sdcard/recovery.img of=/dev/block/platform/msm_sdcc.1/by-name/recovery
dd if=/sdcard/boot.img of=/dev/block/platform/msm_sdcc.1/by-name/boot
dd if=/sdcard/modem.img of=/dev/block/platform/msm_sdcc.1/by-name/modem
(Remember I was able to boot to system, so adb worked)
Did not work, however it may have worked if I used the syntax...mmcblk0 and such.
My Image Link: http://rooferdave.com/Downloads/sprintsg3.html
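An added example, not part of the original post: the write step above run with two checks, picking the card from a /proc/partitions listing by size instead of by eye, and reading the written bytes back against the image. The function names and the 32 GiB size ceiling are assumptions for illustration, and the script assumes GNU dd and cmp (as shipped with Cygwin and Ubuntu).

```shell
#!/usr/bin/env bash
# Added example: choose the SD card by size, write the image, read it back.

# Constructed sample: a few rows copied from the /proc/partitions listing in the post.
sample_partitions() {
cat <<'EOF'
major minor  #blocks  name
   8        0  976762584 sda
   8        1  976759808 sda1
   8       16  117220824 sdb
   8      128   15558144 sdi
   8      129   15558110 sdi1
EOF
}

# Print whole-disk names (no partition number) holding at most MAX_KB 1-KiB blocks.
# Reads /proc/partitions-format text on stdin; the header row never matches.
small_disks() {   # usage: small_disks MAX_KB < /proc/partitions
    awk -v max="$1" '$4 ~ /^sd[a-z]+$/ && $3 + 0 <= max + 0 { print $4 }'
}

# Compare the first <image size> bytes of TARGET with IMAGE; non-zero on mismatch
# or when TARGET is shorter than IMAGE.
verify_image() {   # usage: verify_image IMAGE TARGET
    size=$(( $(wc -c < "$1") ))
    cmp -s -n "$size" "$1" "$2"
}

# Write IMAGE to TARGET, force the data to the medium before dd exits, then verify.
# notrunc only matters when TARGET is a regular file (as in a dry run).
write_and_verify() {   # usage: write_and_verify IMAGE TARGET
    dd if="$1" of="$2" bs=1048576 conv=fsync,notrunc 2>/dev/null || return 1
    sync
    verify_image "$1" "$2"
}

# With the sample listing, only the ~15 GB card is below the 32 GiB ceiling.
sample_partitions | small_disks 33554432
```

A read-back done immediately after the write can be served from the page cache, so for a check against the medium itself, remove and re-insert the card and run verify_image again.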
Will your image work if placed on a formatted sd card or do I need to do the partition step then copy?